How is gamification shaping cyber security?

In Information Security ByTeam Acumin / 9th July 2016

Gamification, the process of applying gaming elements to other activities, is rapidly becoming a tool to assist cyber security.

There are four main principles of gamification:

• Create a goal
• Create the rules for attaining that goal
• Set up feedback systems
• Make playing the game voluntary

Sports such as football and golf are based on these principles. Online role play games such as Warcraft also have goals, rules, feedback systems and voluntary participation. The rewards of winning games motivate players to increase their skills levels and participation.

Gamification is designed to make modifying human behaviour fun.

Gamification to improve security awareness

Many security incidents are the result of human error. Employees opening email attachments that release malware, clicking on malicious website links, or attaching virus-infected USB memory sticks to a company computer are examples of security lapses by workers that should not happen.

Most companies have rules and policies about how employees can avoid security errors, but simply providing these does not necessarily result in changed behaviour.

Game of Threats is a video game played on tablets that simulates the speed and complexity of a cyber breach. Players form two teams, with one the attacker and the other the defender, and need to make quick decisions based on little information. Good decisions are rewarded and bad ones penalised. The game is designed to put players under pressure and respond to the actions of the opposing team players.

Game of Threats raises awareness about cyber security by giving an insight into how cyber attacks occur and how they can be prevented. After a game, players are encouraged to discuss cyber security issues.

By raising cyber security awareness, Game of Threats hopes to change workers’ attitudes to cyber security and influence their behaviour. Such methods have been known to have an effect; Salesforce.com found that after employees had taken part in a cyber security game, they were 50% less likely to clink on a malicious link and 82% more likely to report phishing emails.

Gamification that rewards good behaviour

Many corporate policies are driven by punishment, in that breaking rules comes with repercussions. Gamification reverses this by focusing on rewarding good behaviour rather than punishing bad behaviour.

Gaming mechanics can be introduced in the workplace to reward good security behaviour. Digital Guardian, the cyber security organisation, has created the Data Defender game. Instead of punishing workers for bad security practices, the Data Defender game rewards workers for conforming to security practices.

Workers are awarded points and badges for reaching specific targets. For example, a badge is awarded for sending 1,000 safe emails.

Prizes are awarded for a certain amount of points, and employees compete to earn the most points.

Other rewards are doled out for reporting suspicious emails, spotting unauthorised USB memory sticks, creating secure passwords, and safeguarding laptops away from the company premises.

Gamification and recruitment

There is worldwide shortage of people able to carry out IT security jobs, so businesses are looking at novel ways to recruit extra staff.

The Cyber Security Challenge UK is a game in which players have to combat simulated cyber threats, but players do not necessarily need cyber security experience to compete. To do well in the game requires technical, communication and teamwork skills. The winners of the game are awarded prizes, but most importantly they are given jobs in large firms and government agencies. Past winners have started cyber security careers at GCHQ.

Baroness Pauline Neville-Jones of the Cyber Security Challenge said:

“Cyber Security Challenge UK offers an innovative and exciting way of attracting talented individuals to take up rewarding careers in this field.”

Bug tracing

Many data breaches are caused by software bugs. Despite extensive in-house testing, bugs may still remain. Major companies such as Google, Microsoft and Facebook have launched bug bounty programs where people outside of the companies are rewarded for finding and reporting bugs.

Bug Bounty programs are not games as such, but appeal to gamers, as they are competitive and reward innovative behaviour.

Bug Bounty can also pay well. Taxi booking firm Uber rewards up to $10,000 for people finding critical bugs, and has a rewards program for people who find more than four bugs in a short time. Like the best online games, the reward program keeps people engaged with the Uber bug-hunting program.

Introducing gamification into the workplace

When faced with a proposal to introduce security gamification into a workplace, many managers are suspicious. The word ‘game’, to some, implies not being serious. If the proposal is presented as ‘active feedback’, then it will be more likely to be received better.

Employees who are suspicious of gamification will be reassured when told that joining the game is voluntary. Once the game is underway, and participants are seen to be having fun competing for rewards, then the staff who have not joined will probably be motivated to join.

Some companies find that competition for points is sufficient, but others like to rewards achievements with small prizes.

Although the main principle of gamification is rewarding for good practices rather than punishing, there can be rewards for employees recognising that they have made a mistake, then reporting their mistake, rather than try to cover them up through fear of punishment.

Gamification is in its early stages, so games need to be monitored for their effectiveness and modified where necessary.

Not everyone supports cyber security gamification

It should be noticed that not all companies are convinced that gamification is the best way to change security related behaviour. In the United States, credit card giant Visa has hired cognitive psychologists to research other methods of changing behaviour.

Some cyber security experts, such as Jonathan Feigle of Hyatt Hotels, support using elements of gamification, but do not add levels and points.

Conclusion

What gamification is trying to address is that most of the problems of security awareness are not technology issues, but human behaviour ones.

Gamification attempts to change human behaviour regarding security awareness, but is not the only way to achieve behaviour change.

Gamification will not be effective against expert and determined hackers. Companies will still need to employ highly skilled cyber security personnel to protect their computer systems and networks.