Article written by Florian Pouchet: Senior Manager and Head of Cybersecurity and Operational Resilience for Wavestone UK with 15 years of experience in cybersecurity management consulting. Florian is responsible for building and leading teams to deliver high quality advisory services and growing Wavestone’s business in the cybersecurity and operational resilience space. He has provided oversight on a number of engagements including cybersecurity remediation programmes, IAM strategy and global deployment, crisis management exercises and security assurance in agile development processes.
Users play a massive role in detecting cybersecurity threats and attacks. Our CERT’s 2021 incidents report showed that more than half of major cyber incidents had been picked up by users before security solutions and monitoring were triggered.
As a consulting firm that helps our clients make their most strategic decisions, Wavestone wants to empower users to identify suspicious activity. In such time-sensitive events, every minute matters: ransomware could encrypt most of your data/IT in less than an hour! So, how do we make sure users have the skills and practice to handle a cybersecurity crisis? One solution might surprise you: gaming.
Why do we need to be trained?
When an incident escalates into a crisis, we need both the skills and practice to handle it. I don’t know about you, but I prefer to live most of my life out of crisis mode. Without regular training, I wouldn’t have the right reflexes and reactions to make the right decisions and make my organisation more resilient.
Also, the pandemic weakened our cyber “herd immunity”. As we are going back to the office or working flexibly, we are by ourselves more than before. It offers more time to focus, but we lose the benefit of learning from others around us. Being fragmented like this weakens our ability to react and respond effectively as a group and help each other, with regard to cyber incidents and crisis response.
But the standard for mandatory training, due to regulations, is sadly a dull, online tick box exercise that you just want to get done and forget the moment you finish…
What if we could learn and enjoy it at the same time?
Level up your training
What about games makes them a great tool to train?
- The novelty: It’s human nature to be excited by something new. That peak of interest (and spike of dopamine) increases focus, which is perfect for absorbing and learning new things.
- The competition and challenge: The gamified setting creates a fun experience and a memorable journey. In turn, these memories are anchor points for lessons learnt and will stick around after the course. Those “oh yes, I really shouldn’t use my children’s names as passwords, that’s how my colleague got hacked” moments.
- The reward: Whether it’s just bragging rights or a more material reward, it gives a sense of achievement and incentivizes players to commit to the game.
- In certain settings, games can help break diversity barriers: anyone could be behind an avatar. There’s no discrimination against your gender, ethnicity, etc. You are just another player.
The gamification trend we saw a decade ago was largely about adding a scoring system or leaderboard to any activity. This was a good start, but I believe it is time for the next level of training, and by that, I mean creating an immersive experience.
Wavestone has been running cyber escape games for a couple of years, with more enthusiasm from participants each year. With a set of accessories and devices, we turn a simple office room into an escape game. One scenario puts the players in the shoes of attackers: ill-intended fraudsters posing as a startup seeking investment.
They are left unattended in the office before a presentation with the investors and told: “You have 20 minutes to leverage the environment, gain access to the laptops in the room and commit a fraud”. There are even fake social media accounts that players can access through their phones. This really increases the immersion! By seeing an attack from the other perspective, players better understand how their actions and systems could be leveraged against them, helping to build “reflexes” to avoid such a scenario.
In another context, we have been working with the Imperial College London / Business School Executive Education programme to teach security in agile software development. We used typical creative thinking workshop materials but went a step further by delivering the activities in the format of a popular TV show. This familiar format eases the learning curve for players and adds excitement and competition to the mix.
Lastly, we run super-realistic crisis exercises, where we leverage our incident response experience to present life-like scenarios. The greater degree of immersion helps teams appreciate the challenges of a real crisis. For instance, having technical details about systems affected by a cyber-attack speaks to IT teams, but may be a challenge for board level executives. In such a scenario, board executives would have to have a conversation with IT teams in order to translate technical details into business impacts, before being able to take a decision. These are “realistic role-playing games”, where players play their own job in the story.
Not just training
The utility of games extends well beyond training and cybersecurity.
- Collaboration: WorkAdventure is a conference tool that uses a gamified interface, with a pixelated visual style that resembles games from the 1990s. It emulates a location and you are represented by an avatar. You can move around freely in that location, and when you get close to a group of people, it automatically adds you to a video conference call to talk with that “circle”. A colleague rebuilt one of our office floors, and with this we could virtually wander around the office and replicate our habits of “going to join that conversation/group of people” to talk during lockdown.
- Recruitment: Wave Game is an event we run every year to attract passionate cyber talent, by creating a competition between major French universities. Participating students, in teams, are presented with various challenges requiring technical and analytical skills, all wrapped up in a story inspired by the work we do with our clients. They have fun solving these challenges, and it serves as a first step of the recruitment process if they wish to apply.
- Science: Fold.it is a puzzle game that leverages players’ solutions to drive research in the field of protein structure prediction. Similarly, in 2020 EVE Online added a mini-game which advanced COVID-19 vaccine research!
Now it’s your turn. Can you think of an essential but dull activity? Why not add gaming elements, and see the benefits of improved engagement yourself?
Wavestone is a global transformation consultancy, focused on delivering business improvement and transformation. Our mission is to work in partnership with technology and business leaders to design and deliver successful change, innovation, cyber security, and operational resilience. We deliver our most critical transformations on the basis of a single, central, conviction that a shared sense of enthusiasm is at the core of successful change. That’s what we call “The Positive Way”. We bring together more than 3,600 employees across 8 countries, amongst the leading independent firms in consulting in Europe, and the n°1 independent consulting firm in France. Wavestone is one of Imperial College London’s industry partners in the ISST Innovation Ecosystem.