Cybersecurity In-Depth

Simulation Game Teaches Non-Security Staff How to Handle a Cyber Crisis

In this card-based game from Kaspersky, players work through a cyberattack scenario and learn how each decision they make has consequences.

With attacks against organizations becoming more sophisticated and damaging, senior executives and business stakeholders are beginning to recognize that they also play a role in enterprise defense. The challenge, then, is to bring together all the different perspectives so they can work effectively with the security team in the case of a cyberattack or security incident.

It’s time to play a game. A gamified approach to training is more fun than tedious, and people are more likely to remember the concepts afterward. 

A new online simulation game from Kaspersky walks business executives and other non-security staff through a simulated cyberattack against the UN First Committee, one of six main committees at the General Assembly of the United Nations. Players are asked to determine the intended target, what types of attacks were deployed, and who the attackers may be. At the outset, it’s unclear exactly what’s going on, and players have to make a series of turn-based decisions from a relatively small amount of available information. The consequences of the player’s decisions, both good and bad, are compounded, offering players insight into what options are available in a crisis and how the choices affect one another.

How the Game Is Played
Represented by cards, each decision costs time and money, both of which are in short supply. Whatever options a player chooses affect the outcome of that round. Poorer decisions put a player deeper in a hole; wiser ones put them in a better position to start the next round. There are numerous paths and branches a player might follow, so participants may, and likely will, have completely unique experiences even as they compete with others for the best score.

Players receive messages with clues at the beginning and end of each round, but they still need to think critically because there are red herrings and distractions. For example, players will be presented with options like performing security training (too little, too late) or accusing a group or individual of the cyberattack (generally not helpful) in the wake of news reports.

There are many specific courses of action to take. For example, players can choose to ask for national IT support for attack remediation, quickly convene an emergency meeting to get key stakeholders informed, and launch an investigation into what sort of attacks were perpetrated and by whom. Players may also be faced with gut-check options like when and how to speak to the press and whether or not to pay a ransomware demand.

This particular security training is based on the Kaspersky Interactive Protection Simulation (KIPS) game, a team-based training program for business system experts, IT people, and line managers. Part of the Kaspersky Security Awareness portfolio, KIPS simulates ransomware, advanced persistent threats (APTs), and other online threats in a variety of settings, including a bank, a “typical” corporation, local public administration, a power station, logistics companies, a water plant, an entity in the oil and gas industry, and an airport.

Lessons for the Enterprise
This version of the game is designed primarily for diplomats and their staff — hence the focus on the United Nations and options for international cooperation — but any business stakeholder or anyone in a leadership role within an organization can benefit from the simulation’s lessons. Parts of a coordinated response to cyberattacks are, of course, deeply technical in nature, but much of it involves strong communication and timely decision-making.

In other words, it’s more important for leaders and staff to know what technical information they need to acquire, who can gather or decipher that technical information, and who needs to share in that knowledge once it’s acquired than it is for them to possess technical expertise themselves. That knowledge can strengthen an entire organization’s security readiness.

“Simulations of these sorts, when done correctly, can be extremely useful for organizations and the individuals involved,” says Javvad Malik, a security awareness advocate at KnowBe4. “It's akin to a dojo or boxing sparring, where by going through the motions in a safe environment, one can increase their skills.”

The purpose of these exercises “...need to be to gain assurance that processes, technologies, and training work as expected — and not designed as tricks to fool colleagues or showcase how clever the simulations can be made,” Malik emphasizes.

One of the game’s key implications is that organizations should always take steps to prepare for cyberattacks before they occur. Training is a big part of that, including learning new ways of conceptualizing how cybercriminals think. 

“Defenders think in lists. Attackers think in graphs,” explains Bob Rudis, chief data scientist at cybersecurity firm Rapid7. “What we need is a new class — protectors — that think in graphs (i.e., looking ahead at the choices they can make to see what may come about, so they can make better or additional choices). These games could make that a reality.” 

He also advises bringing in people from all corners of an organization, not just from information security, to regularly participate in cyberwar games.

Once members of an organization have been able to think critically through realistic scenarios in a dynamic simulation, they’ll be able to prepare their defenses more wisely, including deciding where to invest resources. 

“It's really what organizations should do before spending any money on cyber defenses since you have to know how you're going to use what you buy, not just install-it-and-forget-it,” notes Rudis. “Seeing how well choices match up in a real-world, consequence-free setting is pretty powerful.”