
Gamification of Security:
Making Security a Game.
Spencer Wilcox, CISSP, CPP, SSCP
@brasscount
Find this presentation at: Securiplay.com
ABSTRACT
There seem to be two requirements implicit in security. First, stop the bad guys from doing bad things to us, and second, limit the exposure to loss so the company can make money. Is your management playing the same game?
Check-the-box security is regularly dismissed by security professionals as mere compliance and a waste of highly trained staff. Instead of making security compliance the worst part of a security job, why not make it a game?
Can we pay a receptionist to play a game that monitors logs between phone calls, helping to secure our networks?
DISCLAIMER
I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own; any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided.
So what is Gamification?
• Michael Wu –
– Gamification is the use of game-like mechanics to drive
game-like engagement and actions.
• Wikipedia –
– Gamification is the use of game thinking and game
mechanics to engage users in solving problems.
Gamification is used in applications and processes to
improve user engagement, return on investment, data
quality, timeliness, and learning.
• Dictionary.com
– No results found, do you mean Gasification?
What is Gamification
• What Gamification is not:
– Game Theory
• A Beautiful Mind
• Problem-solving approach to model complex problems
– Video Games
– Role Playing Games
– Strategy Games
– Train Games
– Board (Bored) Games
SURVEY SAYS?
THE TYPE OF PENETRATION TESTING USED TO DISCOVER WHETHER NUMEROUS USERCODE/PASSWORD COMBINATIONS CAN BE ATTEMPTED WITHOUT DETECTION IS CALLED?
a. Keystroke capturing
b. Access validation testing
c. Brute force testing
d. Accountability testing
Answer: c. Brute force testing
What is Gamification
• Using Game Mechanics –
• Fogg’s Behavior Model (BJ Fogg, Stanford University)
• Motivation – WANT
– Sensation (Pleasure, Pain)
– Anticipation (Hope, Fear)
– Social Cohesion (Rejection, Acceptance)
• Ability
– “By focusing on simplicity of the target behavior you increase Ability.”
• Trigger
– Getting someone to act at the right time, when both motivation and ability are at their peak.
For more on this, search for Michael Wu: The Science of Gamification (fora.tv)
SURVEY SAYS?
AN ACCESS SYSTEM THAT GRANTS USERS ONLY THOSE RIGHTS NECESSARY FOR THEM TO PERFORM THEIR WORK IS OPERATING ON WHICH SECURITY PRINCIPLE?
a. Discretionary access
b. Least privilege
c. Mandatory access
d. Separation of duties
Answer: b. Least privilege
So how does this apply to me?
• Gamification has three direct applications to security
– Gamification to increase employee engagement and
employee retention
– Gamification to increase employee productivity, by
simplifying work, and by increasing motivation.
– Gamification to increase executive buy-in.
SURVEY SAYS?
WHICH OF THE FOLLOWING IS A MALICIOUS PROGRAM, THE PURPOSE OF WHICH IS TO REPRODUCE ITSELF THROUGHOUT THE NETWORK UTILIZING SYSTEM RESOURCES?
a. Logic bomb
b. Virus
c. Worm
d. Trojan horse
Answer: c. Worm
Increase Employee Engagement
• Gamify the work experience
– Immediate gratification
– Achievements for completions
– Achievements for certs, degrees, promotions, years of experience, etc.
• Gamify the Bug Hunt
– A note for finding the bug, a badge (and spot bonus) for following it through the GRC process
• Gamify Secure Coding
– If your code makes it through code review with no bugs, WIN FABULOUS PRIZES!
• Gamify Incident Detection
– APT detection (much like the bug hunt)
Pro-Tip
Help solve the “Never a Prophet in Your Own Land” syndrome. Create a team intranet site, and DISPLAY your employees’ earned badges. Make it the Security LEADER board.
SURVEY SAYS?
ALL YOUR BASE?
a. Are Hidden On Dantooine.
b. Are Belong To The Kilrathi.
c. Are Belong To Us.
d. Are being closed in BRAC.
Increase Employee Productivity
• Let’s build a game:
– It needs to engage your employees.
– It needs to solve a problem.
– It needs to be simple enough to understand, motivating enough to challenge.
• Candy Crush
• A real-world problem:
– Log monitoring
– Receptionists with free time
– A match made in gamification heaven.
Did you play Galaga to “Earn the High Score,” to “Knock off the guy in number 1,” to “Hang at the arcade with your buddies,” or to “See the Mothership?”
Richard Bartle, PhD, notes that there are four player personality types:
• Achievers
• Killers
• Socializers
• Explorers
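An added sketch of what the receptionist's log-monitoring game could look like (example code, not from the presentation or securiplay.com): a round presents auth log lines, the player flags source addresses that look like brute-force attempts, and scoring gives immediate feedback plus badges for the leader board. The log lines, the failure threshold, the point values and the badge names are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample auth log (not real data): 10.0.0.7 and 203.0.113.5 show
# repeated failures, 10.0.0.9 is one typo followed by a successful login.
SAMPLE_LOG = """\
Jan 10 09:01:02 gw sshd[412]: Failed password for bob from 10.0.0.7 port 5001
Jan 10 09:01:03 gw sshd[412]: Failed password for bob from 10.0.0.7 port 5002
Jan 10 09:01:04 gw sshd[412]: Failed password for root from 10.0.0.7 port 5003
Jan 10 09:01:05 gw sshd[412]: Failed password for admin from 10.0.0.7 port 5004
Jan 10 09:02:10 gw sshd[413]: Failed password for alice from 10.0.0.9 port 5100
Jan 10 09:02:15 gw sshd[413]: Accepted password for alice from 10.0.0.9 port 5100
Jan 10 09:03:00 gw sshd[414]: Failed password for guest from 203.0.113.5 port 6001
Jan 10 09:03:01 gw sshd[414]: Failed password for guest from 203.0.113.5 port 6002
Jan 10 09:03:02 gw sshd[414]: Failed password for test from 203.0.113.5 port 6003
"""

FAILED = re.compile(r"Failed password for (\S+) from (\S+)")

def answer_key(lines, threshold=3):
    """Ground truth for a round: sources with >= threshold failed logins."""
    fails = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            fails[m.group(2)] += 1
    return {src for src, n in fails.items() if n >= threshold}

def score_round(lines, flagged, threshold=3):
    """Score one player's flags: points per correct catch, a penalty for false
    alarms so 'flag everything' cannot win, and badges (assumed names) for
    immediate gratification and the achiever player type."""
    truth = answer_key(lines, threshold)
    hits, misses, false_alarms = flagged & truth, truth - flagged, flagged - truth
    points = 10 * len(hits) - 5 * len(false_alarms)
    badges = []
    if hits:
        badges.append("Brute Force Spotter")
    if truth and not misses and not false_alarms:
        badges.append("Clean Sweep")
    return {"points": points, "hits": sorted(hits), "misses": sorted(misses),
            "false_alarms": sorted(false_alarms), "badges": badges}

def leaderboard(results):
    """Rank players by total points for the team intranet leader board."""
    return sorted(((name, r["points"]) for name, r in results.items()),
                  key=lambda t: (-t[1], t[0]))
```

Feeding real log batches in would require a sanitised export (no credentials in the lines shown) and an answer key produced by the security team, not by the player.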
SURVEY SAYS?
WHY ARE UNIQUE USER IDS CRITICAL IN THE REVIEW OF AUDIT TRAILS?
a. They show which files were altered.
b. They establish individual accountability.
c. They cannot be easily altered.
d. They trigger corrective controls.
Answer: b. They establish individual accountability.
Gamify Your Management
• Return on Investment is important.
– What are the tangible and intangible returns?
– Financial ROI is virtually incalculable in a large company.
– Intangible ROI may be a better return.
• What experience can security provide your executives and your board?
– Earn the “Briefing at Cheyenne Mountain” Badge
– Earn the “Secret Clearance” Badge
– Earn the “Best Security Program in Class” Badge
– Earn the “Q works for me” Badge
– Earn the “Not FUD But Science” Badge
– Earn the “We PROTECT our Customers / Infrastructure / Nation” Badge
SURVEY SAYS?
WHAT PRINCIPLE RECOMMENDS THE DIVISION OF RESPONSIBILITIES SO THAT ONE PERSON CANNOT COMMIT AN UNDETECTED FRAUD?
a. Separation of duties
b. Mutual exclusion
c. Need to know
d. Least privilege
Answer: a. Separation of duties
Bibliography
• See securiplay.com
• A formal bibliography is forthcoming.