Gaming…seriously? -TEISS® : Cracking Cyber Security
Children building sandcastles

Opinion

Gaming…seriously?

Games are more than a jovial pastime and have a long history of professional uses. In this article Andreas Haggman examines the theory of gamification and illustrates how companies use gamification to drive customer retention and engagement before outlining an original boardgame created for training and education in cyber security.

The idea of play is something many people abandon after childhood. If the word "sandbox" conjures up images of virtual machines you are probably one of these people (and should therefore read on!).

Beginning with Johan Huizinga’s 1938 treatise Homo Ludens, much research has demonstrated the power of playing and games beyond the playground, leading to a meteoric rise of the concepts of gamification and serious games.

Gamification

If you have ever restocked your fridge, flown overseas, or created a social media profile chances are you will have experienced gamification.

Tesco, and other supermarkets, offer shoppers Points (all of which, we are told, “add up!”) just for completing the mundane weekly shop. Airlines dish out Frequent Flier miles which customers can spend on future flights. LinkedIn assesses how complete your online profile is and gives you a ranking from Beginner to All-Star.

These are but a few examples of the myriad organisations that have implemented gamification for marketing and customer retention.

The basic idea is to set targets for customers to strive towards and administer rewards for successfully reaching milestones. The gratifying nature of this system will be readily identifiable by any videogame player who has received an “Achievement Unlocked” or “Trophy Earned” notification.

If implemented subtly, these gratification systems are potentially even more powerful as people do not consciously recognise their presence, but simply feed into the playful human nature. At its core, gamification is a method of positive reinforcement that shapes "player" behaviour in a desired way.

The key difference, of course, is that in partaking in these activities (shopping, flying etc.) we are not consciously playing games, but merely going about our lives.

Also of interest: Security by design - what is it?

Serious games

In much less nefarious ways, the serious games initiative seeks to harness many of these same concepts but for overt training and education purposes. Serious games are either adapted from existing games or built from scratch to address some pedagogical need.

The games may forego the gratification mechanisms described above in favour of high-fidelity simulations where players can experience an activity in a way that closely resembles real life and thereby derive explicit lessons for real-life behaviour.

Technology has played a particularly important role in serious games, because the higher fidelity a simulation achieves the more direct the lessons are that can be learnt. Developments like virtual and augmented reality will prove pivotal in coming years, providing users with extremely engaging and interactive experiences.

Although the military has been particularly pioneering of such simulations, serious games have been made for a whole gamut of military and civilian uses, including urban infantry combat tactics, treatment for sufferers of post-traumatic stress disorder, repairing industrial equipment, predicting financial markets, and any number of cockpit-type experiences from piloting fighter jets to driving ambulances. The list goes on.

Also of interest: Breaking into the mind of a hacker

Wargaming

That the military led the way in the use of games is perhaps less surprising when we consider that a particular subset of games had been used for centuries to shape minds and behaviours.

The roots of wargaming can be traced back some 5000 years to ancient games like Wei Hai (literally “encirclement”, a precursor to Go) in China and Chaturanga (a precursor to chess) in India, which were used to teach aspiring military commanders about strategy and tactics.

Modern wargaming, however, was really pioneered in 18th and 19th century pre-unification Germany, where it was wholeheartedly adopted by the general staff. The success of the German military in ensuing conflicts can be partly attributed to this.

Simply defined, wargaming is an activity that at some level of abstraction seeks to model and simulate conflict. Over the past 200 years wargaming has been used by militaries around the globe to understand events of the past, plan operations and organisations, and explore envisaged futures.

In the past few decades, wargaming has also entered the civilian commercial world, with companies recognising the potential of using these tools and methods to achieve cost savings and realise business growth. However, despite this widespread popularity, few serious, and even fewer good, attempts have been made to apply these ideas to the cyber domain.

The importance of cyberspace as a communications and commerce medium is firmly entrenched, and concepts around cyber warfare feature heavily in modern military thinking, yet little work has been done (at least in the public domain) to wargame cyber.

My own work in the Centre for Doctoral Training in Cyber Security in the ISG seeks to ameliorate this situation. I have developed a wargame based on the UK National Cyber Security Strategy for the purpose of cyber security education and awareness training, primarily for senior policy and decision makers. The game is currently being deployed to as many organisations as possible to ascertain its pedagogic value.

With games and gamification now being widely appreciated for serious uses beyond jovial childhood pastimes there is great appetite to explore these methods in a variety of settings. Just as building sandcastles can be formative to early personal development, so can applications of playful ideas be leveraged to grow knowledge and foster understanding in more adult environments, including cyber security.

“Games,” said Benjamin Franklin, “lubricate the body and mind.” He was definitely on to something.

Andreas Haggman is a PhD researcher in the Centre for Doctoral Training in Cyber Security at Royal Holloway University of London. His thesis investigates the use of an original tabletop wargame for cyber security education and awareness training. Andreas’ wider research interests lie in non-technical cyber security topics and he has published on diverse topics including Stuxnet, cyber deterrence, national cyber security strategies, and offensive cyber. A full profile can be found on tinyurl.com/HaggmanRHUL and you can follow him on Twitter @Andreas_Haggman.

Also of interest: China altering its vulnerability data and why it matters

Comments