This article was published on June 24, 2016

4 ways gamification is advancing cybersecurity


4 ways gamification is advancing cybersecurity

There’s no doubt that the cybersecurity industry is in dire straits.

Each year, data breaches are growing in size, numbers and severity while the cybersecurity talent gap is widening and there aren’t enough experts to fill vacant posts. And with internet-based services encroaching over every aspect of our lives and tasks, new vulnerabilities are sprouting every day, providing malicious actors with new possibilities and attack vectors to carry out their evil deeds.

Every person, every connected device and every piece of software running on the network can become an exploit opportunity, and there’s only so much that can be done to plug the endless stream of security holes that are being discovered.

One method helping immensely in overcoming these problems is the use of gamification, which employs gaming mechanics to deal with non-gaming situations. The use of gaming concepts is helping in many ways break the complexity of cybersecurity tasks and create motivation for collective efforts to deal with the rising challenges.

Here’s how gaming and gamification is helping transform the cybersecurity space for the better.

Raising awareness among employees and board members

Human errors account for a large part of security incidents in organizations and companies. Many data breaches occur as a result of an ignorant employee opening a malware-infected email attachment, clicking on a link to a malicious site, or carelessly attaching a virus-infected thumb drive to one of the corporate computers.

However, instructing employees and executives on security rules presents its own set of challenges and firms are suffering from cyberattacks largely because they fail to provide effective and behavior-changing training for their staff.

The folks at PwC, a global consulting firm, believe that gaming can have an effective role in remedying this situation. Game of Threats is a software aimed at educating board members and senior executives in security principles and concepts by providing them with a gaming environment where they can play simulations of real-world cybersecurity simulations.

Participants can play the role of either attacker or defender and compete against each other by investing in skills, tactics, talent and tools. This is a tool that allows participants to see both sides of a cyberattack, helping them become more aware of how security incidents take place and better prepare for and react to security threats.

Improving implementation of security principles and rules

Even when fully instructed, many employees continue to ignore security rules and principles, especially when they’re faced with fast approaching deadlines and overdue tasks. The problem is that security rules are often perceived as cumbersome and mundane, excessive and unrewarding caution that can be overlooked for the sake of other pressing matters.

The lack of incentive in carrying out security measures is a contributing factor to employees and executives letting their guard down and paving the way for security breaches.

Digital Guardian, a security firm renowned for its data loss prevention (DLP) solutions, is integrating gaming mechanics into cybersecurity measures in order to transform the experience into a rewarding game that will encourage employees at all levels to become engaged in data security programs and help protect their organizations and firms against cyber-threats.

Data Defender, which the firm names its free gaming concept, is a shift from the traditional cybersecurity approach, which implies identifying, reporting and punishing non-conformant behavior. The Digital Guardian team suggests that by rewarding good behavior instead of only punishing bad ones, employees will become more motivated to continue abiding by security rules, even when they’re focused on other critical targets and goals.

Users accumulate points when they conform to security practices, such as sending emails without triggering security policies, or upon using company-approved cloud services.

Employee scoreboards are used to add an element of competition. Users are awarded badges upon reaching specific milestones, such as sending 1,000 safe emails, and finally they will earn prizes such as e-store gift cards when they amass enough points.

Finding and recruiting cybersecurity talent

A Cisco study indicates that there’s a global shortage of more than a million IT security pros, and the gap is slated to rise to as much as 1.5 million by 2019. Consequently, many organizations are faced with vacancies in critical security posts, which lead to greater vulnerabilities and higher risks of data breaches.

Nonprofit organization Cyber Security Challenge UK is helping draw and recruit fresh talent into the cybersecurity industry by setting up yearly gaming competitions in which anyone can take part and participants can their skills against simulated threat situations.

Cyber Security Challenge uses CySphinx, a gaming environment designed for testing and recruiting cyber talent. The 3D platform enables gamers to interact with each other and industry experts to gain knowledge and skills. Competitors are assessed for a host of abilities, including technical, presentation, teamwork and communication.

The competition’s qualifying rounds take place in an online platform, but the finals take place face to face, and the winners are rewarded with prizes and job opportunities at government agencies and large tech firms such as GHCQ and Northrop Grumman.

Cyber Security Challenge UK provides an opportunity for anyone with IT and coding experience to start a career as a cybersecurity expert. The winner of the competition’s most recent event was a network engineer working for a car dealer.

Rooting out vulnerabilities in software

Every year, software vulnerabilities account for a large number of data breaches. No matter how much in-house testing an application goes through, it’s likely that more bugs and possibly-serious loopholes are found after it is released.

In order to make sure that vulnerabilities are discovered by the right people before being exploited by malicious actors, big tech firms and government agencies are now launching bug bounty programs, which allow ethical hackers and security researchers to be rewarded for their efforts in finding and reporting bugs.

Tech giants such as Google, Microsoft and Facebook have already rolled out such programs, and the Department of Defense has also declared its own bug bounty.

One of the most interesting bug bounties belongs to Uber, which has thrown in competition and gaming touches to keep the best researchers engaged. Participants can earn up to $10,000 dollars for the discovery of critical bugs.

The program includes a “treasure map,” which helps researchers find their way around Uber’s ride sharing platform and focus on finding bugs in critical and vital areas.

It also has a loyalty program which will reward researchers who find more than four bugs in a specific period of time, encouraging them to engage more actively in the program.

Get the TNW newsletter

Get the most important tech news in your inbox each week.