I love cyber. I love teaching. And, truthfully, I think that bringing in more teachers to work with cyber professionals and train them is one of the best ways to overcome the disconnect between business leaders and the cyber risks inherent in business operations. So, to focus on how to do that and why gamification matters, I wanted to start with the science of the brain and then show how to use that for more effective interactions.
What is brain plasticity?
At its core, the term refers to the brain’s amazing way of rewiring itself and making new neural connections. Our brains are pretty amazing computers. As such, when they have new experiences, they learn from them. Brain plasticity can be either functional or structural.
How to increase structural plasticity
A lot of recent research focuses on food, vitamins, nutrients, and a healthy lifestyle. Unfortunately for you, as an information security professional, those are not levers you can pull for the people you train. Two other findings are.
First, physical activity tends to promote learning and memory. Now, I’m not suggesting that you’re going to get everyone on an exercise routine to promote cyber awareness, but there is definitely something to be said for a kinesthetic approach when working with people who need to learn cyber.
Second, the research also indicates that cognitive engagement promotes brain plasticity. Functionally, if people are mentally engaged, their brains become more resilient and learn tasks faster.
What does this mean for cyber?
Let’s be honest, when was the last time you told people you needed to talk to them about information security or do a training, and you heard everyone groan in unison?
I get it. Remember, I spent 11 years teaching very resistant first-year college kids.
And why do people hate this? Because you’re talking at them or making them read some kind of boring training module that has no impact on their existence.
This means that to get buy-in we need to start approaching employees and the C-suite in ways that engage their cognitive functions. Sitting at a desk and answering the world’s most boring multiple-choice quiz isn’t going to do any good. We need to get people moving and engage their brains more.
But how can we do this?
Creating a cyber security training program doesn’t have to be boring. And, in fact, it doesn’t have to be super time consuming either. It does, however, mean being purposeful.
When I spoke about “Getting to Yet” I defined the core strategies of growing the brain:
Set clear objectives
Communicate high expectations
All of these work if you think about gamifying cyber education - and I am not the first person to suggest that approach.
In a 2016 SANS presentation, Masha Sedova outlined some of the key elements of gamification. Back in March 2018, Associate Counsel for the Peace Corps, Greg Walters, also explained the value of gamification in cybersecurity education.
As an educational model, it works. As a teacher, I used gamification to promote classroom discussion, awarding points based on specific behaviors. And guess what? Most of the kids found the idea novel. If you’ve ever run a training, I’m sure that you’ve heard the infamous “crickets” when you ask a question. After several years of that, I finally decided I was tired of hearing myself speak. So I created a points system that rewarded risk-taking (a growth mindset value) while also valuing discrete behaviors that I wanted the students to practice. For example:
Raising your hand and answering a question: 5 points
Using a textual reference in a response: 50 points
Building on a peer’s response with another textual reference: 75 points
I also subtracted points for behaviors I hated.
Coming late to class: -10 points
Derailing class discussion: -20 points
Falling asleep in class: -40 points
Leveraging Gamification for Brain Plasticity with The C-Suite
Running a C-suite or Board of Directors training that incorporates hands-on interaction with risk is one way to move past “talking at” and into “talking to.” It really doesn’t have to be difficult either.
At the core, what you need to do is run a basic role-playing game where they can interact (kinesthetic/mobility) with information and be cognitively engaged. You need to establish a series of roles, controls, events, and responses.
In its simplest form, you can focus on one element of cybersecurity and show how it impacts the business. For example, if you want to focus on passwords, you could set up a scenario as follows:
- Give a 10-15 minute talk on passwords, password strength, and controls.
- Then ask the members in attendance to pick controls in response.
- Award points for controls (I’ve used a few basics that add up to 75 points total):
- Password policy: 5 points
- Password review: 10 points
- Multifactor authentication: 15 points
- Identity and Access Management: 20 points
- Access Review: 25 points
- Create a cyber attack scenario:
- A cybercriminal uses a program purchased on the dark web to obtain login information.
- The data breach costs a total of 35 points. (Again, customize this to the number of controls you offered.)
- Have everyone tally the points they earned from the controls they set, then subtract the 35 points for the data breach.
- At the end, the person with the most points remaining wins.
How to Gamify Budget Conversations
The example above gives insight into how controls mitigate threats. But it doesn’t help much when you’re trying to talk senior management into a new automated compliance or security monitoring tool that you want. So, how do we move from “knowledge” to “practice”? We switch it up a little.
- Set a budget: $300 overall
- Provide a menu of costed items that covers both what your business leaders want for the year and the security tooling you are proposing:
- SaaS Marketing Platform: $70
- SaaS Governance Platform: $60
- Continuous monitoring platform: $50
- IAM platform: $40
- IAM with PAM: $60
- Password Management Program: $40
- AI-Based Monitoring Solution: $90
- VPN for remote employees: $40
- Assign “protection” points to each choice (some are negative). Reveal these only after they have made their budget decisions based on business objectives (customize the values to what you think is most important or useful to the organization):
- SaaS Marketing Platform: -20
- SaaS Governance Platform: 20
- Continuous monitoring platform: 20
- IAM platform: 100
- IAM with PAM: 200
- Password Management Program: 300
- AI-Based Monitoring Solution: 400
- VPN for remote employees: 400
- Create a cyber crime scenario as above (if you want to mess around with the points, incorporate a total for things like legal and reputational impact as well):
- Cyber criminal accesses customer database: -300
- Cyber criminal accesses network: -400
- Cyber criminal deploys ransomware attack: -500
- Tally up the protection points and subtract the breach impact.
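If you run either of these games more than once, it helps to have the scoring written down rather than done on a whiteboard. The following is an added example, not code from the original post: a facilitator’s scoring helper for the budget game (the password game is the same tally with no budget and a single 35-point breach). Costs, protection points and the $300 budget are the figures from this post; it assumes each item can be bought at most once and treats “IAM platform” and “IAM with PAM” as independent choices because the post lists them separately. Beyond the tally, it brute-forces every bundle under budget so the facilitator knows the ceiling any team could have reached.

```python
# Added example (not from the original post): scoring helper for the budget
# game. Figures are the post's; treating IAM and "IAM with PAM" as separate
# purchasable items is an assumption taken from the way the post lists them.
from itertools import combinations

BUDGET = 300

# item -> (cost in dollars, protection points revealed after the choice)
CATALOG = {
    "SaaS Marketing Platform":        (70, -20),
    "SaaS Governance Platform":       (60,  20),
    "Continuous monitoring platform": (50,  20),
    "IAM platform":                   (40, 100),
    "IAM with PAM":                   (60, 200),
    "Password Management Program":    (40, 300),
    "AI-Based Monitoring Solution":   (90, 400),
    "VPN for remote employees":       (40, 400),
}

# incident -> point impact, applied to every team after protection is tallied
INCIDENTS = {
    "Cyber criminal accesses customer database": -300,
    "Cyber criminal accesses network":           -400,
    "Cyber criminal deploys ransomware attack":  -500,
}


def spend(items):
    """Total cost of a bundle (KeyError on an item not in the catalog)."""
    return sum(CATALOG[i][0] for i in items)


def protection(items):
    """Total protection points of a bundle, negatives included."""
    return sum(CATALOG[i][1] for i in items)


def score(items, incidents=INCIDENTS, budget=BUDGET):
    """Final score for one team's choices, or None if they overspent.

    Mirrors the post's procedure: tally protection points for what was
    bought, then subtract the impact of every incident in the scenario.
    """
    items = list(items)
    if len(set(items)) != len(items):
        raise ValueError("an item can only be bought once")
    if spend(items) > budget:
        return None  # over budget: the team goes back to the table
    return protection(items) + sum(incidents.values())


def best_bundle(budget=BUDGET):
    """Exhaustive search for the highest-protection bundle under budget.

    Eight items means only 256 bundles, so brute force is fine and gives
    the facilitator the ceiling any team could have reached.
    Returns (protection_points, set_of_items).
    """
    names = list(CATALOG)
    best, best_items = float("-inf"), ()
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            if spend(combo) <= budget and protection(combo) > best:
                best, best_items = protection(combo), combo
    return best, set(best_items)


if __name__ == "__main__":
    # Constructed sample: a team that bought the marketing platform first.
    team = ["SaaS Marketing Platform", "VPN for remote employees",
            "Password Management Program", "IAM platform"]
    print("team spent", spend(team), "score", score(team))
    print("best possible protection", best_bundle())
```

Two things the script makes visible that are easy to miss at the whiteboard: because every team subtracts the same incident total, the breach only changes the sign of the scores, not the ranking, so the debrief should be about which controls were skipped, not about the number; and the ceiling comes from buying every security item except the two cheap ones that were squeezed out by the marketing spend.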
What does this do?
Fundamentally, this gets the people involved engaged. You’re incorporating at least two of the primary strategies for encouraging brain plasticity: cognitive and physical engagement.
However, you’re also giving your C-suite and Board an approachable model that lets them weigh controls and technology costs in plain numbers.
I continue to maintain that it’s not that business leaders don’t believe cybersecurity matters. It’s that they can’t integrate that information in ways that are meaningful to them. Most of cybersecurity risk management is a “what if” scenario, and that makes it hard to quantify. However, if you engage them in a meaningful way, you can create stronger controls and make your life easier.