Video Games and Information Security – Uneasy Bedfellows?

Written by Marc Busch, AIT

We like it when things fall easily into place and we like to have fun. We, as humans are playful in nature and appreciate competitions and collaboration with strangers, colleagues, friends or family. Video games are a welcome distraction, whether it is just a quick session of Candy Crush in the subway or an advanced gaming evening full of World of Warcraft. Even people who do not have video games on their bucket list probably get nostalgic feelings when they think of PacMan or hear the iconic Tetris music. Video games are fun and a nice way to spend some minutes or even hours.

For me, there are other nice ways to spend some time: attending classes or trainings in organizational information security. Nothing better than being confronted with heaps of learning material on why information security in my company is important, countless lessons about how I should behave and endless musings about the Top 50 Information Security Fails and How to Prevent Them. Wait – WHAT? This was a joke, of course.

Trainings and classes (on any topic, not only on information security) are usually not especially renown for ultimate fun and interactivity. Let’s be honest (and science supports us in that): information security trainings are boring, time-consuming, expensive and overall not very effective. We go there once in a while (most of the time because we have to, not because we want to), sit, listen, leave and by the time we trash the course materials we have forgotten almost everything of what we just “learned”. This is not only a waste of our time (think of all the things you could have done instead!), but it could also have negative consequences for our company.

Within the last few years, people attacking companies to obtain valuable information has significantly increased. These attacks do not only happen via technical means (“hacking” systems), but also via communication and interaction with employees (“hacking” us): attackers use various ways (mail, messaging, social media, telephone, etc.) to persuade us to provide information, which they need (e.g. passwords) to attack us. They also try to infect our systems with malware and viruses by making us click on bad links or attachments in messages. They even pretend to be colleagues or friends, who send us links to some websites. This is called phishing.

It would not be especially hard to detect phishing attempts. For example, hovering over a link in an email (without clicking on it), allows to identify the web address that this link will lead to. If the link is unexpected or weird (facepalmbook.com; amazon.as.com), don’t click on it. So now you know everything about phishing and don’t need to attend information security training. You might be right, however do you think that you will remember this information for a very long time and do you think you will remember it just in the moment when you receive a phishing message? I doubt it (and science supports that, too. Isn’t science great?!).

Okay, now is a point where you might ask yourself two things: one, why are you reading this and two, what is the connection between information security and video games?

The answer is pretty obvious: we combine information security training with video games. More precisely, we integrate information security training in fun and easy video games, which you will love to play and which will educate you at the same - killing two birds with one stone! Education might sound boring, but in combination with an appealing gameplay you will not even notice that you have learned something! This is an interesting concept of learning, right?

So how do we get there? By talking to people in companies and by observing them we find out what kind of games they like and what they know about information security. We rely on basic and appealing gameplays, known from a range of puzzle and arcade games: jumping, smashing, throwing and catching things, collecting, fighting, trading, and destroying. We combine these game mechanics with snippets of knowledge about information security. Imagine playing SpaceInvaders, but instead of destroying asteroids, you destroy phishing messages. And by doing so you incidentally learn that phishing messages are an issue. The more you play, the more you think about phishing as an issue. And since it game is really fun, you play it a lot and you will think a lot about phishing. And the next time you receive a phishing mail, you won’t click on it  – mission complete!

You think this sounds interesting? Contact us. We would love to tell you more about this approach.

 

by Marc Busch (AIT)




This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618

 

PHISHING WARS
The DOGANA phishing videogame

Want to try it?
Read more here and contact us

 

DOGANA CARDS GAME
Phishing: awareness through play

Want to try it?
Read more here and contact us

 

Contraband pixels and texts
Read all about our liteary-graphic competition on phishing and social engineering

All the pictures and novels