ROOM#42 takes off to Expo 2020 Dubai

and demonstrates Luxembourg’s ambition to consider cybersecurity as a major issue


The cyberattack simulation made in Luxembourg that will test visitors’ nerves from 12-18 December 2021 at Luxembourg Pavilion.

Cybersecurity is a key pillar of the country’s digital economy strategy. The selection of ROOM#42 - the cyberattack simulation made in Luxembourg - by the Ministry of Foreign and European Affairs to join the ‘Knowledge and Learning Week’ exhibition at Expo 2020 Dubai is just another example, representing Luxembourg’s innovative know-how and expertise in the field, in a world event.

ROOM#42 will be presented from 12-18 December 2021 at the Luxembourg pavilion.

Dive into the danger and learn how to survive

In a setup similar to the one in Luxembourg, visitors will be plunged in the chaos of a cyberattack. While putting on the hat of a CEO, they will measure the effects of their decisions in real time.

“Through ROOM#42, the Grand Duchy of Luxembourg has been a forerunner in putting people at the heart of cyber by giving them back their legitimacy rather than following a trend that involves putting in place additional layers of technology to manage a crisis”, Jérôme Jacob, founder of ROOM#42, says.

What’s ROOM#42?

In cybersecurity, it is essential to consider that a crisis can be anticipated and therefore requires the ability to understand emerging threats, analyse and test appropriate measures”, Jérôme Jacob explains.

ROOM#42 was conducted as an applied research project considering the application of cyber and non-cyber skills in a simulated environment.

In a recent publication, Jérôme Jacob highlighted the following equation: Time Factor x (Human Factor x Competence Factor), that identifies the undeniable link between people and competence. “In a structured and organised system in which a service has to be delivered, one is nothing without competence and competence is useless without a person to implement it. Furthermore, any competence degrades with the level of stress”, he describes. “This means that in a critical situation, one must not only have skills, but must also be able to understand the situation, to decide within a short period of time under psychological pressure, and to analyse the effects of his or her decisions after the fact. To date, no system is able to respond to this type of challenge and consequently to replace the human resource, hence the importance of this reflection: a failure in one of the three factors inexorably degrades the capacities of an organisation to control a cyber crisis”, he continues.

The objective of ROOM#42 is to test the maturity of companies in the management of a cyber crisis in order to increase their competence. The exercise brings together 5 to 8 employees representative of a working environment in a simulated environment to test their crisis response competence and lasts 3 hours.

What will be presented in Dubai?

As it was not possible to repeat an exercise of this scale at Expo 2020, in order to allow visitors to experience (and not just imagine) dealing with a cyber attack, a VR solution has been developped in which participants would virtually enter ROOM#42 and have to deal with cyber incidents alone (in a reduced period of time of 10 minutes).

We have developped a new concept based on the key elements that made ROOM#42 a success:

  • considering the human factor as a central element,
  • maintaining the fundamentals of ‘detection/analysis/decision’,
  • stimulating/simulating”, Jérôme Jacob explains.

The VR version will therefore be a tool to raise awareness among decision-makers so that they can assess their level of maturity in the field of incident response.

ROOM#42 at a glance

After 3 years of service, the following figures have been observed:

  • cryptoransomware: 85% of participants took more than 15 minutes to detect it and react, 60% of the countermeasures were not enough
  • fake news: 65% of participants did not manage to handle this type of incident
  • Defacing: 35% of participants were not aware of this type of attack
  • Social Engineering: 10% of participants revealed their password through the phone to someone they didn’t know
  • Cybercriminals: 40% of participants paid a ransom
  • Crisis: 45% of participants had difficulties or did not know how to handle a crisis
  • CERT: 70% of participants did not think of asking a CERT for help
  • Communication: 80% of participants did not communicate internally during a crisis
  • Evidence: 95% of participants did not think about preserving evidence of a cyber attack

For more information, visit www.room42.lu & if you are in Dubai at that time, come see us!