
Friday, 29 May 2009

An information security kriegsspiel

In 1824, George Leopold, better known as the Baron von Reiswitz, published a set of rules for a game that simulated tactical situations that a commander of a Napoleonic-era army might face. These rules were called Anleitung zur Darstellung militarische manuver mit dem apparat des Kriegsspiels (Instructions for the Representation of Tactical Maneuvers under the Guise of a Wargame). The story goes that when he presented his game to General von Muffing, the Chief of Staff of the Prussian Army, and his General Staff, von Muffing was skeptical of the game, but after seeing his staff play it, he said "This is not a game! This is training for war! I must recommend it to the whole army."

Not too long after that, each brigade in the Prussian army had its own copy of Leopold's game and regularly played it. When the Prussians soundly defeated the French in the Franco-Prussian war (1870-71), in part due to the training that the Prussian officers had received from playing Leopold's kriegsspiel, other armies started to take the game seriously. Even today, similar games are used to train military officers. The ones that I played used little lead models of tanks to fight out various scenarios in a hypothetical invasion of Germany through the Fulda Gap by the USSR. You definitely got to try scenarios in the games that you'd be very reluctant to try in real life, and it was very interesting to see the outcome of these unusual scenarios.

If wargames are useful for training military officers, similar games might be useful to train information security professionals. Instead of making tactical decisions, in such an information security kriegsspiel you'd have to make decisions about how to spend your budget. Once you allocated your budget, you'd go through a series of security incidents, the outcome of which would depend on how you allocated your budget. After resolving enough incidents to represent a year, you'd begin the process again. Maybe a referee would periodically provide updates to the information security threat that would require you to reprioritize your spending.

After playing such a game a few times, you'd be able to try lots of "what if" situations, and might have a better idea of exactly what the implications of making certain decisions would be. This could be a very useful training tool for CIOs, CSOs, CISOs, etc. Maybe someone already does this and I just haven't heard about it.
