
Gamification of Security: Making Security a Game. Spencer Wilcox, CISSP, CPP, Find this presentation at: Securiplay.com.



Presentation transcript:


2 Gamification of Security: Making Security a Game. Spencer Wilcox, CISSP, CPP, SSCP @brasscount Find this presentation at: Securiplay.com

3 ABSTRACT There seem to be two requirements implicit in security. First, stop the bad guys from doing bad things to us, and second, limit the exposure to loss so the company can make money. Is your management playing the same game? Check-the-box security is regularly dismissed by security professionals as mere compliance and a waste of highly trained staff. Instead of making security compliance the worst part of a security job, why not make it a game? Can we pay a receptionist to play a game that monitors logs between phone calls, helping to secure our networks?

4 DISCLAIMER I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own, any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided.

5 So what is Gamification?
Michael Wu – Gamification is the use of game-like mechanics to drive game-like engagement and actions.
Wikipedia – Gamification is the use of game thinking and game mechanics to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning.
Dictionary.com – No results found, do you mean Gasification?

6 What is Gamification
What Gamification is not:
– Game Theory (A Beautiful Mind; a problem-solving approach to model complex problems)
– Video Games
– Role Playing Games
– Strategy Games
– Train Games
– Board (Bored) Games

7 THE TYPE OF PENETRATION TESTING USED TO DISCOVER WHETHER NUMEROUS USERCODE/PASSWORD COMBINATIONS CAN BE ATTEMPTED WITHOUT DETECTION IS CALLED? a. Keystroke capturing b. Access validation testing c. Brute force testing d. Accountability testing

8 SURVEY SAYS? c. Brute force testing

9 What is Gamification: Using Game Mechanics
– Fogg’s Behavior Model (BJ Fogg, Stanford University)
Motivation – WANT
– Sensation (Pleasure, Pain)
– Anticipation (Hope, Fear)
– Social Cohesion (Rejection, Acceptance)
Ability – “By focusing on Simplicity of the target behavior you increase Ability.”
Trigger – Getting someone to act at the right time, when both motivation and ability are at their peak.
For more on this, search for Michael Wu: The Science of Gamification (fora.tv)

10 AN ACCESS SYSTEM THAT GRANTS USERS ONLY THOSE RIGHTS NECESSARY FOR THEM TO PERFORM THEIR WORK IS OPERATING ON WHICH SECURITY PRINCIPLE? a. Discretionary access b. Least privilege c. Mandatory access d. Separation of duties

11 SURVEY SAYS? b. Least privilege

12 So how does this apply to me?
Gamification has three direct applications to security:
– Gamification to increase employee engagement and employee retention
– Gamification to increase employee productivity, by simplifying work and by increasing motivation.
– Gamification to increase executive buy-in.

13 WHICH OF THE FOLLOWING IS A MALICIOUS PROGRAM, THE PURPOSE OF WHICH IS TO REPRODUCE ITSELF THROUGHOUT THE NETWORK UTILIZING SYSTEM RESOURCES? a. Logic bomb b. Virus c. Worm d. Trojan horse

14 SURVEY SAYS? c. Worm

15 Increase Employee Engagement
Gamify the work experience
– Immediate gratification
– Achievements for completions
– Achievements for certs, degrees, promotions, years of experience, etc.
Gamify the Bug Hunt
– A note for finding the bug, a badge (and spot bonus) for following it through the GRC
Gamify Secure Coding
– If your code makes it through code review with no bugs, WIN FABULOUS PRIZES!
Gamify Incident Detection
– APT detection (much like the bug hunt.)
Pro-Tip: Help solve the “Never a Prophet In Your Own Land” syndrome. Create a team intranet site, and DISPLAY your employees’ earned badges. Make it the Security LEADER board.

16 ALL YOUR BASE? a. Are Hidden On Dantooine. b. Are Belong To The Kilrathi. c. Are Belong To Us. d. Are being closed in BRAC.

17 SURVEY SAYS?

18 Increase Employee Productivity
Let’s build a game:
– Needs to engage your employees
– Solve a problem.
– Be simple enough to understand, motivating enough to challenge.
Candy Crush
A real-world problem:
– Log Monitoring
– Receptionists with free time
– A match made in gamification heaven.
Did you play Galaga to “Earn the High Score”, to “Knock off the guy in number 1,” to “Hang at the arcade with your buddies,” or to “See the Mothership?” Richard Bartle, PhD notes that there are four player personality types: Achievers, Killers, Socializers, Explorers.
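The slide proposes turning log monitoring into a game for staff with idle time but does not spell out the mechanics. The following is an added example, not code from the talk or from securiplay.com, that sketches one way to do it: a referee function holds the answer key (a burst of failed logins from one source, and a successful login from outside an assumed internal network), a round is scored like an arcade game (points for true hits, a penalty for false alarms), badges reward completeness, and a leaderboard gives the Socializer and Killer player types something to compete over. Host names, user names, addresses, the 10.0.0.x "internal" prefix, and the threshold of five failures are all constructed for the example.

```python
"""Toy log-review game: score a player's triage of constructed sshd log lines."""
import re
from dataclasses import dataclass, field

# Constructed sample log lines (syslog-like; hosts, users and addresses are invented).
SAMPLE_LOG = [
    "Jan 10 09:01:12 web01 sshd[4021]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 10 09:02:40 web01 sshd[4050]: Failed password for root from 198.51.100.7 port 40111 ssh2",
    "Jan 10 09:02:41 web01 sshd[4050]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Jan 10 09:02:43 web01 sshd[4050]: Failed password for root from 198.51.100.7 port 40113 ssh2",
    "Jan 10 09:02:44 web01 sshd[4050]: Failed password for root from 198.51.100.7 port 40114 ssh2",
    "Jan 10 09:02:46 web01 sshd[4050]: Failed password for root from 198.51.100.7 port 40115 ssh2",
    "Jan 10 09:15:03 web01 sshd[4101]: Accepted password for bob from 10.0.0.9 port 51100 ssh2",
    "Jan 10 09:30:00 web01 sshd[4200]: Accepted publickey for alice from 203.0.113.44 port 4444 ssh2",
]

FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
INTERNAL_PREFIX = "10.0.0."   # assumed internal network for this toy
BURST_THRESHOLD = 5           # assumed number of failures that counts as a burst


def referee(lines):
    """Answer key: map line index -> finding kind for every line worth flagging.

    Two simple rules (count-only, no time window, for brevity):
    - BURST_THRESHOLD or more failed logins from one source -> 'brute_force'
    - a successful login from outside INTERNAL_PREFIX -> 'external_login'
    """
    fails_by_src = {}
    for i, line in enumerate(lines):
        m = FAIL_RE.search(line)
        if m:
            fails_by_src.setdefault(m["src"], []).append(i)
    labels = {}
    for idxs in fails_by_src.values():
        if len(idxs) >= BURST_THRESHOLD:
            for i in idxs:
                labels[i] = "brute_force"
    for i, line in enumerate(lines):
        m = ACCEPT_RE.search(line)
        if m and not m["src"].startswith(INTERNAL_PREFIX):
            labels[i] = "external_login"
    return labels


@dataclass
class Round:
    player: str
    flagged: set
    score: int = 0
    badges: list = field(default_factory=list)


def score_round(player, lines, flagged):
    """Score one round: +10 per correctly flagged line, -5 per false alarm, plus badges."""
    key = referee(lines)
    key_set = set(key)
    flagged = set(flagged)
    hits = flagged & key_set
    false_alarms = flagged - key_set
    missed = key_set - flagged
    score = 10 * len(hits) - 5 * len(false_alarms)

    badges = []
    burst_lines = {i for i, kind in key.items() if kind == "brute_force"}
    # Achiever badge: caught every line of the brute-force burst.
    if burst_lines and burst_lines <= flagged:
        badges.append("Brute Force Spotter")
    # Explorer badge: found everything and raised no false alarms.
    if not false_alarms and not missed:
        badges.append("Clean Sweep")
    return Round(player, flagged, score, badges)


def leaderboard(rounds):
    """Rank players by score (ties broken by name) for the team intranet LEADER board."""
    return sorted(((r.player, r.score) for r in rounds), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    r1 = score_round("reception-1", SAMPLE_LOG, {1, 2, 3, 4, 5, 7})
    r2 = score_round("reception-2", SAMPLE_LOG, {0, 1, 2, 3})
    for entry in leaderboard([r2, r1]):
        print(entry)
    print(r1.badges, r2.badges)
```

The answer key is deliberately separate from the scoring so a security team can tune the rules (or replace them with findings from a real detection pipeline) without touching the game mechanics; the penalty for false alarms is what keeps the game from rewarding "flag everything".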

19 WHY ARE UNIQUE USER IDS CRITICAL IN THE REVIEW OF AUDIT TRAILS? a. They show which files were altered. b. They establish individual accountability. c. They cannot be easily altered. d. They trigger corrective controls.

20 SURVEY SAYS? b. They establish individual accountability.

21 Gamify Your Management
Return on Investment is important.
– What are the tangible and intangible returns?
– Financial ROI is virtually incalculable in a large company.
– Intangible ROI may be a better return.
What experience can security provide your executives and your board?
– Earn the “Briefing at Cheyenne Mountain” Badge
– Earn the “Secret Clearance” Badge
– Earn the “Best Security Program in Class” Badge
– Earn the “Q works for me” Badge
– Earn the “Not FUD But Science” Badge
– Earn the “We PROTECT our Customers / Infrastructure / Nation” Badge

22 WHAT PRINCIPLE RECOMMENDS THE DIVISION OF RESPONSIBILITIES SO THAT ONE PERSON CANNOT COMMIT AN UNDETECTED FRAUD? a. Separation of duties b. Mutual exclusion c. Need to know d. Least privilege

23 SURVEY SAYS? a. Separation of duties

24 Bibliography See securiplay.com A formal bibliography is forthcoming.




