Cybersecurity Enhancement Through Gamification
Introduction
A concept that I find intriguing is the idea of enhancing user engagement with cybersecurity initiatives through games and game-like activities. I love playing games, especially video games, and have tried my hand at developing them as a hobby. I find them not only fun, but also fascinating because of their ability to tell immersive stories that captivate me and leave behind memorable experiences. I decided to take a closer look at the idea of gamifying cybersecurity to improve end-user training.
Instead of forcing users to take a quiz after a boring lecture, or series of uninteresting slides and videos - a task that is often met with resistance and leaves the user with a feeling of resentment - gamification aims to create an immersive, enjoyable experience that will leave a lasting, positive impression.
Breaking Tradition
Security training and awareness is a common control or set of controls aimed at training and testing users in security best practices, often mandated by policies, frameworks and regulations. That being the case, it may often be implemented quickly and with minimal effort, in order to satisfy a compliance checkbox. Enforcing yearly training with the same dull content may satisfy the requirement, but it does not provide positive benefit to an organization’s security practices and culture, or leave a lasting and effective impression on users. It is often seen as another hinderance to productivity, a mandatory compliance obligation that is clicked through and forgotten until next year.
For any presentation to be successful, content should be engaging and memorable. It should reinforce positive thoughts and feelings, and not annoyance and resentment. That is where gamification can add benefit to this critical, and often obligatory, activity.
Shall We Play a Game?
I’ll now take a look at some real world offerings that show a wide-range of approaches to this concept.
One option I found that provides a fully interactive cybersecurity training platform focused on threat simulation is called Game of Threats™ by PwC. PwC offers general services in cybersecurity training and awareness, and this is a gamified version of a cyber tabletop exercise (which is basically cybersecurity D&D, and a lot of fun if presented well). Teams use tablets and a shared monitor to compete in real-time, making decisions based on guided scenarios. It is built similar to a card game in the way the scenario is shuffled with each new play. It then provides a detailed analysis of the results for a lessons learned follow-up. I have not had the opportunity to play this or see it in action, but it seems interesting based on its description:
“Game of Threats™ is a digital game that simulates the speed and complexity of a real-world cyber breach to help executives better understand the steps they can take to protect their companies. The game environment creates a realistic experiences where both sides – the company and the attacker, are required to make quick, high impact decisions with minimal information.
PwC’s Cybersecurity experts coach players through realistic scenarios with different types of threat actors and their preferred methodologies, and explain what they can do to better prevent, detect and respond to an attack. ”
Unfortunately, it appears to be geared toward executives, and large organizations, with costs ranging from $40K and up! However, it is a good example to kick off the concept.
Next up…
Space Shelter by Euroconsumers in collaboration with Google. This is a series of minigames that teach cybersecurity basics. It is cleverly designed, highly entertaining, and best of all… it’s free!
The game begins by selecting an avatar from a few generic astronaut characters, and then the user is presented with a brief sci-fi themed quiz about common cybersecurity topics. After the quiz, the scene changes to a spaceship, where the player navigates their avatar through a series of point-and-click security tasks to protect their ship from space pirates and aliens.
Adding Space Shelter to an organization’s security and awareness training program could be a game changer. Pun absolutely intended, and I feel chuffed about it.
Let’s keep going before I get distracted…
Red vs. Blue by ThreatGEN® claims to be “the next evolution in cybersecurity education”. ThreatGEN® offers an online platform that provides an education portal with courses, labs, scenarios, and a community. One of their offerings is a game designed to replace cyber tabletop scenarios called Red vs. Blue.
This is a turn-based game where a player can choose to be either an attacker or a defender (Red Team or Blue Team). It offers a single player mode, and a multiplayer mode. As mentioned, it is turn-based, and each action requires spending resources, such as time, staff and money. The player chooses their mode and their team, then selects a network type as the scenario. Playing against other players, or AI, they have to use their resources efficiently to successfully attack or defend the network.
This is an awesome concept and it looks like fun, but it may be a little advanced for the average user. Check out their YouTube demos for more. At the moment, the cost is $14.99 on Steam, and there is a subscription-based pro version with licensing options for organizations.
Bookmark that for later…
The last option, CyberEscape Online by Living Security, might be a good middle ground, and the right overall look and feel for a professional setting. This is a series of virtual escape rooms with a cybersecurity thriller theme. The company also has simulations that allow employees to experiment with different security measures and response strategies. The escape rooms are offered as part of their overall training services and prices are available upon request. I assume the cost is out of scope for individuals or small organizations, but that is conjecture.
Conclusion
There are different types of solutions out there geared toward different audiences, using unique formats and with varying levels of sophistication. I hope this gives a good idea of the ways security awareness and training engagement and effectiveness can be enhanced through gamification.
There are other ways that IT Security pros can provide an interactive experience for users without deploying expensive tools. I have seen successful programs that simply use a reward system for good security behaviors, even pitting departments against each other to see which could report the most phishing attempts, or which had the least amount of forgotten password requests. I have also deputized staff to be a part of the security team, getting them more engaged, and showing how the relationship between security and business is mutual. The solution doesn’t have to be expensive or complex, as long as it is effective and helps develop a positive attitude toward cybersecurity and its goals.
Daily Cuppa
Today’s cup of tea is Organic Earl Grey provided by Equal Exchange. Organic and fair trade, with just a splash of soy milk for added creaminess that enhances the sweetness.
If you enjoyed this article or the site in general, feel free to buy the author a cup of tea.