
Gamification of Security: Making Security a Game. Spencer Wilcox, CISSP, CPP, SSCP @ brasscount

Presentation Transcript


  1. Gamification of Security: Making Security a Game. Spencer Wilcox, CISSP, CPP, SSCP @brasscount Find this presentation at: Securiplay.com

  2. Abstract
     There seem to be two requirements implicit in security. First, stop the bad guys from doing bad things to us, and second, limit the exposure to loss so the company can make money. Is your management playing the same game? Check-the-box security is regularly dismissed by security professionals as mere compliance, and a waste of highly trained staff. Instead of making security compliance the worst part of a security job, why not make it a game? Can we pay a receptionist to play a game to monitor logs between phone calls while helping to secure our networks?

  3. Disclaimer
     I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own, any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided.

  4. So what is Gamification?
     • Michael Wu –
       • Gamification is the use of game-like mechanics to drive game-like engagement and actions.
     • Wikipedia –
       • Gamification is the use of game thinking and game mechanics to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning.
     • Dictionary.com –
       • No results found, do you mean Gasification?

  5. What is Gamification
     • What Gamification is not:
       • Game Theory
         • A Beautiful Mind
         • Problem-solving approach to model complex problems
       • Video Games
       • Role Playing Games
       • Strategy Games
       • Train Games
       • Board (Bored Games)

  6. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called?
     a. Keystroke capturing
     b. Access validation testing
     c. Brute force testing
     d. Accountability testing

  7. SURVEY SAYS? c. Brute force testing

  8. What is Gamification
     • Using Game Mechanics – Fogg’s Behavior Model (BJ Fogg, Stanford University)
       • Motivation – WANT
         • Sensation (Pleasure, Pain)
         • Anticipation (Hope, Fear)
         • Social Cohesion (Rejection, Acceptance)
       • Ability
         • “By focusing on Simplicity of the target behavior you increase Ability.”
       • Trigger
         • Getting someone to act at the right time, when both motivation and ability are at their peak.
     For more on this, search for Michael Wu: The Science of Gamification (fora.tv)

  9. An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
     a. Discretionary access
     b. Least privilege
     c. Mandatory access
     d. Separation of duties

  10. SURVEY SAYS? b. Least privilege

  11. So how does this apply to me?
      • Gamification has three direct applications to security:
        • Gamification to increase employee engagement and employee retention.
        • Gamification to increase employee productivity, by simplifying work and by increasing motivation.
        • Gamification to increase executive buy-in.

  12. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network utilizing system resources?
      a. Logic bomb
      b. Virus
      c. Worm
      d. Trojan horse

  13. SURVEY SAYS? c. Worm

  14. Increase Employee Engagement
      • Gamify the work experience
        • Immediate gratification
        • Achievements for completions
        • Achievements for certs, degrees, promotions, years of experience, etc.
      • Gamify the Bug Hunt
        • A note for finding the bug, a badge (and spot bonus) for following it through the GRC
      • Gamify Secure Coding
        • If your code makes it through code review with no bugs, WIN FABULOUS PRIZES!
      • Gamify Incident Detection
        • APT detection (much like the bug hunt).
      Pro-Tip: Help solve the “Never a Prophet in Your Own Land” syndrome. Create a team intranet site, and DISPLAY your employees’ earned badges. Make it the Security LEADER board.

  15. All Your Base?
      a. Are Hidden On Dantooine.
      b. Are Belong To The Kilrathi.
      c. Are Belong To Us.
      d. Are being closed in BRAC.

  16. SURVEY SAYS?

  17. Increase Employee Productivity
      • Let’s build a game:
        • Needs to engage your employees.
        • Solve a problem.
        • Be simple enough to understand, motivating enough to challenge.
      • Candy Crush
      • A real-world problem:
        • Log Monitoring
        • Receptionists with free time
        • A match made in gamification heaven.
      • Did you play Galaga to “Earn the High Score”, to “Knock off the guy in number 1,” to “Hang at the arcade with your buddies,” or to “See the Mothership?”
      • Richard Bartle, PhD, notes that there are four player personality types:
        • Achievers
        • Killers
        • Socializers
        • Explorers
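A minimal scoring engine for the log-monitoring game proposed on this slide, with the leaderboard from slide 14. This is an added example, not code from the talk or from securiplay.com; the sample log lines, the brute-force rule used as the answer key (three or more failed logins from one source), the point values and the badge thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log. Lines 1-4 are one source failing against several
# accounts in a row (the brute-force pattern from slide 6); line 6 is ordinary noise.
SAMPLE_LOG = [
    "10:00:01 sshd: Accepted password for alice from 10.0.0.5",
    "10:00:07 sshd: Failed password for root from 203.0.113.9",
    "10:00:08 sshd: Failed password for admin from 203.0.113.9",
    "10:00:09 sshd: Failed password for bob from 203.0.113.9",
    "10:00:10 sshd: Failed password for carol from 203.0.113.9",
    "10:00:30 sshd: Accepted password for bob from 10.0.0.7",
    "10:01:02 sshd: Failed password for bob from 10.0.0.7",
]
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
# Badge thresholds (points, badge name) are constructed for this example.
BADGES = [(1, "First Catch"), (3, "Log Hawk")]

def answer_key(lines, threshold=3):
    """Return indices of lines in a brute-force run: at least `threshold`
    failed logins from one source IP. This is the analyst-written rule the
    game scores against; it is an assumption of this example, not the talk's."""
    fails = defaultdict(list)
    for i, line in enumerate(lines):
        m = FAILED.search(line)
        if m:
            fails[m.group(2)].append(i)
    return {i for idx in fails.values() if len(idx) >= threshold for i in idx}

class LogGame:
    """Players flag lines; a hit earns a point, a false alarm costs one, so
    flagging everything does not win. Badges, once earned, are kept."""
    def __init__(self, lines):
        self.key = answer_key(lines)
        self.scores = Counter()
        self.badges = defaultdict(set)

    def flag(self, player, index):
        delta = 1 if index in self.key else -1
        self.scores[player] += delta
        for points, name in BADGES:
            if self.scores[player] >= points:
                self.badges[player].add(name)
        return delta

    def leaderboard(self):
        """Highest score first: the 'Security LEADER board' of slide 14."""
        return self.scores.most_common()
```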

  18. Why are unique user IDs critical in the review of audit trails?
      a. They show which files were altered.
      b. They establish individual accountability.
      c. They cannot be easily altered.
      d. They trigger corrective controls.

  19. SURVEY SAYS? b. They establish individual accountability.

  20. Gamify Your Management
      • Return on Investment is important.
        • What are the tangible and intangible returns?
        • Financial ROI is virtually incalculable in a large company.
        • Intangible ROI may be a better return.
      • What experience can security provide your executives and your board?
        • Earn the “Briefing at Cheyenne Mountain” Badge
        • Earn the “Secret Clearance” Badge
        • Earn the “Best Security Program in Class” Badge
        • Earn the “Q works for me” Badge
        • Earn the “Not FUD But Science” Badge
        • Earn the “We PROTECT our Customers / Infrastructure / Nation” Badge

  21. What principle recommends the division of responsibilities so that one person cannot commit an undetected fraud?
      a. Separation of duties
      b. Mutual exclusion
      c. Need to know
      d. Least privilege

  22. SURVEY SAYS? a. Separation of duties

  23. Bibliography
      • See securiplay.com
      • A formal bibliography is forthcoming.