SecurityCom: A multi-player game for researching and teaching information security teams
Doug Twitchell, PhD
Illinois State University, School of Information Technology
Security Education and Training
- Why? The easy part
  - That’s why we’re here
  - Integral to a comprehensive security plan
- How? Not so easy…
  - Classroom?
  - Books?
  - Certifications?
  - Apprenticeships?
  - On-the-job?
Learning According to Bloom
- Lowest/Easiest is Knowledge (i.e., memorizing, defining, recognizing)
  - Books/Lectures
- Highest/Hardest is Evaluation (i.e., assess, compare, judge, predict)
  - Long experience
- Middle is Application (i.e., use, operate, demonstrate)
  - What we can hope for in security education
- http://officeport.com/edu/blooms.htm
Experiential Learning According to Kolb
- Concrete Experience
- Active Experimentation
- Reflective Observation
- Abstract Conceptualization
Security Learning for Teams
- Security function
  - Usually involves more than one person
  - Doesn’t happen in a vacuum
    - Organizational constraints
    - Budgetary constraints
- Security Agility
  - Decisions made with others across the organization
  - Security “techies” not often prepared for this
  - Security may lose out (bias => agility)
Experiential Learning in Security Education and Training
- How to get to the application level with teams
- Demonstrations
  - Not really application
- Labs
  - Tutorials
    - Step-by-step
  - Assignments
    - Figure out parts on your own
- Work/Study and Internships
  - Best
  - Sometimes difficult to get
  - Uncontrolled (may not coincide with curriculum goals)
- Games!
Games In Security Education
Advantages
- Controlled
  - You decide what they learn and how they learn it
  - No distracting outside information
  - Cause/Effect demonstrated immediately
- Quick
  - Can be designed to do in < 1 hour
  - Part of a lecture
- Cheap
  - Not much equipment needed
- Familiarity
  - Younger students, at least
- Motivation
  - Competition
- Use for Research
Disadvantages
- Main disadvantage: Not as close to “real life” as real life is
- Not free
  - Some equipment required
  - Design and setup required
- Students must learn how to use
Games in Security Education: CyberProtect
- Two games you might know about
- CyberProtect
  - Defense Information Systems Agency
  - Free and freely distributable
  - Won awards
  - Quick/Easy to use
  - Single player
  - Turn-based
  - Somewhat outdated
  - Demo!
Games in Security Education: CyberCIEGE
- CyberCIEGE
  - Naval Postgraduate School
  - Free for some by request
  - 3D!
  - Simulation based
  - Game-building language
  - Some pre-built scenarios
  - Not as quick/easy as CyberProtect
  - Currently only single-player
    - But claims that multi-player is in the works
  - Demo!
StrikeCom
- Built for researching interpersonal deception
- Used for teaching Network Centric Warfare
  - Office of Force Transformation
  - Seminars around the world
  - National Defense University (until they were hacked)
  - Received great feedback – students could “feel” the concepts, and it broke up the “Death by PowerPoint”
- Multi-player, collaborative game – Teams! –
- Taught usefulness of shared-situational awareness and alternative communication channels
- Demo!
SecurityCom
- Wanted a game
  - Quick/Easy like CyberProtect
  - Multiplayer/Collaborative like StrikeCom
  - Configurable like CyberCIEGE
- Web-based
  - Easy to install (web browser only) and administer
  - Familiar interface
- Built from ground-up
  - Ruby on Rails
  - AJAX
- Demo!
Goals
- Use SecureCom
  - As an experiential learning tool
    - Active Experimentation
    - Concrete Experience
  - Integrated into lecture
- First concept
  - Security in the organization
  - Security Agility
  - Players with differing goals
  - Need for trade-offs
  - We teach this, but they need to “feel” it
Testing SecureCom: Experiment 1
- Lecture Only
  - Teach concepts
    - Organizational goals
    - Conflicts
    - Trade-offs
    - Relation to risk management
- Lecture + Activity
  - Overview of concepts
  - Activity
    - Groups of three
    - Come up with a security plan on paper
- Lecture + SecureCom
  - Overview of concepts
  - Groups of three
  - Secure the system across 4 rounds
- Test learning outcomes
Testing SecureCom: Experiment 2
- Choose two concepts
- Use CyberProtect, CyberCIEGE, and SecureCom as teaching aids
- Compare learning outcomes
Bonus: Security Research Using Games
- Games are useful for research
  - Research besides teaching/learning research
- Research using StrikeCom
  - Deception
  - Leadership
- Controlled environment
- Motivated subjects
- Full interaction recorded
Bonus: Security Research Using Games
- Planned research using SecurityCom
- Shared-situational awareness
  - Network-Centric Warfare tenet
  - The ability for all involved to simultaneously have knowledge of current battlefield situation
- Security Planning
  - Does having shared-situational awareness help groups who make security decisions make better decisions?
  - Network is the “battlefield”
  - Compare groups with SSA to those with only language-based communication
Conclusion
- Security education is important
- Need to make sure SE results in at least “Application” level learning
- Use Experiential learning to accomplish
- Games help complete experiential learning cycle
- CyberProtect and CyberCIEGE are currently available, but single player
- SecureCom is on its way and is collaborative
- Two experiments are planned to test SecureCom
- SecureCom and games like it can also be used for research