User engagement, return on investment and learning. Those are key benefits of gamification. Gamification might be a new term but it has been used on specific industries since years. One example is the militaries that have been using games, challenges and simulations to resolve problems and engage audiences. NATO is considering gamification using the Internet. The Office of Naval Research a department from the US Navy recently ran a Massive Multiplayer Online Wargame Leveraging the Internet. Deloitte call it the engagement economy.
Gabe Zichermann and Christopher Cunningham on the preface of their latest book wrote that “Simulation and gaming is a promising, and rapidly-expanding, field of study. This new methodology is being adopted in a wide variety of disciplines. Complicated computer models have helped inform everything from finance to engineering, a new wave of “serious games” have begun to change the way we think about gaming as a told for learning, and true-to-life simulations have changed the way professionals train for intensive, on the job-skills.”
Then, how can we use and apply gamification to information security? Well, learning information security skills through gamification is what this post is about. And is where NetWars comes in. NetWars is a product from SANS and it illustrates how gamification can be used to help you increasing your information security skills. The concept is not new and there are others. Similar is the Overthewire and Smasthestack challenges, which are also known as capture the flag or wargames. However, NetWars was made by Ed Skoudis. That alone is already a differentiator. Last year at London, SANS hosted the first EMEA Netwars tournament session. It consisted of 5 levels, where each one consists of several challenges that will give you points from 1 to 15 based on its difficulty. To be able to pass to the next level you need to reach a certain threshold. The levels are designed to help participants develop skills areas such as Vulnerability Assessments, System Hardening, Malware Analysis, Digital Forensics, Incident Response, Packet Analysis and Penetration Testing.
Should business leaders invest in this type of simulations to train their employees? Absolutely, the marriage between pedagogy and technology is a fact. In addition from a pure return on investment, employee training might be the best business expense. According to Professor Bartel, who is the Director of Columbia Business School’s Workforce Transformation Initiative and an expert in the field of labor economics and human resource management. The estimated return on employee training range from 7% to 50% per dollar spent and on two specific case studies it can grow with returns of 100% to 200% on investment. Further details on her paper “Measuring Employer Return on Investments in Training”.
To give you an example on how gamification can be used to engage people and learn. You might remember, back in 90s, there was a famous video game called Where in the World is Carmen Sandiego?. The game challenges player to track the thief who is hiding out in one of 30 cities using a world almanac as investigative tool (for example, “What country uses keroner as its currency? Check your connections to find out which cities the thief might have fled to). The game basically teaches you knowledge of world geography and cultures.
But back to NetWars and his director, Ed Skoudis, check his presentation on “Using InfoSec Challenges to build your skills and career”. Among others the presentation describes the benefits of gamification information security challenges. The presentation also provides guidelines on how to develop your own challenges and simulations.
Teaching and training systems like NetWars are designed to mimic real life situations. In this case it represents real-world security issues with their respective flaws and resolutions on an interactive and hands-on laboratory environment. Historically books contain theories and examples. But with simulations, challenges and games, the dynamic and a temporal element can be added. It will also allow difficult concepts to be vibrantly illustrated.
References:
Zichermann, Gabe; Cunningham, Christopher (2011) : Gamification by Design : O’Reilly
Information Resources Management Associations (2011) :Gaming and Simulations : IGI Global
Count Upon Security 