Why Businesses Should Start Thinking of Cybersecurity As A Game Instead Of A Problem
Cybersecurity is no doubt a serious matter, but that does not mean it cannot be approached in exciting and creative ways.
As noted internet security and fraud prevention expert Elias Manousos wrote in his Help Net Security piece, “cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down.”
The growing and evolving barrage of cyber attacks understandably makes CTOs and CISOs anxious. They incessantly keep security professionals on their toes. Would it not be better if cybersecurity were like a game that has its thrills and challenges but enjoyable?
Is it possible to make continuous security testing and cyber risk assessment less boring and intimidatingly technical? Conventionally, security is handled by professionals who regularly examine vulnerabilities, monitor security incidents, and implement solutions to prevent or remedy problems. Can a gaming mindset help improve this setup?
Taking advantage of game elements and dynamics
Games are known for their point system, accomplishments or badges, leaderboards, performance stats and graphs, and the idea of teamwork. How can these be applied to boosting cybersecurity’s effectiveness?
Point system, badges, and leaderboards
Instead of having a policy of having zero attacks, it can be advantageous for a company’s cybersecurity to reward those who spot weaknesses or vulnerabilities in the enterprise’s security system. A point system can be established to keep track of those who contribute to keeping the company’s computers, networks, and systems secure.
As reported on CIO Insight, a security firm’s study reveals that employees have a tendency to hide security incidents from their employers. Accordingly, employees do not report incidents when they happen in 40 percent of businesses.
“The ‘hide and seek’ problem seems to be most challenging for larger companies, with 45 percent of enterprises (over 1000 staff) experiencing employees hiding cybersecurity incidents, compared to only 29 percent for very small businesses,” the study writes.
This problem can have dire consequences. It can lead to critical data losses or security breaches, which could have been prevented if only the vulnerabilities were reported earlier. Employees usually veer away from reporting security incidents because they do not think it is part of their job, and they want to veer away from more obligations. There is also the fear that they could be blamed for the attack.
By making it a policy to welcome and even reward vulnerability and breach reporting, employees are more likely to help in securing the digital infrastructure and assets of an organization. It wouldn’t hurt to come up with recognitions or awards as well as a ranking of employees who provide the most security incident reports.
Performance stats and graphs
Many games generate statistics and game performance graphs to help players evaluate their gaming. These can be adopted for cybersecurity use as part of the continuous security testing and cyber risk assessment plan.
Keeping information about cyber attacks and the discovery of vulnerabilities provides a comprehensive view over the cybersecurity status of an organization. It can show where work is needed to strengthen defenses. It can also help detect if the attacks are already unusual and facilitated by an insider.
Compiling and monitoring cybersecurity statistics, however, only works with the point system in place. It is impossible without everyone in the organization motivated to report all the security incidents and vulnerabilities they encounter. There is nothing to report and analyze if the security incident data is sparse and not representative of what is really happening with the organization.
Many modern games, especially those used in e-sports, require solid teamwork. They involve groups of players who must coordinate their efforts to ensure the success of the entire team. Nobody can be a non-performer. If someone needs help, other team members are expected to provide assistance to avoid unnecessary losses.
Organizations need to adopt the kind of teamwork gamers employ to win their battles. Everyone should play a role. It is not only the IT department that should carry the burden of securing the computers, network, online accounts, and digital assets of a company.
As a Cisco paper puts it, cybersecurity is everyone’s responsibility. Everyone has a role to play to make sure an organization’s data and digital resources are not compromised. However, it is important to emphasize that this responsibility starts from the top. Just like in gaming, someone has to act as a leader.
National security and cybersecurity expert Samuel Visner sums it up perfectly in a piece he wrote for CSO Online. “Leadership and all members of the executive management team must be committed, and that commitment must radiate throughout every level of every department,” Visner explains.
While everyone in a gaming team is expected to be adequately skilled, the probability of a win increases significantly when there is competent leadership, when someone guides the efforts of a team toward the achievement of goals.
Cybersecurity training gamification
Social engineering is one of the most effective ways to penetrate cyber defenses, and it is identified as a factor in virtually all cyber attacks. As Proofpoint’s The Human Factor report reveals, 99 percent of attacks require human involvement (clicks by a user) compared to only around 1 percent that rely on system exploits or CVE driveby.
People are arguably the weakest link in any cybersecurity defense system. It is only logical to help them develop the wariness when it comes to cyber attacks and the ability to detect and avoid possible instances of attacks. Organizations need to minimize or completely eliminate human mistakes that lead to breaches.
To do this effectively, it helps to create a cybersecurity learning and action system that is more engaging and interactive. Tests or quizzes can be administered to boost the cybersecurity knowledge of employees instead of conducting the usual boring orientation and seminars. Also, as discussed earlier, a point and leaderboard system can be put in place to encourage everyone’s participation in ensuring cybersecurity.
George Gerchow, Chief Security Officer at Sumo Logic, attests to the effectiveness of cybersecurity gamification. “Over the course of this last year, we had a 10 percent reduction in end user risk. Most organizations, when they get compromised, it happens because an end user has a weak password, gets phished or downloads malware. The amount of education you need to do around these things is incredible. One percent to 2 percent is a win, but a 10 percent reduction is remarkable,” Gerchow said in an interview with InfoSecurity Professional Magazine.
Cybersecurity is not the exclusive responsibility of the IT department of a company. It can be more effective when it is fun and engaging. Security concerns are inherently a technical matter, but since everyone needs to be involved to achieve an excellent level of security, something needs to be done to make it relatable to ordinary employees. Adopting a gaming perspective is one way to do it.