Meeting cybersecurity challenges through gamification

When it comes to cybersecurity issues, we always seem to be dealing with either shortages or excess. Everywhere there’s talk of how data breaches are growing in number, size, severity and cost, and there are always too many new security holes, vulnerabilities and attack vectors that need to be fixed.

On the other hand, there’s a widening cybersecurity talent gap to fill vacant posts. We never seem to have enough tools to deal with new threats and malware that are sprouting on a daily basis, and there’s not enough data to make smart assumptions and decisions (or in some cases, too much data and too many false positives to find the real threats). And awareness about security matters among employees, staffers and executives in firms, associations and agencies is always at abysmal levels.

With the dark shadow of bigger security incidents constantly looming on the horizon, both government agencies and private firms are always looking for new ways to meet the challenges and overcome the many shortages the cybersecurity industry is facing.

One of the growing trends in this regard is the use of gaming software, the element of competition and simple rewards programs to help find security holes, educate about cybersecurity issues and recruit talent to plug the skills gap that is riddling the industry. Here’s how security firms are using game mechanics to address some of their most serious issues.

Gamification’s role in security implementation

Though the concept of gaming is not new in the cybersecurity industry, it’s so far been mainly used in the domains of education and scouting for talent. Day-to-day security practices and procedures in businesses and agencies continue to be carried out in the traditional way, and they often are perceived by employees as excessive, cumbersome and unnecessary measures that can be ignored and overlooked when in a rush to meet critical deadlines and finish overdue tasks.

Digital Guardian, a cybersecurity firm that offers a namesake data loss prevention (DLP) platform, intends to challenge this norm by integrating gaming concepts and mechanics into the daily security practices of firms and organizations.

Not enough people are entering the cybersecurity workforce.

The idea was first introduced by Mark Stevens, Senior Vice President of Global Services at Digital Guardian, during a presentation at the 2016 RSA Conference in San Francisco. Stevens presented DG Data Defender, a cost-free gaming system that can help companies turn their average employees — arguably one of the greatest risks to the protection of data — into their greatest security assets.

The idea behind DG Data Defender, as explained by Connie Stack, Chief Marketing Officer at Digital Guardian, is “to encourage organizations to engage every employee in their data security programs using gamification principles.”

Most traditional DLP solutions are centered on identifying and preventing non-conformant behavior, and reporting it to security team members, managers and supervisors.

The gaming approach suggested by Digital Guardian addresses not only the bad behaviors, but also the good behaviors: Employees are rewarded when they abide by the rules and punished when they break them. For instance, users receive printable badges upon first, tenth and hundredth email sent without triggering a policy. Scoreboards are used to present DLP leaders among employees to create a positive spirit of competition. Eventually, continued use of good security practices will earn employees prizes, such as e-store gift cards.

“This gives users a more positive data security experience,” explains Stack, “and it encourages them to handle sensitive data correctly in the future to earn even more rewards/badges — effectively becoming a force multiplier for the security team.”

Digital Guardian plans to implement the DG Data Defender gaming concept as a policy pack for its DLP solution in the future.

Gamification’s role in finding talent

The cybersecurity talent gap is a great problem. Not enough people are entering the cybersecurity workforce, and most firms and organizations are faced with vacancies. According to the Cisco 2014 Annual Security Report, there’s currently a global shortage of one million IT security pros, a number that is bound to rise as high as 1.5 million by 2019. Another study released in January 2016 by Information Systems, Audit and Control Association (ISACA) shows that most organizations are having trouble filling cybersecurity jobs, which leads to greater vulnerabilities and higher data breach risks.

Cyber Security Challenge, a U.K.-based organization, has been trying to tackle this shortage through yearly competitions in which players face simulated threat situations they must prevent through the use of their cyber skills.

“We’ve seen that traditional recruitment methods, used in other industries, just don’t work in cyber security,” says Stephanie Daman, CEO of Cyber Security Challenge U.K. “However, there is a noticeable pattern between gamers and those that show significant skills in the industry.”

Human error and lack of awareness continue to be the main contributing forces to successful data breaches.

The organization uses CyPhinx, a gaming environment designed to find, test and recruit cyber talent. “It’s a 3D immersive platform that brings the games together with a virtual world in which candidates can interact with each other and with industry experts to gain knowledge and skills and build their networks,” Daman explains.

The qualifying rounds are carried out on the online platform; top players are invited to play face-to-face challenges hosted by the competition’s sponsors. “Competitors are assessed not only for their technical abilities, but also for their communication, presentation and teamwork skills,” says Daman.

Winners are offered a host of career-enhancing prizes and lucrative job opportunities at large tech firms and government agencies, such as GCHQ, Northrop Grumman and BT, some of the main sponsors of the event.

Cyber Security Challenge U.K. provides an opportunity for anyone with coding and IT skills to prove their mettle against security incidents. The winner of November’s final competition, which involved thwarting a biological attack, was a 38-year-old network engineer for a car dealer.

Gamification’s role in educating and raising awareness

Human error and lack of awareness continue to be the main contributing forces to successful data breaches. A considerable number of security incidents occur because employees and staff members don’t have enough knowledge, education and sensitivity in handling data, and organizations are thus risking their reputation, customer trust and, eventually, their bottom lines.

Research conducted by AXELOS suggests firms are suffering from cyberattacks because their staff are either not provided with cybersecurity training or the training they receive isn’t effective in changing employee behavior regarding information security.

PwC, a global consulting firm, intends to remedy this situation by teaching cybersecurity through its game, Game of Threats, which allows senior executives and board members to deal with real-world cybersecurity situations by competing against each other, playing as either the attackers or defenders.

Attackers must choose their tactics, methods of attack and skills, while defenders must develop defense strategies by investing in the right technologies and talent to respond to the attacks.

David Burg, Global and U.S. Cybersecurity Leader said, “The idea of Game of Threats came after a desperate need to educate Boards and C-Suite, who have little technical expertise. The game allows you to think like a hacker, and serves as a good education tool on cybersecurity — that’s why they play as both sides.”

Game of Threats rolled out in the U.S. one year ago and more recently in Melbourne and Sydney. The game is played for up to eight hours at a time by finance auditors, compliance employees and C-suite and other boardroom executives, so they each get a taste of the battle their cybersecurity team faces every day.

Game of Threats was PwC’s first shot at gamification, but given the success, the company plans on using the concept in other areas. “We’re considering games for financial crime and also crisis management in general — anything such as a product recall or a natural disaster,” says Richard Bergman, PwC’s cyber partner. “It helps companies to understand how well prepared they are.