Information Security? Game On!

Adam Shostack has an excellent page on security gamification. So, if you have not already done so, go and read it: not only is it a well-written piece, it also contains a wealth of games that you can use, according to your use case. Standing on the shoulders of giants, I would like to add two benefits that the article does not explicitly mention.

The first one is the engagement factor. By gamifying certain activities, you can count on even the folks who do not want to be there having a better (perhaps not optimal, but better) degree of engagement with the whole exercise. I do have a small empirical sample for this; it has yet to prove me wrong, but as always YMMV. You do not need the big, bad spreadsheet for measurement: gamify instead (and if you actually need a spreadsheet, you can always fall back to it, behind the scenes).

The second benefit you can get from security gamification requires a small experiment from the first-time reader of this article. Allow me to ask you this, and I ask you to reflect on it for a moment: “When was the last time you played a video game or a board game or a team sport and you deliberately wanted to LOSE?”. Let me guess: not very often. Gamification more often than not implies a form of competition, even if a friendly one. For better or worse, even people who hate competing will most likely try to win if they find themselves in a competition. Trying to win means that the objective of the game is internalized and intrinsic motivation is starting to form. This step can work wonders in establishing a security culture within the organization – people might actually start taking security into consideration, if not downright care about it.

The overall positive effect of gamification is not only in imparting knowledge; it can also improve the overall security culture and level of engagement. Achieving all the aforementioned objectives can improve the overall security posture and lessen the workload on the security elements of the organization. Of course, no silver bullets exist – there are always people who will go along the lines of “Oh my goodness, here is Athanasios with his silly cards again”, and in more conservative workplaces it might raise an eyebrow or two, but, overall, it is a tool well worth exploring.

PS. I also guess it is time for me to resolve my grievance with Adam Shostack and Andrew Stewart publicly. On their old website for “The New School of Information Security”, they had the choice self-description “the Emergent Chaos Jazz Combo”. When I think of a jazz combo, what comes to my mind are refined, high-level musicians performing for an elegant audience. The name is apt for the participants. However, in information security, you cannot always be the jazz combo; sometimes you need to be the politically charged hardcore punk band: crude, loud, in your face, maybe not the most technical, but sure as hell getting the point across. After all, “Jazz musicians play 1000 chords for 3 people, rock musicians play 3 chords for 1000 people”, as the saying goes. (You know an article in this blog is not complete without a, perhaps bad, musical analogy.) Until next time.

1 comment

  1. Well done, Athanasios! A very interesting and, as always, enjoyable post to read! Time to bring some cards to the IT department of my company!

