Article

Using games to mitigate people risk in cyber security

October 17, 2018

Having long languished as an underappreciated problem for organisations, cyber security is today widely recognised as a critical business risk, with 74% of UK companies rating it as a high priority for senior management.  However, increased recognition does not necessarily mean that the problem is better understood. Cyber security is replete with impenetrable jargon and complicated concepts which often lead to it being incorrectly considered a problem for technologists that can be solved by IT departments.

In actuality, while cyber security does involve technology, at least equally important are people and processes – the users of technology and the guidelines which govern their use. For the past three decades, the people portion of this triad was viewed as a weak link. Users, it was commonly iterated, were prone to making bad security decisions (such as using and reusing weak passwords or clicking on malicious links) and were susceptible to social engineering attacks. More recently, however, there has been a shift to viewing the user as an asset rather than a liability. A properly trained and aware user can be a first line of defence to spot and avoid threats, meaning fewer technological and process solutions need to be implemented to mitigate the risks stemming from users.

Despite this shift in thinking, there has been a lack of progress in developing engaging cyber security training tools. Too often the topic is covered briefly by an IT-representative during employee onboarding or, worse, is an online presentation that users click through mindlessly before checking the box to say they have understood it. Such solutions offer no engagement value for users to take a proactive interest in the topic.

This is where games and gamification come in. Gamification harnesses the competitive streak in people to encourage them to engage with a subject without feeling like they are sitting through an enforced training session. Games offer immersive training solutions that enable players to participate in an interactive environment more conducive to retaining lessons learned.

There is a growing body of work using games and gamification for cyber security training and education. Products exist using a variety of media, both digital – ranging from simple online Flash games to comprehensive learning platforms – and analogue – ranging from playing cards to Lego models to board games – targeting audiences from children and young adults to professionals. Many of these are designed to teach about specific aspects of cyber security, such as privacy, industrial control systems, or network security, while others take a more holistic approach.

Although the quality of current games varies, this field holds great promise. Games are an effective way to introduce people to cyber security without resorting to disengaging training methods, thereby reducing the security risk posed by users and potentially saving costs on technology and increasing efficiency in processes.

The Great [Cyber] Game, an educational game developed by the author, based on the UK National Cyber Security

Image of flow chart showing the different ways to understand cyber security