Phishing, data leaks, laptop or smartphone theft, "fake President" fraud… end-users are key actors in securing information systems.
However, raising their awareness of security risks and teaching them good practices is a difficult exercise: a headache for CISOs, a lack of interest or even tension from end-users who interpret security measures as restrictions. The ways of raising information security awareness must evolve continuously.
Is an escape game a way to bring end-users and cybersecurity back together?
A fun approach to raise awareness among end-users
Like any classic escape game, the game master welcomes the players and introduces the game's context and rules. They enter the game room, where they have to reach their goals within a limited time.
During the game, the game master follows the team's progress remotely and gives clues if the players run into difficulties.
At the end, the game master holds a debriefing: he goes through the bad security practices the team exploited during the game and reminds them of the corresponding good practices.
The goals to be reached during the game depend on the scenario. For example:
- A fake job applicant who searches the desk of a competitor's R&D director to steal the design and technical details of a new product.
- A hacker who blackmails employees, threatening to reveal sensitive private information, into stealing classified documents and making bank payments within their own company.
- Someone who uses an invitation to their CEO's home as an opportunity to steal evidence of the CEO's involvement in misappropriation of funds.
Which awareness areas are covered?
An escape game can raise awareness of many different topics:
Take the "Password" area as an example. The game exposes players to bad practices that they will have to leverage to reach their goals:
- Weak passwords based on personal information (first name, last name, birthdate…),
- Passwords saved in web browsers,
- The same password used for personal and professional accounts,
- Passwords written on a post-it.
Players exploit the vulnerabilities set up in the game themselves, and gain a better understanding of the associated risks than they would by reading a policy.
Furthermore, the escape game helps them understand the part they have to play to avoid becoming the unwitting accomplice of a cyberattack: behaving cautiously, for instance being discreet on social media, being careful when talking to someone new, having the reflexes to spot a phishing e-mail, shredding confidential papers, etc.
How to successfully build a cybersecurity escape game?
First, define the overall scenario: the goals to be reached, the roles played by the players and the location of the game.
Then, design the secondary objectives and the series of actions that will let the players reach the main goals. For example, to reach the goal "steal the confidential document describing a product's design", players will have to:
- Rebuild a document that was torn up by hand and thrown in the trash,
- Use this document to find the answer to a secret question and reset a user's password,
- Use the compromised account to connect to a SharePoint site and fetch the confidential document.
A classic escape game relies on clues and objects in unexpected hiding places. A cybersecurity escape game, on the contrary, aims to recreate real-life circumstances that players can relate to their own working life.
It is important to adjust the difficulty level to the target audience. Clues must be understandable by people with no IT expertise if the escape game targets a large group of coworkers. Conversely, clues must be more complex if the target is IT staff: for example, having them perform a simple SQL injection on an application to access confidential data. The hint on how to perform the SQL injection can itself be provided through a web app reached via a bookmark saved in a web browser.
Finally, once everything is designed and ready, test sessions are required to refine the game and to adjust when the game master needs to give clues. It is important that players reach all the goals, so that they encounter all the security awareness topics expected.
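As an added illustration (not part of the original article), here is what such a deliberately vulnerable puzzle application could look like, reduced to a few lines of Python with SQLite. The table names, the usernames and the "Project Atlas" document are constructed for the example. The vulnerable login builds its SQL by string concatenation, so a username ending in a quote and a comment marker bypasses the password check entirely; the hardened login uses a parameterized query, which closes the injection puzzle but still leaves the weak-password puzzle from the "Password" area above. Plaintext passwords are a simplification for the game; a real application would store password hashes.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny R&D document portal used as a game prop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE documents (owner TEXT, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("rd_director", "Sophie1975"),  # weak password built from personal information
        ("game_master", "correct horse battery staple"),
    ])
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        ("rd_director", "Project Atlas design", "CONFIDENTIAL: prototype specifications"),
        ("game_master", "Escape room notes", "Nothing secret here"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text.

    Username "rd_director' --" turns the query into
        ... WHERE username = 'rd_director' --' AND password = '...'
    and the trailing comment removes the password check.
    """
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the values, so quotes and
    comment markers in the input stay data and never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def fetch_documents(conn, owner):
    """Titles of the documents the logged-in account may read."""
    rows = conn.execute("SELECT title FROM documents WHERE owner = ?", (owner,))
    return [title for (title,) in rows]


if __name__ == "__main__":
    db = build_db()
    payload = "rd_director' --"           # the injection the players are expected to find
    who = login_vulnerable(db, payload, "anything")
    print("vulnerable login as:", who, "->", fetch_documents(db, who))
    print("hardened login with same payload:", login_hardened(db, payload, "anything"))
    # The weak password still works against the hardened version: a separate lesson.
    print("hardened login, guessed password:", login_hardened(db, "rd_director", "Sophie1975"))
```

During the debriefing, the two functions side by side make the point concrete: the injection disappears when the query is parameterized, but the account remains one guess away as long as the password is the director's daughter's name and birth year.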
A very efficient tool to include in a global awareness strategy
The role-playing provided by an escape game raises awareness effectively and ensures good assimilation of the messages. Players spontaneously draw links between their own experience and the situations encountered during the game, which allows for rich debriefings: many discussions, with players deeply engaged in the topics covered.
An escape game does not replace other awareness methods. It must be part of a global strategy that alternates high-impact (but costly) actions with cheaper (but lower-impact) ones, to allow continuous awareness at a controlled budget.
Finally, a cybersecurity escape game is also an excellent team-building tool!