For many years the defense and intelligence communities have relied upon a concept called gamification to test concepts, strategies, and potential outcomes in various scenarios via computer simulation. They have found that gamification heightens the interest of the players involved and serves as a stimulus for creativity and the interchange of ideas, which is vital for keeping an edge. As computers have become faster and more capable and data-gathering abilities have grown exponentially, gamification has become a “go to” process for many involved in the security community.
The information and technology research firm Gartner defines gamification as “the use of game mechanics and experience design to digitally engage and motivate people to achieve their goals”. They note that gamification applies these ideas to motivate the audience to higher and more meaningful levels of engagement.
Recently, one of the global “Big Four”, consulting firm PwC, held a gamification exercise with its senior executives. They created a game that pitted defenders against attackers and simulated a cyber-attack built from the real-life data of some of their clients. The mostly non-technical executives who participated were able to get a better grasp of how their actions impacted outcomes. Christian Arndt, a cybersecurity director at PwC, said the participants in the game were able to “develop a better knowledge of the threat actors, tools and techniques which could threaten their systems and data”.
Gamification in cybersecurity for both the public and private sectors makes great sense for several reasons: 1) it creates an ability to discover gaps in the monitoring framework, 2) it can be a guiding element in allowing companies to best determine how they direct their resources toward mitigating vulnerabilities and threats, and 3) it helps address the workforce shortage and plugs the skills gap by cultivating a next generation of computer and video gamers.
The reality is that most workers in government and industry do not understand the basics of cybersecurity. Although training programs are often mandated by policy, a quick test or refresher on cyber policies is not enough to create an awareness of the multitude of threats in an increasingly digital world. Gamifying the worker experience can enhance interest in the subject matter and also create a better understanding of how and why cybersecurity attacks occur. This makes sense especially in an environment where phishing has become a preferred hacker attack method. We have seen the implications of workers causing costly data breaches by opening malware in government agencies, hospitals, universities and especially corporations. Gamification can provide a better mechanism for training everyone on how to prevent and respond to the changing landscape of cybersecurity and educate people on methods, means, prevention, and who the probable adversaries are.
Most companies are learning the hard way that what they thought was secure is really not. Data breaches are an epidemic, and every year intrusion reports outpace those of the previous year. As a result of procrastination on cyber threats, corporate leadership has been playing catch-up by procuring IT security technologies, educating their boards on liability issues, and hiring cybersecurity talent. However, deciding how to best allocate resources, focus on specific industry threats, and design prevention and contingency plans is not an easy task. Gamification can be helpful in providing testing and simulation for a custom cybersecurity strategy while stimulating the workforce at the same time.
It is noted on almost a daily basis that the cybersecurity industry is facing major skilled worker shortages. Despite determined efforts in recruitment, education and STEM programs, the shortage has persisted and will likely be an issue in the future. While not a remedy, gamification is helpful in addressing the shortage of skilled cybersecurity hires. A generation of young talent raised on computer and video games is “wired” for a career where they can utilize their digital skills and maintain their lifestyle. Cybersecurity can be a logical and fulfilling path for those who already thrive on the gaming culture for entertainment.
Of course, there is a real science to gamification and the many algorithms that create a scenario for the players. The lessons the cybersecurity community learns in conducting such exercises can create working models that will pay dividends for everyone connected, improving competitiveness for industry and better security overall.
Charles (Chuck) Brooks serves as the vice president for Government Relations & Marketing for Sutherland Global Services. Chuck also serves as chairman of CompTIA’s New and Emerging Technology Committee, and he serves as subject matter expert to the Homeland Defense and Security Information Analysis Center (HDIAC), a Department of Defense (DOD) sponsored organization through the Defense Technical Information Center (DTIC). Chuck also served as a technology partner advisor to The Bill and Melinda Gates Foundation. In government, he served at the Department of Homeland Security as the first director of Legislative Affairs for the Science & Technology Directorate.