Cybersecurity gamification: A shortcut to learning
Cybersecurity awareness trainings are usually a boring affair, so imagine my colleagues’ surprise when I exited the room in which I participated in a demonstration of the Kaspersky Interactive Protection Simulation (KIPS) game and told them: “You have to try this!”
This enthusiasm is apparently shared by the overwhelming majority of people who undergo one or more of the trainings that are part of Kaspersky Lab’s set of cybersecurity awareness products, game host Slava Borilin told me later.
Kaspersky Lab and cybersecurity awareness
The equation “Kaspersky Lab = antivirus” is entrenched in many a user’s brain, but the company has been branching out of the endpoint security market for a while now.
One of the market segments it has entered is that of security awareness, and it provides a complete set of solutions aimed at helping enterprises develop a cyber safety culture.
Apart from being one of the creators of the KIPS game, Borilin is also Security Education Program Manager and Security Awareness Evangelist at the company.
As he tells it, the success and effectiveness of their training products surprised even him. Users’ feedback says that over 90 percent of them use the knowledge acquired during the trainings AND recommend the training to their colleagues. “They are saying that it was exciting, and are urging their peers to take the time and go through the training. Sounds crazy, no?” he says.
Well, it might not be crazy, but it is definitely unusual. So, what’s the secret to Kaspersky Lab’s success?
In short: interactive, learn-by-doing, customized and – above all – fun trainings, and the leveraging of games and users’ natural competitiveness to teach cybersecurity awareness.
The company’s approach is based on the Safety Culture methodology developed by DuPont and utilized in thousands of large enterprises. The goal is to provide the cybersecurity know-how as well as encourage the right attitude towards cyber security (“Everybody else cares about cyber safety, so I do, too”) and induce the right behaviors that will lead to the creation of the desired cyber safety culture.
In an organization, everybody needs cybersecurity training, but not everybody needs the same cybersecurity training. There are different trainings for different groups of employees and management, at all levels of the organizational structure. For example, the KIPS game is meant for the top managers and decision makers from business, IT and security departments of an enterprise.
“KIPS is a tool that we use to teach the decision makers about the role of cybersecurity and to convince them that they need to allocate money and time for management and employees learning about cybersecurity,” Borilin notes. “The senior managers definitely need to support the creation of a cyber safety culture.”
When I mentioned that my stress level went through the roof while playing the game, he shared that this was a happy side effect that helps managers and engineers – people who are not practicing security as a job – to understand the daily pressure cybersecurity practitioners are under.
Employees go through modules that teach them about phishing, safe web browsing, email security, mobile security and so on, as well as regular assessments and simulated attacks. Line managers also go through trainings that allow them to acquire personal cyber hygiene skills, and they get trainings on cyber safe decision making, motivation and influence, and communication – in short, skills that will allow them to push the cyber safety agenda across the board.
“Middle level/line managers are the most influential people for this type of change in the company, as employees follow the example and requirements provided by their direct manager, not those of the chief executive. Line managers need to be taught how to support the safe and discourage the unsafe behavior of employees, how to motivate people, how to talk about cybersecurity with employees and with peers, and so on,” Borilin explains.
“The ideal result of the implementation of our products and of the security awareness program based on them is to make sure that people with different roles have the needed set of skills and to use them to increase the organization’s cyber safety culture.”
Creating the games and trainings
Borilin came to Kaspersky Lab after a few years of working at online gaming companies and on developing business trainings. His background is in computer science and software development, but his job at Kaspersky is his first time working in the cybersecurity arena.
I’ve already mentioned that he is one of the creators of the KIPS game. Of course, other people were involved, too.
“We started with a very small research team, then had more and more people participate in making scenarios, making and adding the various new levels of trainings. Today we have a formal team of five people at Kaspersky Lab who are responsible for the security awareness program, some 120 people (or so) involved in running and supporting these trainings, and several hundred people who evangelize the approach in the world,” he says.
The challenges tied to creating these products were many.
The first step in every training design is understanding why people behave as they do (make mistakes) and what needs to be done for them to make better security decisions. For the KIPS game, for example, they sat down with cybersecurity experts from different industries and asked them about the current threats, trends, attacks and typical mistakes, as well as the “ideal” defence strategy for dealing with those attacks.
Once the goal for the training was set, they worked on making the game not too easy and not too difficult, so that players cannot pass the training in a single round, but are ultimately able to “win.”
“During the training, people must have several opportunities to make mistakes, try out different actions, and elaborate a successful solution before the training ends. This is the implementation of the principle that people want and need to make mistakes so that they can learn from them. They want to try again, to see the progress, to succeed, and they need to feel that success. If people fail time and time again, they will give up, and that’s definitely not the effect we are after,” Borilin notes.
It’s also important that it is not very clear from the beginning what the winning strategy is. Again, this is so that people can make mistakes and learn from them.
“Sometimes we even help people to make mistakes by misleading them a bit. We want them to understand that they made a mistake, we want them to find the other way – they will learn better by doing and not by listening to someone drone on about security.”
Example scenario
The scenarios are based on attacks that have already happened. They are occasionally oversimplified, as a few hours of training cannot cover all the complexity of a real-life scenario. On the other hand, they sometimes develop scenarios that see multiple attacks happening at the same time.
“Some of these scenarios present a situation that is more difficult than one that the players would likely face in real life. But we have enough examples, especially from the finance industry, when the same company is suffering from multiple attacks at the same time,” he says.
It’s probably not the most typical case, he admits, but it happens, and such a scenario is great for training. “It’s better to fail in the simulated environment than face the same attacks in real life and be unprepared for them,” he points out.
The last step in creating a scenario is “game balancing,” which involves making the scenario accurate, sustainable and nicely designed, and finally making the artefacts needed for the game (cards, game field, etc.).
Some parts of their security awareness offerings were created and/or are offered by partners. For example, anti-phishing training modules are by Wombat Security, and the CyberSafety culture assessment before the trainings has been left to professionals from SHL/CEB.
Kaspersky Lab itself rarely plays the role of a formal consultant when it comes to cyber safety awareness programs or cyber safety culture. The company offers the tools – the trainings and games – that would be hard for enterprises to create themselves, and a network of partners sells them AND tailors, customises and manages those programs for the customers.
Building a cyber safety culture within an enterprise is a very complicated task, says Borilin.
“It’s more than just learning the technical skills: people have to use what they learn, talk to each other about cybersecurity, and everybody needs to be part of the security culture change. It’s a very long process, and requires a long-term effort. We develop the building blocks for a security awareness program but, at the end of the day, the main job of building security culture is definitively on the customers’ human resources and security departments,” he concluded.
Personally, I can’t offer my own experience regarding other cyber safety awareness trainings, but can confirm that just one KIPS bout taught me lessons that stuck with me and came in handy when I played again (through a different scenario) a month later. And that second bout came with additional insights, as well.
A well thought-out and fun game, I discovered, could definitely be a fantastic shortcut to both knowledge and self-knowledge.