Using Gamification to Improve the Security Awareness of Users: The Security Awareness Escape Room

Author: Eszter Diána Oroszi, CISA, CRISC, CISM, ISO 27001 LA
Date Published: 29 July 2020

It is vital that organizations take action to improve security awareness. Threat reports increasingly acknowledge and predict attacks that exploit the human factor (e.g., ransomware, fake news). Employees pose a high-level risk at every enterprise because, as is generally known, they are the weakest link in the chain of information security.[1] Mitigating this risk is not easy, because technological solutions do not provide complete protection against these types of attacks.[2] The only effective countermeasure is improving employees’ security awareness levels and sustaining their knowledge in this area.

Information security officers have many options for accomplishing this, such as providing security awareness training and running weekly, monthly or annual security awareness campaigns. But traditional awareness programs, which commonly use posters or comics about information security rules, screensavers containing keywords and important messages, mugs or t-shirts with information security logos, or passive games such as memory cards about information security knowledge, are boring and not very effective.[3] Based on feedback from users, people quickly forget what they are taught during training, and some participants complain that they receive mainly unnecessary information or common-sense instructions such as “lock your computer,” “use secure passwords” and “use the paper shredder.” This type of training does not answer users’ main questions: Why should they be security aware? What could happen if they do not follow the rules? What are the relevant threats? In addition, it has been shown that training is more effective when the presentation includes real-life examples or when trainers introduce elements such as gamification, which “is the use of game elements and game thinking in non-game environments to increase target behaviour and engagement.”[4]

Gamification has been used by organizations to enhance customer engagement—for example, through the use of applications, people can earn points and reach different game levels by buying certain products or participating in an enterprise’s gamified programs. But today, elements of gamification can be found in the workplace, too. Gamification can be used to improve human resources functions (e.g., hiring employees, onboarding) and to motivate customer service representatives or workers at call centers or similar departments to increase their productivity and engagement. In addition to enhancing employee motivation and engagement, gamification can be used to optimize work flows and processes, to attract new professionals, and for educational purposes.[5]

In the case of education and training, gamified applications and elements can be used to improve security awareness. In information security, for example, an enterprise can implement a bug-bounty program, whereby employees (ethical hackers, researchers) earn bounties for finding and reporting bugs in the enterprise’s systems. Security awareness campaigns also use e-learning modules and gamified applications for educational purposes. These new methods work because people like competition and real-time feedback on their decisions; employees know that they can influence the results, and they can test the consequences of their decisions. Most important, gamification makes the topic (in this case, security awareness) fun for participants. With a successful gamification program, the lessons learned through these games become part of employees’ habits and behaviors.

Gamified elements often include the following:[6]

  • Badges
  • Leaderboards
  • Points or scores
  • Levels
  • Challenges

In general, employees earn points via gamified applications or internal sites. For example, at one enterprise, employees accumulate points to raise their security awareness level from apprentice (the basic level) to grand master (the so-called innovators). Points can be earned for reporting suspicious emails, identifying badge surfing and the like, and actions and results can be shared on the enterprise’s internal social media sites.[7]

Another interesting example is the “Game of Threats” program developed by PricewaterhouseCoopers. It is a critical decision-making game that helps executives test their information security knowledge and improve their cyberdefense skills. This game simulates “the speed and complexity of a real-world cyberbreach to help executives better understand the steps they can take to protect their companies. The game environment creates a realistic experience where both sides—the company and the attacker—are required to make quick, high-impact decisions with minimal information.”[8]

Gamified training is usually delivered through applications or mobile or online games, but this is not the only way to do it. The following is a gamification method that can be used in an office environment, allowing employees to test their security awareness knowledge “physically,” too.

Information Security Escape Room: A Gamification Case Study

The information security escape room is a new element of security awareness campaigns. It is a game that requires teamwork, and its aim is to mitigate risk based on human factors by highlighting general user deficiencies and bad habits in information security (e.g., simple or written-down passwords, keys in the pencil box). It answers why it is important to know and adhere to the security rules, and it illustrates how easy it is to fall victim to human-based attacks if users are not security conscious. It uses gamification and the methodology of experiential learning to improve the security awareness levels of participants by pointing out common mistakes and unsafe habits, their possible consequences, and the advantages of security awareness.

The idea for security awareness escape rooms came from traditional escape rooms, which are very popular around the world, and from the growing interest in using gamification in employee training. In 2014, an escape room was designed around information security knowledge elements only, instead of the logic puzzles and skill-based exercises typical of escape rooms (e.g., target shooting or fishing a key out of an aquarium), in order to show the importance of security awareness.

The major differences between traditional escape rooms and information security escape rooms are identified in figure 1. The most significant difference is the scenario, or story. In a traditional exit game, players are trapped in the room of a character (e.g., pirate, scientist, killer), but in a security awareness game, the escape room is the office of a fictional assistant, boss, project manager, system administrator or other employee who could be the target of an attack.[9]

Figure 1 (image not included): major differences between traditional escape rooms and information security escape rooms

Another important difference is that, in a security awareness escape room, players are not locked in the room and the goal is not finding the key to the door. To “escape” the room, players must log in to the computer of the target person and open a specific file. If they can open and read the file, they have won and the game ends. This leads to another important difference: computer usage, which is not usually a factor in a traditional exit game. Based on the storyline, players can be either attackers or helpful colleagues of the target. The security areas covered during a game can be based on the following:

  • Physical security, badge, proximity card and key usage (e.g., the key to the container is hidden in a flowerpot)
  • Clean desk and clean screen policy
  • Secure physical usage of mobile devices (e.g., notebook without a Kensington lock, unsecured flash drives in the user’s bag)
  • Secure passwords and personal identification number (PIN) codes (e.g., smartphone code consisting of year of birth, passwords or conventions written down in notes or files)
  • Shared sensitive or personal information in social media (which could help players guess passwords)
  • Encrypted devices and encryption methods (e.g., how the solution supported by the enterprise works)
  • Secure shredding of documents (office bins could contain sensitive information)

An advanced version of an information security escape room could include typical attacks, such as opening phishing emails, clicking on malicious files or connecting infected pen drives, each of which results in a time penalty.

A traditional exit game with two to six players can usually be solved in 60 minutes. In a security awareness escape room, the time is reduced to 15 to 30 minutes. This is enough time to solve the tasks, and it allows more employees to participate in the game. Short games do not interfere with employees’ daily work, and managers are more likely to support employees’ participation.

Security awareness escape rooms are usually physical, in-person games played in the office or another workplace environment, but it is also possible to develop mobile applications or online games. The advantages of these virtual escape games are wider availability in terms of the number of players (several player groups can participate), time (players can log in after working hours or at home), and more game levels with more scenarios and exercises. Before deciding on a virtual game, it is important to consider the downside: Many people like the tangible nature and personal teamwork of an actual game (because at work, they often communicate only via virtual channels), and the design and structure of a gamified application can be challenging to get right. Experience shows that poorly designed and noncreative applications quickly become boring for players.

Creating a Security Awareness Escape Room Program

Before organizing a security awareness escape room in an office environment, an assessment of the current level of security awareness among possible participants is strongly recommended. This can be done through a social-engineering audit, a questionnaire or even just a short field observation. The game will be more useful and enjoyable if the weak controls and local bad habits identified during the assessment are part of the exercises. If there is insufficient time or opportunity to gather this information, colleagues who are key users, who are interested in information security and who know other employees well can provide ideas about information security risk based on the human factor.[10]

After identifying the required security awareness elements (6 to 10 per game), the game designer can choose a character to be the target person, identify the devices used and find a place to conduct the program (empty office, meeting room, hall). It is important that notebooks, smartphones and other technical devices are compatible with the organizational environment. The next step is to prepare the scenario—a short story about the aims and rules of the game—and prepare the simulated environment, including fake accounts on Facebook, LinkedIn or other popular sites and in Outlook or other email services. Special equipment (e.g., cameras, microphones or other high-tech devices) is not needed; the personal supervision of the instructor is adequate. In fact, this personal instruction improves employees’ trust in the information security department. Before the event, a few key users should test the game to ensure that the allotted time and the difficulty of the exercises are appropriate; if not, they should be modified.

If there are many participants or only a short time to run the program, two escape rooms can be established, with duplicate resources. In this case, players can work in parallel, or two different games can be linked—for example, room 1 is for the manager and room 2 is for the manager’s personal assistant, and the assistant’s secured file contains the password to access the manager’s top-secret document.

After preparation, the communication and registration process can begin. This is a very important step, because without communication the program will not be successful. It is essential to plan enough time to promote the event and sufficient time for participants to register for it. It is advisable to schedule the game to coincide with team-building sessions, family days organized by the enterprise or internal conferences, because these are less rigidly scheduled events that give employees the time to participate in the game. Registration forms can be made available through the enterprise’s intranet, or a paper-based form with a timetable can be filled out on the spot. In the case of preregistration, it is useful to send meeting requests to the participants’ calendars, too.

The instructor should tell each player group the scenario and the goal of the game (name and type of the targeted file), explain the instructions and rules (e.g., which elements in the room are part of the game and whether WiFi and Internet access are available), outline forbidden elements (such as hacking methods, personal devices, changing user accounts, or modifying passwords or hints), and provide information about time penalties, if applicable. The instructor supervises the players to make sure they do not break the rules and to provide help, if needed. At the end of the game, the instructor takes a photograph of the participants with their time result. These photos and results can be shared on the enterprise’s intranet site, turning the program into a competition; this is also good promotion for the next security awareness event.

After the game, participants can be given small tokens, such as a notepad, keyring, badge or webcam cover, or they can be given certificates acknowledging their results. These rewards can motivate participants to share their experiences and encourage others to take part in the program. They can also remind participants of the knowledge they gained in the security awareness escape room.

Between player groups, the instructor has to reestablish or repair the room and check all the exercises because players sometimes modify the password reminders or other elements of the game, even unintentionally.

Experience from leading more than a hundred security awareness escape room games shows that feedback from participants is very positive. According to interviews with players, some reported that the game exercises were based on actual scenarios, and they were able to identify the intended information security message. They found it useful to try unfamiliar secure devices approved by the enterprise (e.g., supported secure pen drives, secure password container applications). Some participants said they would change the bad habits highlighted in the security awareness escape room (e.g., PIN codes, secret hiding places for keys, sharing of public content on Facebook). Other employees admitted to starting out as passive observers during the mandatory security awareness program, but by the end of the game, they had become active players and helped their team.[11]

Conclusion

Most people change their bad or careless habits only after a security incident, because then they recognize a real threat and its consequences. Security awareness escape rooms or other gamification methods can simulate these negative events without actual losses, and they can motivate users to understand and observe security rules. The most important result is that players can identify their own bad habits and acknowledge that human-based attacks happen in real life.

Before gamification elements can be used to improve the security knowledge of users, the current state of awareness must be assessed and bad habits identified; only then can rules, based on experience, be defined. Intelligent program design and creativity are necessary for success. Other critical success factors include program simplicity, clear communication and the opportunity for customization. Of course, it is also important that the game provide something of value to employees, because players like to win, even if the prize is just a virtual badge, a certificate or a photograph of their results.

Based on experience, it is clear that the most effective way to improve information security awareness is to let participants experience what they (or other people) do wrong. Gamified applications or information security escape rooms (whether physical or virtual) present these opportunities and fulfill the requirements of a modern security awareness program.

Endnotes

[1] Mitnick, K. D.; Simon, W. L.; The Art of Deception: Controlling the Human Element of Security, Wiley, USA, 2003
[2] Ibid.
[3] Oroszi, E. D.; Security Awareness Escape Room—A Possible New Method in Improving Security Awareness of Users, Cyber Science: Cyber Situational Awareness for Predictive Insight and Deep Learning, Centre for Multidisciplinary Research, Innovation and Collaboration, UK, 2019
[4] Van den Boer, P.; “Introduction to Gamification,” Charles Darwin University (Northern Territory, Australia), 2019, http://www.slideshare.net/pvandenboer/whitepaper-introduction-to-gamification
[5] Anadea; “How Gamification in the Workplace Impacts Employee Productivity,” Medium, 31 January 2018, http://medium.com/swlh/how-gamification-in-the-workplace-impacts-employee-productivity-a4e8add048e6
[6] Ibid.
[7] Shedova, M.; “Using Gamification to Transform Security Awareness,” SANS Security Awareness Summit, 2016
[8] PricewaterhouseCoopers; “Game of Threats,” http://www.pwc.com/lk/en/services/consulting/technology/information_security/game-of-threats.html
[9] Op. cit. Oroszi
[10] Ibid.
[11] Ibid.

Eszter Diána Oroszi, CISA, CRISC, CISM, is a senior information security expert at an international company. She has 12 years of experience in the field of information security, with a special interest in human-based attacks, social engineering audits and security awareness improvement.