As many of you know, Cyber Security Awareness Training has always been near and dear to my heart. I am a firm believer that everyone should be equipped with the right tools to defend themselves should they become the ire targets of bad actors; but over the years, I have seen somewhat of a plateau in terms of the effectiveness among my colleagues.
One of the apparent challenges many have with today’s methods of learning is literally consuming the same material without flair or consequences. In hindsight, I can see where that would be an issue. It’s like chewing the same piece of gum for an extended period of time. After the flavor is gone, it just seems like you are going through the motions. Eventually, it will lose it’s appeal or purpose and it gets discarded. Same could apply to using the same techniques year over year.
You see, as an employee, if all you are looking forward to is 1-hour of downtime clicking through screens, boredom will set in and quite quickly. The brain will not be receptive to learning because there is no interest or value with the seemingly regurgitated material. So how do you solve that as an organization?
A quick aside that will dove-tail into this post (I promise). One of my favorite networking events the last 12-months has been joining the ISC(2) Alamo Chapter. It’s been a joy getting to know all of the members as well as see the breadth of knowledge and (non-monetary) resources they have at their disposal. This month they organized an Escape the Room-esque style of event.
For months since the announcement, I didn’t know what to expect and was filled with anxiety and excitement for the event. I have seen others in the community (but outside of our Chapter) stream Capture The Flag (CTFs) content and seeing the lengths that they would go through to complete the challenges, I felt I would be outside of my depth. When I logged into this month’s meeting, I was utterly shocked at what we were getting into.
The Chapter Head introduced that they had secured a spot for all of us to participate in a web-based team builder exercise developed by a company called Living Security. The vendor specializes in Cyber Security Awareness Training for Fortune 1000 companies and/or large enterprises. What makes them unique is the format and literal gamification approach they take to providing awareness training.
Gaming Into Gear
Effortlessly, we were assigned into groups of three by the administrator. The material instantaneously captured my attention as the initial presentation was laid out as if we were agents of a secret organization. Our mission (if we choose to accept it) was to complete 10 challenges within a 1 hour timeframe. The challenges were described as an engagement of activities including the identification of security violations, OSINT (open source intelligence) and Social Engineering attacks. After the announcement of the last two activities, my ears perked up, I adjusted out of my seat and leaned in considerably. With a big smile on my face, and excitement in my heart, I yelled to my virtual team, “YEAAAAAAAAH!”
It was literally at this moment that I knew this wasn’t just a techie version of escape the room but that this would be a unique Cyber Security Awareness Training platform and I was definitely here for it.
Without spoiling the details, I will say that the initial challenge was fun; not terribly difficult which I assume was by design. We were asked to identify a variety of violations in a corporate office. This challenge was likely placed there to get us acquainted with the platform itself. In the back of my mind, I was secretly hoping the next one would be a bit more challenging.
We knocked out challenges 2 – 5 pretty quickly but as we got to challenge 6, we could tell that the difficulty was noticeably different. In the previous challenges, the leader of the group could single handedly solve the challenge without much input from the rest of the team. Challenge 6 was going to require a bit more teamwork and this is where it got fun.
Instead of playing the role of the end user or admin, we got to test our skills as the threat actor. I recall the group looking at each other with a small smirk on our faces and a nod. This was an interesting approach to learning.
In one of the challenges, we had to do our own OSINT to craft the perfect social engineering attack against our target. With a wide variety of material presented by the platform, we had to ensure that the attack we were about to purportrate was convincing enough to trick our target and gain access. This required much needed teamwork and with the clock ticking, we could start to feel the anxiety of not getting to the end, kick in.
Although we were only able to complete 7 challenges in an hour, I personally felt like I learned a lot more doing this than the traditional way of learning. After speaking with Living Security and providing feedback, I learned that they do provide a variety of different challenges with more difficulty than what was presented to us. This is good to know as we were only a small group and putting this on an enterprise scale, would require a vast amount of challenges and difficulties. To know that this is scalable is a positive sign for the company.
Is Gamification the Future of Cyber Security Awareness Training?
That is the question and I would say yes. There is something to being competitive that brings out the best in all of us and if we can harness that energy into learning something new and be effective, I believe that experience will last a lifetime, improving network security.
Unfortunately, I did not have the opportunity to inquire about their clients’ average ROIs (return on investment) or net gains by utilizing a service like this but I would definitely be interested in the metrics from a business perspective. As a security researcher, I would love to dive deep into year over year metrics and see how effective this approach is. With the increased amount of ransomware and data breach attacks in the last five year, out of the box thinking like this could be a game changer (sorry, needed at least one pun).