Brain Plasticity: Quick Gamification for Enabling Risk Discussions with the C-Suite

I love cyber. I love teaching. And, truthfully, I think that bringing in more teachers to work with cyber professionals and train them is one of the best ways to overcome the disconnect between the business leaders and the cyber risks inherent in business operations. So, to focus on how to do that and why gamification matters, I wanted to start with the science of the brain and then show how to use that for more effective interactions.

What is brain plasticity?

At its core, the term refers to the brain’s amazing way of rewiring itself and making new neural connections. Our brains are pretty amazing computers. As such, when they have new experiences, they learn from them. Brain plasticity can be either functional or structural.

For our purposes, structural plasticity, which allows the brain to change the physical structure as a result of new experiences, is going to be a key for working with the c-suite.

How to increase structural plasticity

So, a lot of recent research focuses on using food, vitamins, nutrients, and creating a healthy lifestyle. Unfortunately for you, as an information security professional, these options are pretty much useless.

However, two things in the research are useful when training workforce members or talking about cyber risk strategy.

First, physical activity tends to promote learning and memory. Now, I’m not suggesting that you’re going to be getting everyone on an exercise routine to promote cyber awareness, but there’s definitely something to be said about promoting a kinesthetic approach to working with people who need to learn cyber.

Second, the research also indicates that cognitive engagement promotes brain plasticity. Functionally, if people are mentally engaged, their brains can become more resilient and learn tasks faster.

What does this mean for cyber?

Let’s be honest, when was the last time you told people you needed to talk to them about information security or do a training, and you heard everyone groan in unison?

I get it. Remember, I spent 11 years teaching very resistant first-year college kids.

And why do people hate this? Because you’re talking at them or making them read some kind of boring training module that has no impact on their existence.

This means that to get buy-in we need to start approaching employees and the c-suite in ways that engage their cognitive functions. Sitting at a desk and answering the world’s most boring multiple choice quiz isn’t going to do any good. We need to start getting people moving and engage their brains more.

But how can we do this?

Creating a cyber security training program doesn’t have to be boring. And, in fact, it doesn’t have to be super time consuming either. It does, however, mean being purposeful.

When I spoke about “Getting to Yet” I defined the core strategies of growing the brain:

Set clear objectives

Communicate high expectations

Foster growth

All of these work if you think about gamifying cyber education - and I am not the first person to suggest that approach.

In a 2016 SANS presentation, Masha Sedova outlined some of the key elements of gamification. Back in March 2018, Associate Counsel for the Peace Corps, Greg Walters, also explained the value of gamification in cybersecurity education.

As an educational model, it works. As a teacher, I used gamification to promote classroom discussion, awarding points based on specific behaviors. And guess what? Most of the kids found the idea novel. If you’ve ever run a training, I’m sure that you’ve heard the infamous “crickets” when you ask a question. After several years of that, I finally decided I was tired of hearing myself speak. So I created a points system that awarded risk taking (a growth mindset value) while also valuing discrete behaviors that I wanted the students to practice. For example:

Raising your hand and answering a question: 5 points

Using a textual reference in a response: 50 points

Building on a peer’s response with another textual reference: 75 points

I also subtracted points for behaviors I hated.

Coming late to class: -10 points

Derailing class discussion: -20 points

Falling asleep in class: -40 points

Leveraging Gamification for Brain Plasticity with The C-Suite

So, you’re not going to be able to kick your CEO or CFO out of the meeting for ignoring you. But, you’re going to get more interest if you help them understand risk in business terms.

Running a c-suite or Board of Directors training that incorporates hands-on interaction with risk is one way to move past “talking at” and into “talking to.” It really doesn’t have to be difficult either.

At the core, what you need to do is run a basic role-playing game where they can interact (kinesthetic/mobility) with information and be cognitively engaged. You need to establish a series of roles, controls, events, and responses.

In its most simplistic form, you can simply focus on an element of cybersecurity and show how it impacts the business. For example, if you want to focus on passwords you could set up a scenario as follows:

  1. Give a 10-15 minute discussion on passwords, password strength, and controls.
  2. Then ask the members in attendance to set controls in response.
  3. Award points for controls (I’ve used a few basics that add up to 75 points total).
  4. Create a cyber attack scenario:
  • A cybercriminal uses a purchased program on the dark web to obtain access to login information.
  • The data breach costs a total of 35 points. (Again, this can also be customized to align to the number of controls you set.)
  5. Tell people to tally the points they earned from the controls they set, then subtract the 35 points of the data breach.
  6. At the end, the person with the most points remaining wins.

How to Gamify Budget Conversations

The above example helps give insights into how controls mitigate threats. But, it doesn’t really help you when you’re trying to talk senior management into funding a new automated compliance or security monitoring capability that you want. So, how do we move from “knowledge” to “practice”? We switch it up a little bit.

  1. Set a budget: $300 overall.
  2. Provide a series of costs that align to what your business leaders want for the year.
  3. Assign “protection” points for each choice (some are negative), which you reveal only after they make their budgetary decisions based on business objectives (you can customize these based on what you think is most important and/or useful to the organization):
  • SaaS Marketing Platform: -20
  • SaaS Governance Platform: 20
  • Continuous monitoring platform: $20
  • IAM platform: 100
  • IAM with PAM: 200
  • Password Management Program: 300
  • AI-Based Monitoring Solution: 400
  • VPN for remote employees: 400
  4. Create a cyber crime scenario as above (if you want to mess around with the points, incorporate a total for things like legal and reputational impact as well).
  5. Tally up the protection points and subtract the data breach impact.

What does this do?

Fundamentally, this gets the people involved engaged. You’re incorporating at least two of the primary strategies for encouraging brain plasticity: cognitive and physical engagement.

However, you’re also giving your c-suite and Board an approachable model that allows them to easily quantify either controls or technology costs.

I continue to maintain that it’s not that business leaders don’t believe cybersecurity matters. It’s that they can’t integrate that information in ways that are meaningful to them. Most of cybersecurity risk management is a “what if” scenario, and that makes it hard to put a hard number on. However, if you engage them in a meaningful way, you can create stronger controls and make your life easier.