Gamification of Security: Making Security a Game. Spencer Wilcox, CISSP, CPP, SSCP @brasscount. Find this presentation at: Securiplay.com

Posted on 24-Feb-2016

TRANSCRIPT

Slide 1

Gamification of Security: Making Security a Game.

Spencer Wilcox, CISSP, CPP, SSCP
@brasscount
Find this presentation at: Securiplay.com

Abstract
There seem to be two requirements implicit in security. First, stop the bad guys from doing bad things to us, and second, limit the exposure to loss so the company can make money. Is your management playing the same game? Check-the-box security is regularly dismissed by security professionals as mere compliance, and a waste of highly trained staff. Instead of making security compliance the worst part of a security job, why not make it a game? Can we pay a receptionist to play a game to monitor logs between phone calls while helping to secure our networks?

Disclaimer
I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own; any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided.

So what is Gamification?

Michael Wu: Gamification is the use of game-like mechanics to drive game-like engagement and actions.

Wikipedia: Gamification is the use of game thinking and game mechanics to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning.

Dictionary.com: No results found, do you mean Gasification?

What Gamification is not:
Game Theory (A Beautiful Mind; a problem-solving approach to model complex problems)
Video Games
Role Playing Games
Strategy Games
Train Games
Board (Bored) Games

The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called?
a. Keystroke capturing
b. Access validation testing
c. Brute force testing
d. Accountability testing

SURVEY SAYS? c. Brute force testing

What is Gamification: Using Game Mechanics
Fogg's Behavior Model (BJ Fogg, Stanford University)

Motivation (WANT)
Sensation (Pleasure, Pain)
Anticipation (Hope, Fear)
Social Cohesion (Rejection, Acceptance)

Ability
By focusing on the simplicity of the target behavior, you increase ability.

Trigger
Getting someone to act at the right time, when both motivation and ability are at their peak.

For more on this, search for Michael Wu: The Science of Gamification (fora.tv).

An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
a. Discretionary access
b. Least privilege
c. Mandatory access
d. Separation of duties

SURVEY SAYS? b. Least privilege

So how does this apply to me?
Gamification has three direct applications to security:
Gamification to increase employee engagement and employee retention.
Gamification to increase employee productivity, by simplifying work and by increasing motivation.
Gamification to increase executive buy-in.

Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network utilizing system resources?
a. Logic bomb
b. Virus
c. Worm
d. Trojan horse

SURVEY SAYS? c. Worm

Increase Employee Engagement
Gamify the work experience: immediate gratification; achievements for completions; achievements for certs, degrees, promotions, years of experience, etc.
Gamify the bug hunt: a note for finding the bug, a badge (and spot bonus) for following it through the GRC.
Gamify secure coding: if your code makes it through code review with no bugs, WIN FABULOUS PRIZES!
Gamify incident detection: APT detection (much like the bug hunt).
Help solve the "Never a Prophet in Your Own Land" syndrome.

Pro-Tip: Create a team intranet site, and DISPLAY your employees' earned badges. Make it the Security LEADER board.

All Your Base?
a. Are Hidden On Dantooine.
b. Are Belong To The Kilrathi.
c. Are Belong To Us.
d. Are being closed in BRAC.

SURVEY SAYS?

Increase Employee Productivity
Let's build a game. It needs to:
Engage your employees.
Solve a problem.
Be simple enough to understand, motivating enough to challenge.

Candy Crush

A real-world problem: log monitoring. Receptionists with free time. A match made in gamification heaven.

Did you play Galaga to earn the high score, to knock off the guy in number 1, to hang at the arcade with your buddies, or to see the mothership?

Richard Bartle, PhD, notes that there are four player personality types:
Achievers
Killers
Socializers
Explorers

Why are unique user IDs critical in the review of audit trails?
a. They show which files were altered.
b. They establish individual accountability.
c. They cannot be easily altered.
d. They trigger corrective controls.

SURVEY SAYS? b. They establish individual accountability.

Gamify Your Management
Return on investment is important. What are the tangible and intangible returns?
Financial ROI is virtually incalculable in a large company.
Intangible ROI may be a better return.
What experience can security provide your executives and your board?
Earn the "Briefing at Cheyenne Mountain" badge
Earn the "Secret Clearance" badge
Earn the "Best Security Program in Class" badge
Earn the "Q Works for Me" badge
Earn the "Not FUD But Science" badge
Earn the "We PROTECT our Customers / Infrastructure / Nation" badge

What principle recommends the division of responsibilities so that one person cannot commit an undetected fraud?
a. Separation of duties
b. Mutual exclusion
c. Need to know
d. Least privilege

SURVEY SAYS? a. Separation of duties

Bibliography
See securiplay.com. A formal bibliography is forthcoming.