Go Feed Racer Go!

Have a non-security business unit escalate actionable intelligence before the threat feeds.

A case study in building security champions quickly, in non-technical parts of the business.


Addressing the Typical User Problem

As information security practitioners, we love to talk at length about the “stupid user” problem. The issue is that few, if any, real solutions are presented to address it head on. We assume our business units and management teams SHOULD be as interested in securing the infrastructure as we are, but what have we done to actually cultivate that besides the usual rhetoric? If you’re looking at your own awareness training while reading this, and finding the typical death by slideshow is well represented, then this is for you.


If we want to resolve this issue, we need to give our participants a reason to participate

It’s important to remember that your security program in some way impacts a business process. Whether it’s removing the ability for someone to execute a shortcut, limiting functionality of a tool, or providing guardrails around information sharing between business units, somewhere in some capacity, someone won’t be a fan of the work you’re required to do inside the business. So presenting them a slide show of how they should now interact with these changes already sets you up for failure. Consider this:

  • You’re not the only slideshow they’ve had today, and you likely aren’t the last one of the day either

  • Your awareness presentation likely isn’t the first or last meeting your participants have to attend today

  • It’s a “collaborative session” designed without a collaborative tool. Slideshows rarely elicit participation since they’re passive and improperly used

  • Your presentation takes mental cycles away from something else they have to do today, probably with a tighter deadline and a noisier boss.

This is a really difficult starting point for you, as you’re competing for attention spans much like traditional performance art. However, unlike a rock band or stand-up comedian, you don’t have the luxury of a willing audience.

Could you imagine if the Director of Accounting locked the boardroom doors to make you listen to their demo tape for an hour, and if you managed to leave early you didn’t get credit for the attempt, meaning you have to come back and do it again later?

That scenario would replace the evil figure in my nightmares

In essence, that’s what we as security practitioners have done with our business-unit-facing training. We’ve turned a learning opportunity into a hostage situation, and unlike someone’s demo tape, there’s no heart in the effort, which bleeds through into the presentation material.


Playing Games To Solve Security Problems

How about we play something instead?

Games in a boardroom for the purposes of learning, while also providing net value to your business, are a whole new way of solving the same old problems. Instead of one-way presentations, you set the tone of collaboration right from the beginning. Most people won’t sign on for a slide show, but the opportunity to play something instead of the usual work is going to get higher traction from those who have to attend.

We as people enjoy games because we get to use many parts of our brains. We have to be creative in our approaches, while also remaining logical within the parameters of the game itself. It’s an inherently social exercise that lends itself well to organic collaboration, which cultivates that sense of self-awareness we all strive for in security program management.

Best of all, you as the game designer get to have fun putting it all together


Methodology

Before I get into the how, here’s a shameless plug for our Incidents & Accidents service: a multi-player incident response tabletop experience, where we take your security program elements such as incident response plans, specific crisis communication processes, assets, tooling, and incident handling team structures, and integrate them into a custom game instance designed just for your business.

We wrap a relevant threat case around a plausible incident that could happen inside your business, and allow your teams to work through a simulated breach with no actual impact to the business. Before the session ends, we tell you how much it cost, and you’ll have already determined the genuine gaps in your IR processes, which gives everyone a clear picture of how equipped your business is to respond to security incidents right now.

Non-technology business units are highly encouraged to attend, as our sessions include a security awareness talk (we make it interesting, don’t worry) and an incident response primer lecture so everyone plays from the same sheet of music; the remainder of the session is reserved for game play.

The session includes attendance tracking, an after-action report with suggestions for improvements, and a letter to your auditors detailing why our sessions meet the standards of compliance for both awareness training and incident response plan validation. We understand you’re probably an overworked security practitioner, so our entire process is designed to minimize impact on your workload while providing immense value to your security program.

Alright, now back to our regularly scheduled programming

Whether you procure a service like ours or design your own game to solve a training problem, you’ll want to consider a few things first:

  • What would you like to play? Chances are you’ve got some ideas and even some concepts of games you would like to play while learning something. Find that info and use it as a starting point.

  • Be ready to design some things. Whether it’s tangible tokens for in-person delivery, event cards that tell a story, or something visual for remote delivery, you’ll want to have visual representations of your idea.

  • Focus on one topic as your delivery. Most security training tries to cover too much ground, with little impact in any good direction. Go a little deeper and use the time to align the training to business processes. Pick a problem your business is currently struggling most with, and wrap a game around that. Since most businesses struggle with phishing, consider a game that showcases how phishing works from an attacker point of view. (We have one of those games too and it works really well)

  • If possible, build some form of impact into the game itself. Are specific moves more expensive than others? Do certain objectives only come up in specific cases? A trade-off of some kind forces a trade-off discussion amongst participants, which in turn gives them evaluation criteria. Our IR game has costs associated with isolating devices or playing certain abilities; our phishing game has costs associated with playing specific options. Here you can tinker with the risk/reward components of your game, so give this some heavy consideration.

  • Have fun with the whole thing. Crack jokes, tell stories, engage with your audience and don’t hesitate to describe technical concepts in a simplified manner, WITHOUT being condescending. That goes a long way with everyone, and helps get them interested in what you’re doing.


Does this actually work…?

Absolutely! Here’s where we get to the crux of the case study.

One of our clients invited some non-tech business units to their session of Incidents & Accidents, where we evaluated their current capacity to respond to a breach scenario chosen as highly probable for their industry. Before we finished the session, everyone could see the potential costs involved, the time required to resolve the breach, the technical team skills required, the communication effort needed, and the overall business disruption.

That led to a brief bit of silence, followed by various renditions of “whoa…that’s a lot”. That “whoa” is where this all takes hold and turns apathetic business units into your new security front lines.

As a result, the security manager who hired us continues to receive positive feedback about that session (which took place in early 2021), and more importantly their non-tech business units are now among their new security champions. In one instance, someone from a non-tech business unit escalated a suspicious link to the security team BEFORE the threat feeds were updated. To us, that’s a 2 minute mile we’re proud to have as proof our way works.

So how can I bring this into my own training?

Very little is really discussed with the business when we talk about security training. We teach people not to click on links because it leads to compromise, but we don’t showcase what that compromise MEANS to the business. Most security training has a “why”, but stops short of making that matter to our participants in ways that resonate with their work.

When we demonstrate the impact this has on the business, while also illustrating that breaches will happen even with good tech managed by skilled teams, it provides a moment of clarity to everyone involved. We can show that while we’re ready to respond, issues can still crop up in that response, and the impact may be coming for their budgets as much as our own.

More importantly, when we invite everyone to participate while we pull back the curtain on our security programs in an accessible way, it creates interest and curiosity in our work, as opposed to the traditional responses we’re used to. You build connections within the business and present your security team as an approachable entity that takes the time to understand the business, while also providing something fun for them to do in the pursuit of improving security posture.


In short, try playing games to solve your traditional security problems. You as the designer will learn a ton about your own security program, your participants will appreciate the change from the ordinary, and your learner engagement improves drastically. You’ve tried it the old way many times, now is the best time to try something entirely different.
