Gamification of Cyber Security training and incentivising your team

Steve Pye
Apr 11, 2022

Training can be pretty dull.

Getting teams to use that cool new function your DevOps team has just rolled out can be a challenge.

Here is where gamification can be useful.

We all love those little dopamine hits our brain rewards us with, but what if we could harness that idea to help us learn and increase our capabilities instead of doom scrolling or re-opening an app the second we’ve closed it?

Experimenting with some basic gamification has actually led to some really positive results in work and training.

What do I mean by gamification? Basically, taking ideas from games (levelling up, reward systems, scores etc.) and adding them into real-life situations.

My first two forays into gamification were creating a skill tree for learning some of the basic skills a threat intel analyst might be interested in, and developing a metric that records threat hunting by value as opposed to sheer quantity.

CTI Skill Tree

I’m not saying this is a definitive list of skills Threat Intel analysts need. These roles can be pretty diverse and benefit from all different skill sets.

This was just an early attempt at guiding training for people new to the team or that had never really done any Cyber Security work.

We split up competencies in a similar way to disciplines in games (Tank, DPS etc.) and then added a tiered levelling system (I-III on the image) for each competency, allowing individuals to choose what they wanted to aim for and guiding them down a path based on complexity and value.

3 columns separated into level 1, 2 and 3. Each contains a set of boxes with a skill that could be useful to an analyst. Titles include Open Source Intelligence and Malware Reverse Engineering.
Gamified learning pathway

Sometimes when starting a new role it can be easy to feel overwhelmed. Where should I begin? What should I focus on as an output?

I found that when looking at sources like Twitter you’d quickly feel like an impostor or that you had to learn everything to the Nth degree to progress or “be good” at your job.

By creating the skill tree we can provide this to new users and take the edge off that feeling.

Simple ideas like levelling up towards a certain discipline can help not only give the user something to progress towards but reward them at the same time as showing progress.

Incremental goals can bring value to the user and deliver whatever the team requires, whilst staying away from traditional training syllabuses and dry learning paths.

In addition to the skill sets we created a final challenge to show that you’d mastered the intro (again, not a definitive list :)). We hoped this would help demonstrate to the participants how far they had come whilst also delivering something usable for the team.

On a personal level I'd much rather work towards becoming a level 3 OSINT CTI analyst than work through a traditional course with an exam etc. but maybe that’s just me.

Rewarding Threat Hunting

Not all threat hunts are built equally. To some, not all threat hunts are actually threat hunts, but that’s a different story.

We focused on the Pyramid of Pain as a model for difficulty/triviality.

A triangle split into sections to show difficulty in hunting based on IOC types
https://www.sans.org/tools/the-pyramid-of-pain/

We took the idea that the lower down the triviality scale, the “easier” the hunt, and then attributed a value between 1 and 100 (Trivial to Tough) to each hunt type.

Setting what you believe to be a reasonable level of hunting for a day can help in creating a target or goal score. For example, you may wish your hunters to achieve at least 100 points every day.

Enacting hunt metrics in this manner can help avoid arbitrary KPIs/SLAs such as “do 5 hunts in a given time”. By assigning a value based on complexity we can measure hunt value and not just box ticking.

And we have the added benefit of empowering users to hit goals however they see fit and incentivising them with a simple system.

Play to win — by achieving hunt scores users can win\beat daily targets and feel rewarded or driven
Photo by Joana Godinho on Unsplash

Creating or using a platform (I used a SOAR platform to achieve this) to record and present hunt values, and to record notes and hunt findings alongside these scores, allows us to reward hunters as they are doing their job.

Simple colour coding from negative red to positive green can be used to reflect how close to a goal state they are for a day, with rewards for hunts completed and greater-complexity searches giving them larger scores towards the daily goal.

Presenting simple, colour-coded hunt value dashboards that showed the daily target gave users instant gratification for achieving high-value hunts whilst leaving them a target to progress towards or beat.
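One way to turn the scoring scheme above into code, as an added example rather than the SOAR implementation described in this post. The per-tier point values, the amber band and the sample records are assumptions constructed here; only the 1 to 100 range, the 100-point daily target and the red-to-green colouring come from the article.

```python
from collections import defaultdict

# Pyramid of Pain tiers, bottom (trivial) to top (tough). The point values are
# assumptions for this example; the article only fixes the 1-100 range.
HUNT_POINTS = {
    "hash": 5,
    "ip": 10,
    "domain": 20,
    "artifact": 40,  # network/host artifacts
    "tool": 70,
    "ttp": 100,
}
DAILY_TARGET = 100  # the article's example daily goal


def score_hunts(hunts):
    """Sum hunt values per (hunter, day) and keep the raw hunt count."""
    totals = defaultdict(lambda: {"points": 0, "count": 0})
    for hunt in hunts:
        if hunt["type"] not in HUNT_POINTS:
            raise ValueError(f"unknown hunt type: {hunt['type']!r}")
        entry = totals[(hunt["hunter"], hunt["day"])]
        entry["points"] += HUNT_POINTS[hunt["type"]]
        entry["count"] += 1
    return dict(totals)


def colour(points, target=DAILY_TARGET):
    """Map progress towards the target onto red/amber/green (bands assumed)."""
    ratio = points / target
    if ratio >= 1.0:
        return "green"
    return "amber" if ratio >= 0.5 else "red"


def dashboard(hunts):
    """Rows of (hunter, day, hunt count, points, colour) for display."""
    return [(hunter, day, t["count"], t["points"], colour(t["points"]))
            for (hunter, day), t in sorted(score_hunts(hunts).items())]


# Constructed sample records: five hash lookups versus two harder hunts.
SAMPLE_HUNTS = (
    [{"hunter": "alice", "day": "2022-04-11", "type": "hash"} for _ in range(5)]
    + [{"hunter": "bob", "day": "2022-04-11", "type": "ttp"},
       {"hunter": "bob", "day": "2022-04-11", "type": "domain"}]
)

if __name__ == "__main__":
    for row in dashboard(SAMPLE_HUNTS):
        print("{:<6} {}  hunts={}  points={:>3}  {}".format(*row))
```

In the sample, the hunter who would satisfy a "do 5 hunts" KPI ends the day in red, while the hunter with two higher-complexity hunts beats the target.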

One practical implementation of this saw a 150% increase in output for one user. Even though this won’t work for everyone across the board, I feel it shows a way we can use simple things like gamification to really help push towards achieving our goals.

Take-away

Creating simple gamified systems for your teams can reap direct results, whether by making training more “fun” or palatable, helping to achieve increases in productivity or driving towards goals.

We can use this as individuals or as part of a team, hopefully motivating and rewarding ourselves for positive behaviour such as learning or hunting down bad things going on in networks.

Finding simple systems to reward users can take the brain’s reward system, which is so commonly abused by things like mobile games and social media, and turn it to our advantage.

Why not give it a try?

Steve Pye

Interested in OSINT, Social Engineering, Security automation and currently working in the Cyber Security industry.