Cyber Security Awareness ViaGamification: Lessons From Decisions& Disruptions

Benjamin ShreeveUniversity of Bristol, UKben.shreeve@bristol.ac.uk

Joseph HallettUniversity of Bristol, UKjoseph.hallett@bristol.ac.uk

Richard AtkinsMetropolitan Police Servicerichard.M.Atkins@met.police.uk

Awais RashidUniversity of Bristol, UKawais.rashid@bristol.ac.uk

Copyright is held by the author/owner. Permission to make digital or hard copies of allor part of this work for personal or classroom use is granted without fee. Posterpresented at the 15th Symposium on Usable Privacy and Security (SOUPS 2019).

AbstractGames are a powerful and usable tool to help raise aware-ness of cyber security. We report on lessons learned fromdeveloping Decisions & Disruptions: a game developedas a research tool, but which has gone on to have multipleversions, and be used by a UK national public organisationas a tool to raise awareness of cyber security nationwide.To date Decisions & Disruptions has been played by morethan 2,000 participants, and with more than 200 differentorganisations. We report on the challenges we faced andthe lessons we learned developing and updating differentversions of the game; and some of the security perceptionsusers have when playing.

Author Keywordsgames; education; lessons learned

ACM Classification KeywordsJ.4 [Computer Applications]: Social and Behavioural Sci-ences; K.3.m [Computers and Education]: Miscellaneous;K.6.1 [Computers and Education]: Training; D.4.6 [Operat-ing Systems (C)]: Security and Protection

IntroductionDecisions & Disruptions (D-D) is a game designed to ex-plore people’s perception of security and their security de-cision decision making processes. The game started as a

research tool but has evolved into something run through-out the UK by a national public organisation responsible forcyber security awareness, and played with thousands ofpeople and hundreds of companies.

Investments available

Cyber Security BasicsPlant Firewall $30,000Office Firewall $30,000Antivirus $30,000Security Training $30,000

Advanced Cyber SecurityPlant Network Monitoring$50,000Office Network Monitoring$50,000

Physical SecurityPlant CCTV $50,000Office CCTV $50,000

Intelligence GatheringThreat Assessment $20,000Asset Audit $30,000

Cards unlocked by AssetAuditPC Upgrade $30,000Server Upgrade $30,000Controller Upgrade $30,000Database Encryption$20,000PC Encryption $20,000

Playing the game with a large number of people has re-enforced the need to raise public and corporate awarenessof cyber security as current security perspectives can bewrong, dangerous or misleading. Some players believe thatgood security will increase the likelihood of an attack:

A: “. . . let’s say you’ve got 10 companies andone’s got a firewall, you’ve gotta find whichfirewall it is, particularly a good firewall, thenthat’s the company they’re gonna target. . . ”

B: “There could be something good in there.”

Others suggest that security has become routine with de-fenses being deployed by people without understandingtheir context:

“It does feel that you’d need firewalls becausewe always have firewalls.”

Many cyber security games have been developed to helpimprove peoples’ security awareness [2, 5, 4, 7, 3, 1, 6]. Inthis poster we reflect on some of the lessons we’ve learntwhile developing D-D, and how we can educate users aboutsecurity through games more effectively.

D-D for ResearchD-D was originally developed by Frey et al. [3] to explorecyber security decision making amongst different demo-graphic subgroups such as computer scientists, cyber secu-rity experts and managers within Academia and Industry.

Plant Office

InternetPCs DatabasePlant LAN

River Turbines ICS Router

PCs

Database Server

Office LAN

Figure 1: Starting layout for D-D (without any cyber security inplace)

During the game, D-D challenges participants to work to-gether as security advisors for a fictional hydro-electricalcompany. The company operates on two separate sites:A plant site where the company generates electricity, andan office which is located elsewhere. Teams are presentedwith a physical representation of the organisation and itsinfrastructure in built in LEGO® (see Figure 1).

Teams are told that this hydro-electric company currentlyhas no cyber security specific defences in place and thatthey have been asked to help them identify which defencesthey should invest in and in what order. Teams then haveto identify investments from a range available (see side-bar) over four rounds. They are given a budget of $100,000(game $) to spend in each round (they are allowed to rollover any unspent money between rounds). At the end ofeach round teams are told about attacks that the organi-sation has suffered as a result of their investments. Thereare 30 attacks varying from low-level attacks through to thedestruction of the plant. Attackers include Script Kiddies,Organised Crime Groups and Nation States.

This first version of D-D was used to gather research datafor Frey et al.’s paper [3] with 43 participants, along withdata from a further 137 participants in other sessions. Feed-back from these sessions suggested two key changes bemade to improve D-D:

Example Investment Cards

FIREWALL(office)

Firewall (office) : 30kA software and hardware solution

that monitors and filters unauthorised traffic coming from the Internet to the office network

ASSETAUDIT

Asset Audit : 30kThe entire infrastructure

is thoroughly assessed for

vulnerabilities

Don’t be subtle. Attacks suffered needed to be more ex-treme. Inexperienced participants had a tendencyto overlook the potential consequences of the moresubtle attacks in the original version. More acute at-tacks were necessary for teams to appreciate theconsequences of their choices. Take-away: Makethe players understand that their decisions have con-sequences, otherwise they won’t learn the lessonsyou’re trying to teach.

Hit them where it hurts. Financial implications wereneeded. Organisations consistently asked whatthe potential financial consequences of attacks anddecisions might be. Take-away: Consequenceshave to be delivered to the players in a format theyunderstand—if they don’t understand how bad anattack is, they won’t learn why they should care.

D-D for BusinessThe second iteration of D-D was developed in conjunctionwith the national public organisation which specialised inraising cyber security awareness and sought to addressthese shortcomings. The adaptation of D-D retains many ofthe core aspects of the original game. Teams are still work-ing to help improve things for a hydro-electric organisationwhich has the same infrastructure. Teams also have thesame $100,000 budget to spend across four rounds and onthe same potential investments. However, teams encountera different set of attacks in response to their investments,

these attacks tend to have more tangible consequences.Many of these attacks detail the amount which a team maylose as a result of the attack. These losses are used asan additional game mechanism when playing with multi-ple teams simultaneously; each team adds up their totallosses from attacks and the team which loses the least isconsidered the winner.

Everyone has a favourite. While playing the game wenoticed that some participants were more interestedin the business aspects of the game and disengagedwith more technical parts, and that for other playersthe opposite was true. Take-away: Not everyonecares about the same thing. If you make your gametoo focused on one thing you risk disengaging thoseinterested in other aspects.

Everyone has an angle. When playing the game we foundthat teams with differing levels of seniority and ex-perience gained the most. Contrasting perspectiveshelped everyone learn from each other and identifynew security angles. Take-away: It is important thateveryone in an organisation gets a chance to play—not just the technical teams and new recruits. Mix itup!

Hit me baby one more time! Having played the gameonce players would wonder what would have hap-pened if they did things differently. D-D has a rela-tively static script and no randomised elements: play-ers didn’t get as much out of a second playthroughas they’d have hoped. Take-away: Cyber securityawareness cannot be developed through a single playthrough, therefore the game needs to be developedso that participants are able to play it through multipletimes, encountering different scenarios each time.

People have jobs to do. Developing a game which willbe used by organisations means working within theirconstraints. For the most part this means develop-ing a game that can be played over a short period.When D-D was played for research, games could lastfor up to 2 hours, but once we started to play it withorganisations this dropped to 1 hour in most cases.This is a reflection of the time constraints placed byorganisations on training time.

D-D for GDPRIn 2016 the General Data Protection Regulation (GDPR)came into effect in Europe. This legislation created newrules for how companies had to manage and protect thedata of European citizens—and introduced heavy fines forany company that failed to protect the data.

You have to stay relevant. As GDPR came into force wenoticed that players would ask what it might meanfor them in terms of penalties and consequencesthey may suffer. D-D was originally developed beforethe introduction of the GDPR, but in order to stayrelevant, we updated seven in game events. Theseincluded penalising teams which failed to protectsensitive customer data, and ensuring that teamswere told when prior investments protected themfrom breaches which would otherwise have beenof interest to the Information Commissioners Office(legislative enforcer). Take-away: People are awareof big changes in the operating landscape—you needto respond to these otherwise you risk becomingirrelevant.

Initial findingsParticipants demonstrated a number of common cybersecurity awareness characteristics, we summarise below.

The Windows 95 Effect. Teams believe Firewalls andAntivirus to be key to cyber security, but they rarelyexplain why. We would posit that this is becauseFirewalls and Antivirus have been the core basis of‘security’ on PCs for the last 30 years.

The Mr Robot Effect. Teams place a far greater emphasison investing in new defences against uncertain (andinherently unknowable) threat actors rather than in-vesting in upgrades for known existing vulnerabilities.

The Butterfly Effect. Teams often consider what knock-oneffect their decisions might have. This appears to beparticularly common where teams lack the technicalexperience in order to make as informed a choice aspossible.

ConclusionD-D was established as a research tool but has since beendeveloped into a dedicated tool for raising cyber securityawareness in organisations. This second iteration devel-oped by a national public organisation in the UK has nowbeen extensively used. The data gathered to date hasstarted to provide some insight into cyber security aware-ness. Furthermore, our experience running D-D enablesus to provide some insight for those looking to developawareness games in the future. Future work will look atwhy people play the way they do and continue to evolve thegame to help educate people about cyber security decisionmaking.

REFERENCES1. Kevin Bock, George Hughey, and Dave Levin. 2018.

King of the Hill: A Novel Cybersecurity Competition forTeaching Penetration Testing. In 2018 USENIXWorkshop on Advances in Security Education (ASE18). USENIX Association, Baltimore, MD, 9.https://www.usenix.org/conference/ase18/presentation/bock

2. Tamara Denning, Adam Lerner, Adam Shostack, andTadayoshi Kohno. 2013. Control-Alt-Hack: The Designand Evaluation of a Card Game for Computer SecurityAwareness and Education. In Proceedings of the 2013ACM SIGSAC Conference on Computer &Communications Security (CCS ’13). ACM, New York,NY, USA, 915–928. DOI:http://dx.doi.org/10.1145/2508859.2516753

3. Sylvain Frey, Awais Rashid, Pauline Anthonysamy,Maria Pinto-Albuquerque, and Syed Asad Naqvi. 2017.The Good, the Bad and the Ugly: A Study of SecurityDecisions in a Cyber-Physical Systems Game. IEEETransactions on Software Engineering (2017), 16. DOI:http://dx.doi.org/10.1109/TSE.2017.2782813

4. Mark Gondree and Zachary NJ Peterson. 2013.Valuing security by getting [d0x3d!]: Experiences with anetwork security board game. In Presented as part ofthe 6th Workshop on Cyber Security Experimentationand Test. USENIX, Washington, DC, USA, 8.

5. Mark Gondree, Zachary NJ Peterson, and TamaraDenning. 2013. Security through play. IEEE SecurityPrivacy 11, 3 (May 2013), 64–67. DOI:http://dx.doi.org/10.1109/MSP.2013.69

6. John R. Morelock and Zachary Peterson. 2018.Authenticity, Ethicality, and Motivation: A FormalEvaluation of a 10-week Computer Security AlternateReality Game for CS Undergraduates. In 2018 USENIXWorkshop on Advances in Security Education (ASE18). USENIX Association, Baltimore, MD, 11.https://www.usenix.org/conference/ase18/presentation/morelock

7. Jan Vykopal and Miloš Barták. 2016. On the design ofsecurity games: From frustrating to engaging learning.In 2016 USENIX Workshop on Advances in SecurityEducation (ASE 16). USENIX Association, Austin, TX.