Gamification of Security: Making Security a Game. Spencer Wilcox, CISSP, CPP, Find this presentation at: Securiplay.com

ABSTRACT There seem to be two requirements implicit in security. First, stop the bad guys from doing bad things to us, and second limit the exposure to loss so the company can make money. Is your management playing the same game? Check-the-box security is regularly dismissed by security professionals as mere compliance, and a waste of highly trained staff. Instead of making security compliance the worst part of a security job, why not make it a game? Can we pay a receptionist to play a game to monitor logs between phone calls while helping to secure our networks?

DISCLAIMER I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own, any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided.

So what is Gamification? Michael Wu – – Gamification is the use of game-like mechanics to drive game-like engagement and actions. Wikipedia – – Gamification is the use of game thinking and game mechanics to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning. Dictionary.com – No results found, do you mean Gasification?

What is Gamification What Gamification is not: – Game Theory A Beautiful Mind Problem-Solving approach to model complex problems – Video Games – Role Playing Games – Strategy Games – Train Games – Board (Bored Games)

THE TYPE OF PENETRATION TESTING USED TO DISCOVER WHETHER NUMEROUS USERCODE/PASSWORD COMBINATIONS CAN BE ATTEMPTED WITHOUT DETECTION IS CALLED? a. Keystroke capturing b. Access validation testing c. Brute force testing d. Accountability testing

SURVEY SAYS? c. Brute force testing

What is Gamification Using Game Mechanics – Fogg’s Behavior Model (BJ Fogg Stanford University) Motivation – WANT – Sensation (Pleasure, Pain) – Anticipation (Hope, Fear) – Social Cohesion (Rejection, Acceptance) Ability – “By focusing on Simplicity of the target behavior you increase Ability. “ Trigger – Getting someone to act at the right time, when both motivation and ability are at their peak. For more on this search for Michael Wu: the Science of Gamification (fora.tv)

AN ACCESS SYSTEM THAT GRANTS USERS ONLY THOSE RIGHTS NECESSARY FOR THEM TO PERFORM THEIR WORK IS OPERATING ON WHICH SECURITY PRINCIPLE? a. Discretionary access b. Least privilege c. Mandatory access d. Separation of duties

SURVEY SAYS? b. Least privilege

So how does this apply to me? Gamification has three direct applications to security – Gamification to increase employee engagement and employee retention – Gamification to increase employee productivity, by simplifying work, and by increasing motivation. – Gamification to increase executive buy-in.

WHICH OF THE FOLLOWING IS A MALICIOUS PROGRAM, THE PURPOSE OF WHICH IS TO REPRODUCE ITSELF THROUGHOUT THE NETWORK UTILIZING SYSTEM RESOURCES? a. Logic bomb b. Virus c. Worm d. Trojan horse

SURVEY SAYS? c. Worm

Increase Employee Engagement Gamify the work experience – Immediate gratification – Achievements for completions – Achievements for Certs, degrees, promotions, years experience, etc. Gamify the Bug Hunt – A note for finding the bug, a badge (and spot bonus) for following it through the GRC Gamify Secure Coding – If your code makes it through code review with no bugs, WIN FABULOUS PRIZES! Gamify Incident Detection – APT detection (much like the bug hunt.) Help Solve the “Never a Prophet In Your Own Land Syndrome.” Create a team intranet site, and DISPLAY your employee’s earned badges. Make it the Security LEADER board. Pro-Tip

ALL YOUR BASE? a. Are Hidden On Dantooine. b. Are Belong To The Kilrathi. c. Are Belong To Us. d. Are being closed in BRAC.

SURVEY SAYS?

Increase Employee Productivity Lets build a game: – Needs to engage your employees – Solve a problem. – Be simple enough to understand, motivating enough to challenge. Candy Crush A real-world problem: – Log Monitoring – Receptionists with free-time – A match made in gamification heaven. Did you play Galaga to “Earn the High Score”, to “Knock off the guy in number 1,” to “Hang at the arcade with your buddies,” or to “See the Mothership?” Richard Bartle, PhD notes that there are four player personality types: Achievers Killers Socializers Explorers

WHY ARE UNIQUE USER IDS CRITICAL IN THE REVIEW OF AUDIT TRAILS? a. They show which files were altered. b. They establish individual accountability. c. They cannot be easily altered. d. They trigger corrective controls.

SURVEY SAYS? b. They establish individual accountability.

Gamify Your Management Return on Investment is important. – What are the tangible and intangible returns? – Financial ROI is virtually incalculable in a large company. – Intangible ROI may be a better return. What experience can security provide your executives and your board? – Earn the “Briefing at Cheyenne Mountain” Badge – Earn the “Secret Clearance” Badge – Earn the “Best Security Program in Class” Badge – Earn the “Q works for me” Badge – Earn the “Not FUD But Science” Badge – Earn the “We PROTECT our Customers / Infrastructure / Nation” Badge

WHAT PRINCIPLE RECOMMENDS THE DIVISION OF RESPONSIBILITIES SO THAT ONE PERSON CANNOT COMMIT AN UNDETECTED FRAUD? a. Separation of duties b. Mutual exclusion c. Need to know d. Least privilege

SURVEY SAYS? a. Separation of duties

Bibliography See securiplay.com A formal bibliography is forthcoming.