Illustration via Max Fleishman (CC-BY)
The cybersecurity industry is dealing with seemingly insurmountable challenges on many fronts. On the one hand, we’re faced with the yearly growth of data breaches in number, size, severity and complexity. On the other hand, there aren’t enough cybersecurity experts to deal with the mounting cyber-threats that are endangering individuals, companies, organizations and government agencies, and the cybersecurity talent rift is widening as we proceed.
One of the approaches that is showing promise is gamification, or the use of gaming mechanics in cybersecurity. Gamification is the process of engaging people and changing behavior using game mechanics in a non-game context. Competition, personal achievement and rewards are elements that can trigger strong emotions and motivate people to become more actively involved in domains that are otherwise shunned and avoided because of their complexity and arduousness.
This is a growing trend that is helping a lot in improving cybersecurity in different areas, including the implementation of security practices, the discovery of security vulnerabilities, and the recruitment of talent.
One of the mains areas where cybersecurity is lacking is true implementation of security practices at the employee and executive level in companies and organizations. Most average users are oblivious to the plethora of cyber threats that surround them, and thus do not appreciate the importance of the rules and regulations set by the IT security department in the company.
'Security actually can be fun when you apply game mechanics to it.' —Connie Stack, chief marketing officer at Digital Guardian
This has effectively led to a divide between the security department and most everyone else, the former perceiving the latter as “idiots” that cause security incidents, and the latter perceiving the former as the noisome bunch who are always putting spokes in the company’s wheels. Security departments become too harsh in their judgment of employees, employees become too negligent in their abidance of security rules, and the organization suffers as a whole.
“If we ask anyone to think about a typical interaction with their security team at work; or security software they have to use, like one-time password tokens, anti-virus or DLP, they may actually start twitching,” says Connie Stack, chief marketing officer at Digital Guardian. “That’s because they’re all a complete hassle and perceived as barriers to getting your job done. Whether it’s a CEO, a restaurant manager or a receptionist, the mere mention of security will draw deep groans.”
But it doesn’t have to be that way, Stack argues. “Security actually can be fun when you apply game mechanics to it.”
That is the idea Digital Guardian uses in its Data Defender game concept, which was first introduced in the RSA 2016 security conference at Moscone Center in San Francisco. Basically, Data Defender is a cost-free gaming system that can help companies bring the security staff and the average employees on the same team to fight cyber-threats.
Having been around video games most of their lives, millennials are very adept at finding their way into games and gaming mechanics. And as they enter the workforce en masse, gamification can prove to be their bridge to many unknown areas. “Employers would be wise to incorporate gamification into as many aspects of their jobs as possible—particularly around security awareness,” says Stack.
The traditional approach in cybersecurity is to detect and punish bad behavior and practice in the organization. The method proposed by Digital Guardian is to not only penalize the bad behavior, but to also address and reward abidance by security rules. As Stack puts it, “Employees are your last line of defense for data protection. Making the often too-dull business of cybersecurity more engaging will help improve the security posture of any organization who does it.”
The Data Defender system will award users with scores for actions that conform to security best practices, such as sending an email that doesn’t trigger a policy violation or using a corporately-approved cloud engine. Users will receive printable badges after reaching milestones, and will receive gift cards after earning a specific number of points.
“If encrypting credit card data in an e-mail before you send it could earn you a cool badge, and 10 badges could earn you a $25 Amazon gift card, you’d be more likely to encrypt that data,” says Stack. “That’s why we introduced DG Data Defender, to add a layer of fun to protecting sensitive information like credit card and social security numbers.”
Gamification is also helping in rooting out bugs and security holes in different products. For years, researchers and whitehat hackers who found and reported vulnerabilities in software were chided—and in some cases prosecuted—by angry manufacturers who accused them of meddling with the company’s code.
That is a mentality that has changed in recent years, as many companies have launched bug bounty programs, where researchers are rewarded for finding gaps in the firm’s software. Most major tech firms such as Google, Microsoft and Facebook already have such programs, and the Department of Defense has recently launched its own bug bounty. Bug bounty and security researcher enrolment has gained enough traction to deserve its own dedicated platform,HackerOne, where companies can find and hire talent required to test their software source code.
Of special interest is Uber’s recently launched bug bounty program, which will pay up to $10,000 for a critical bug found. But what makes Uber’s bug bounty unique is the way it involves competition and gaming mechanics in order to find the best researchers and keep them engaged.
This is definitely a win-win situation.
“There is actually only a small pool [of qualified researchers] who can find bugs in these applications, a small percentage and you want to grab their attention and keep it,” says Collin Greene, a security engineer who helped develop this program for Uber. Greene was previously involved in setting up a similar program at Facebook along with HackerOne CTO Alex Rice.
Uber’s first loyalty program starts on May 1 and will last for three months. During that period, researchers who find four bugs will be given a bonus on their fifth and subsequent bug reports. Uber also adds to the gamification by offering participants a “treasure map” which provides valuable information about where to start looking for bugs and vulnerabilities.
This is definitely a win-win situation, in which hackers get rewarded for their hard work and Uber builds a more secure platform.
Other use cases of gamification in the cybersecurity industry involve the use of contests and challenges to find talent and encourage experts from different IT backgrounds to join the cybersecurity workforce. Cyber Security Challenge UK has led a terrific effort in this regard through its yearly competitions, in which players fight simulated threat situations in gaming environments.
“We’ve seen that traditional recruitment methods, used in other industries, just don’t work in cyber security,” says Stephanie Daman, CEO at Cyber Security Challenge UK. “However, there is a noticeable pattern between gamers and those that show significant skills in the industry.”
Cyber Security Challenge UK proves that you don’t necessarily need a hard-earned security certificate to get started on a successful cybersecurity career. The winner the competition’s most recent iteration, which took place last November, was a 38-year-old network engineer for a car dealer, who was offered career-enhancing prizes and lucrative job opportunities at different tech firms.With cyber threats looming on the horizon, we need every tool at our disposal to help overcome the inevitable challenges that lie ahead.
In Stack’s words:
“We’re definitely in the midst of a much bigger cybersecurity battle than we’ve ever seen. Whether the culprits are nation-state sponsored attackers, typically associated with the phrase cyberwar, or sleazy hackers who commit cybercrimes, we need to start building cybersecurity armies to help us win this new battle. Gamification or game mechanics will play a big role in building that army. If you make the game of cybersecurity more engaging and rewarding, you will get more recruits for your army.”