7

Gamification, which is the use of game design elements and game mechanics in a non-game context, is a heavily discussed topic. Looking at the behavioral impact of Gamification, it has potential in educating users in IT security and rewarding secure behavior, especially in a corporate environment.

Applications that I found are mostly serious games, with the exception of Privacyville, which is not a game itself, but a "gamified" privacy policy (which is more like what I'm looking for).

http://www.funtheory.net/internetsecuritygames.htm

http://www.healthit.gov/sites/default/files/cybersecure/cybersecure.html

http://cisr.nps.edu/cyberciege/index.htm

http://company.zynga.com/privacy/privacyville

What applications are there that gamify IT/corporate security in particular?

  • Which security tools apply gamification mechanics or elements?

  • Which companies use these techniques to educate or reward their employees for security compliance? (like giving them achievements, badges, scores or rank them in a leaderboard)

J_rgen
  • 187
  • 4
  • 8
    [Ahhhhem](http://security.stackexchange.com/). – Adi Jul 10 '13 at 09:59
  • An interesting idea. Suggest you soften the second phrase (the one with "undoubtedly") and perhaps reword it into a question. I cannot think of anything but "[Whack](https://en.wikipedia.org/wiki/Whac-A-Mole) the [mole](https://en.wikipedia.org/wiki/Mole_(espionage))" game right now. The problem is security should be as non-intrusive as possible to let people concentrate directly on maximizing the real objective of their business. – Deer Hunter Jul 10 '13 at 10:04
  • 3
    J_rgen, suggest looking into various CTF events in which the team of plankholders from this forum regularly participates. More information can be found in [Meta Sec.SE](http://meta.security.stackexchange.com/) – Deer Hunter Jul 10 '13 at 10:07
  • 1
    I've heard of some companies that use the data provided by [PhishMe](http://phishme.com/product-services/how-phishme-works/) as a game - leaderboards etc. – Michael Jul 10 '13 at 10:22
  • You mean like this site? – zedman9991 Jul 10 '13 at 12:02
  • Adnan, your link just leads to the home page of this site. Sorry if the question is a little vague, it's also because the topic itself is still in early research. What I am looking for are concrete examples, rather than a discussion about the value of Gamification. – J_rgen Jul 10 '13 at 14:42
  • 1
    I am currently developing a product for this very thing and I am voting to reopen because I want to hear the community's thoughts. – schroeder Jul 10 '13 at 15:23
  • 1
    @J_rgen Not at all, your question is very clear. I pointed at this site for a reason. Check your rep, check its position, see how many badges you have. Do you see the notifications when you earn a new badge? Do you see your rep increase with each good thing you do? Go to "Users", check the scoring boards, see the ranks. The StackExchange network is, IMO, the biggest example of gamification on the Internet. This site is about IT security. There's your example. – Adi Jul 10 '13 at 16:36
  • Thanks, I'm aware that SE has gamification features, like many other social media sites do. It's a good example for gamification in general, although this site is more of an educational tool than a security tool (that has direct impact on security). If my question was clear, why did you put it on hold? – J_rgen Jul 11 '13 at 07:25
  • @Adnan Wouldn't that be a cool twist. Tell all of a company's employees to join Sec.SE and to get a rep of 600 by the end of the year from answers alone. It might be insane enough to try, actually .... – schroeder Jul 11 '13 at 15:39
  • Right now, I'm feeling like a necromancer, digging out this old thread... maybe you'll have a look at www.awarity.at – Dr.Ü Dec 06 '14 at 13:53
  • Wow, thanks for that. That's even a local company for me. :) Too bad I'm not working on this project anymore. – J_rgen Dec 16 '14 at 13:42

2 Answers

1

Every program I have heard of (and there are only a few) is home-grown and has had mixed results, mostly due to the program's design. I, myself, am developing a program to incorporate Gamification into an ongoing Phishing awareness training. My hope is to leverage my successes in this one area to expand into others areas of user security training, but this approach is very new.

One huge modification I made was to remove all references to 'Gamification' because it causes confusion. Instead, I use the terms 'active feedback metrics' and 'comparative metrics' and hope that I don't sound too corny ('shifting the paradigm' and all that ...).

My goals in design are:

  • behavioural modification instead of knowledge transfer
  • short training/interaction time
  • training that increases in difficulty after user success
  • active instead of passive learning
  • short times between interactions
  • simple 'scoring' (a.k.a 'instant active feedback') that can be shared with peers

One of the unexpected benefits to Gamification is that it is possible to lead users into far more complex material than would be possible through passive learning alone. Users are enticed to tackle the optional material to get their score/reward/achievement/bragging rights/active feedback.

From my experience, I think that Gamification can be used to fill the gaps in traditional security training because, ultimately, we don't want users to just 'know' what they should do, but to 'do' what they are supposed to do, even if they don't exactly know why (although the knowledge itself is beneficial). That means that what we need to focus on is behavioural modification, and Gamification is uniquely suited for this purpose.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • I, too, am working on an idea of changing user behavior with Gamification mechanics. The model would use feedback, reward and competition mechanics to change behavior in the long run. I.e. giving the user direct feedback and rewarding him when he acts security-aware, instead of punishing him or constantly advising him when he doesn't. – J_rgen Jul 12 '13 at 06:55
  • 1
    I've been doing a lot of research into positive reinforcement and Karen Pryor's work. I encourage you to look at some of her work, too. – schroeder Jul 12 '13 at 20:22
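The design goals in the answer above (feedback on behaviour rather than knowledge, difficulty that rises after success, no punishment for failure, simple scores that peers can compare) can be turned into a small scoring model. The following is an added illustration, not schroeder's product or any vendor's code; the level cap, point values and the three participants' outcomes are constructed assumptions.

```python
"""Toy 'active feedback' model for a phishing-awareness programme.

Added example: each simulated lure has a difficulty level; reporting it
earns points proportional to that level and raises the next lure's level,
while clicking earns nothing and lowers the difficulty one step so the
user is not punished, only brought back to material they can succeed at.
"""
from dataclasses import dataclass, field

MAX_LEVEL = 5  # assumed cap on lure difficulty
POINTS_PER_LEVEL = 10  # assumed reward scale


@dataclass
class Participant:
    name: str
    level: int = 1  # difficulty of the next simulated lure
    score: int = 0
    history: list = field(default_factory=list)


def record_interaction(p: Participant, reported: bool) -> dict:
    """Apply one simulation outcome and return the instant feedback.

    reported=True  -> the user reported the lure (desired behaviour)
    reported=False -> the user clicked or ignored it
    """
    lure_level = p.level
    if reported:
        gained = lure_level * POINTS_PER_LEVEL
        p.score += gained
        p.level = min(MAX_LEVEL, lure_level + 1)  # harder next time
    else:
        gained = 0  # no point deduction: feedback, not punishment
        p.level = max(1, lure_level - 1)  # easier next time
    p.history.append((lure_level, reported))
    return {
        "lure_level": lure_level,
        "gained": gained,
        "next_level": p.level,
        "score": p.score,
    }


def leaderboard(participants) -> list:
    """Comparative metric shared with peers: (name, score), best first."""
    ranked = sorted(participants, key=lambda q: (-q.score, q.name))
    return [(q.name, q.score) for q in ranked]


def run_simulation(outcomes: dict) -> dict:
    """Replay a series of outcomes per user; outcomes maps name -> [bool]."""
    people = {}
    for name, results in outcomes.items():
        p = Participant(name)
        for reported in results:
            record_interaction(p, reported)
        people[name] = p
    return people


# Constructed sample data: True = reported the lure, False = clicked it.
SAMPLE_OUTCOMES = {
    "alice": [True, True, False, True],
    "bob": [False, False, True],
    "carol": [True, True, True, True, True, True],
}

if __name__ == "__main__":
    people = run_simulation(SAMPLE_OUTCOMES)
    for name, score in leaderboard(people.values()):
        print(f"{name:6} score={score:4} next lure level={people[name].level}")
```

Carol never fails and therefore reaches the level cap and the most demanding material after four lures, which is the "lead users into more complex material" effect the answer describes; Bob's two early failures keep him at level 1 until he succeeds once.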
0

I perform pentesting from time to time and was at a financial company meeting with their architects, etc. It was conveyed to me that their Information Security "guru" had come on board and tried doing something similar. The outcome was horrible. I was told many were offended by the manner in which this person was conveying security and risk. E.g.: he had cardboard cutouts of people with guns with verbiage like: "This criminal wants your password, etc."

Businesses are in the business to make money. Security has no tangible ROI and anyone pitching stats (AV*EF=SLE), whether it is qualitative or quantitative. Arguments can be made for and against this and Murphy's Law will trump them all. With that said, what benefit does a company have in spending tangible resources for a game?

Now, this was answered in the sense that, I inferred it to be a question towards security policies and procedures as a whole. The "hacme bank" comment might work in a security based field, it may work to illustrate risk to say programmers and web developers, but to the average person (receptionist, account manager), they'd be like a deer in headlights (confused).

A program like this would cost (man hours, time spent away from work for games, etc.), so unless it can be proven to, say, Board Members (in a big corp.) or seniors (CEO, CFO, etc.) that it can MAKE money somehow, I don't see it becoming a norm. While you can pitch "It can save money" to a CEO, COO, CFO, they're likely to look for a "technical" solution (firewall, email proxy, etc.) which is more cost-effective than having, say, N amount of man hours lost on a game.

Do the math:

Big Corp (10,000 employees)
Security Game (1/2 hour of time)
Game Plays (once per quarter)
Employee Salary $7.25

If everyone was paid minimum wage, the cost per play in wages would be $36,250.00 per quarter, not including the cost to set it up, any servers, potential business losses due to someone playing, etc. At this pace, keeping people informed normally (once per quarter) would cost $145,000.00 on salaries alone. (7.25 [salary] * 10,000 [# of employees] / 2 [half hour of time] * 4 [times per year]) A CEO/CFO/CTO is immediately going to look for a technology to solve this issue. E.g., an email proxy server to detect phishing may cost $30,000.00; a quick email costs nothing. Doesn't make too much financial sense to bring "games" into the environment. Business is just that, about making money.

munkeyoto
  • 8,682
  • 16
  • 31
  • 3
    I'm not sure you've understood the original question. It is not about playing a security game but about using techniques used in game design to improve human response to a given case of problem ([*](http://en.wikipedia.org/wiki/Gamification)). In the context of security, it wouldn't be referring to marketing idea (like your cardboard password thief) but to rewarding positive behavior (like giving points for answers in a community web site and establishing some form of ranking). – Stephane Jul 10 '13 at 13:22
  • According to your logic, any educational initiative would not be deemed valuable because it would not directly bring in revenue. There is ample evidence to the contrary. – schroeder Jul 10 '13 at 15:22
  • 1
    According to my logic: "education is secondary to making money for a business." It is easier to shift risk. – munkeyoto Jul 11 '13 at 12:07
  • OK, now compare this "cost" of a few minutes per employee per quarter with what this lack of information could cost the company in case it (indirectly or directly) leads to a breach, or simply a downtime of a few hours... – Olivier Dulac Jul 11 '13 at 14:45
  • Olivier, I am not disagreeing with the fact that it is more cost effective whatsoever. I am all for it; however, it's been my experience with C-levels that their concerns (revenue), no matter how it's spelled out, greatly differ from my concerns (security). Most take an "it hasn't happened to us" approach. – munkeyoto Jul 11 '13 at 14:57
  • @munkeyoto While I, too, have experienced similar resistance from some C-levels, your answer offers no value to the OP and sounds like a general rant. I have met with multiple companies that value security education but feel that the effectiveness can be difficult to measure. Gamification is growing in popularity in order to meet this need. – schroeder Jul 11 '13 at 15:17