• Save
Gamification and Security Oct2012
Upcoming SlideShare
Loading in...5
×
 

Gamification and Security Oct2012

on

  • 123 views

A talk I gave looking at some ideas for applying gamification ideas to cybersecurity.

A talk I gave looking at some ideas for applying gamification ideas to cybersecurity.

Statistics

Views

Total Views
123
Slideshare-icon Views on SlideShare
123
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Picture from http://carolineasmussen.com/the-fun-theory/piano-staircase/
  • Wii Fit
  • FitBit and PedometerTurns an existing activity into a game
  • Foursquare achievementsAlso turns an existing activity into a game, but also gives specific goals to achieve
  • Some achievements are actually built into a game (and have points).Other achievements are ones that you can show off to others, e.g. rare items or rare mountsIn this case, Blizzard also turned this desire to show off into a business model, selling virtual items for real money (this is a picture of the Celestial Steed)
  • http://gamestudies.org/1101/articles/jakobssonSome people get really obsessed with achievements
  • http://www.geekwire.com/2012/coding-fun-microsofts-visual-studio-badges-leaderboard/
  • Note that “paying people” is not here for extrinsic, as one of the mainpoints of gamification is to avoid paying peopleExamples of publicly visible forms of reputation and rank: leaderboards, badgesOther extrinsic motivators: currency
  • People seem split about look and feel of Phil, so in our other training, we went for more corporate look
  • http://cisr.nps.edu/cyberciege/
  • Lindqvist et al, I'm the Mayor of My House: Examining Why People Use foursquareBentley et al, Drawing the City: Differing Perceptions of the Urban Environment
  • http://www.weightymatters.ca/2010/02/bad-news-for-wii-fit-curing-childhood.htmlhttp://well.blogs.nytimes.com/2010/12/01/phys-ed-why-wii-fit-is-best-for-grandparents/?src=twt&twt=taraparkerpope

Gamification and Security Oct2012 Gamification and Security Oct2012 Presentation Transcript

  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Gamification and Security Jason Hong, PhD CTO and Co-Founder Wombat Security Technologies
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Today’s Topics • Non-Security Examples of Gamification – Give examples of diversity and range of ideas – Step back, talk about core ideas and mechanisms • Gamification for Security • Effectiveness of Gamification
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Lots of Examples of Gamification
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Directly Turning Activity into a Game • http://www.thefuntheory.com/
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Directly Turning Activity into a Game
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Directly Turning Activity into a Game
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Indirectly Making Things into a Game
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Indirectly Making Things into a Game
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. World of Warcraft Achievements
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Extreme Lengths for Achievements • Car mechanic needed to add 40 more hours to the 50 he had already spent playing Perfect Dark Zero to earn the last achievements
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Coding Achievements in Visual Studio • Fun achievements – Lonely: Coding on Fri or Sat night – Potty Mouth: use five different curse words • Highlight “hidden” features – Extensions Junkie: install 5 extensions – Casual Observer: use debugging features – Cheater: use IntelliTrace Menu 10x
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Why Gamification? • Increased stickiness – Loyalty cards • Opening up possibilities, setting goals – Beer passport, Visual Studio achievements • Make boring activities fun – Piano stairs, FitBit, pedometer • Increased revenues – WoW for-pay steeds (showing off)
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. What Motivates People? • Social utility – Reciprocity – Identification with group – Altruism • External personal value – Reinforcement – Pay – Privilege – Reputation • Intrinsic value of task – Fun – Curiosity – Challenge
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Motivations and Gamification • Extrinsic – Publicly visible forms of reputation, rank – Prestige within a community – Privilege (special access, early access) • Intrinsic – Fun (make a boring activity fun) – Challenge (set high goals for oneself) • Social – Fun, chatting and socializing with others
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Example: . • Goal: Get mobility data from people, get people to go to cafés / stores / etc • Extrinsic – Publicly visible achievements – Points for going to unusual places – Discounts if mayor (sometimes) • Intrinsic – Makes going to places more fun – Learn more places in city
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Example: Visual Studio • Goal: Get people to learn more about and use features in Visual Studio • Extrinsic – Points (note that some fun ones offer 0 points, to disincentivize stupidity) • Intrinsic – Funny achievements – Joy of unexpected achievements
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Today’s Topics • Non-Security Examples of Gamification • Gamification for Security • Effectiveness of Gamification
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Directly Gamifying Security • Direct – Anti-Phishing Phil – Security Training Platform – CyberCIEGE – Shostack's Elevation of Privilege Game • Indirect – ???
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Micro-Games for Cyber Security • Training doesn’t have to be long & boring • Micro game format, play for short time • Two-thirds of Americans played a video game in past six months • Not just young people – Average game player 35 years old – 25% of people over 50 play games • Not just males – 40% of casual gamers women
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Wombat’s Security Training Platform
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. CyberCIEGE • Users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack • Free for US gov and educational, eval copy for other orgs
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Elevation of Privilege • Get your developers to think more about threat modeling – Spoofing – Tampering – Repudiation – Information Disclosure – Denial of Service • http://www.microsoft.com/security/sdl/adopt/eop.aspx
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Indirectly Gamifying Security • Not much work done here – Also not clear to me what a good angle of attack is • Turn security into a meta-game – Ex. Achievements for completing training? – Ex. Points for doing ongoing training (perhaps link with ability to spend points)? – Ex. Limit how far individuals can go (require social or group effort, similar to Farmville)? – Ex. Competition between groups in an org
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Effects of Gamification? • Phil, very good results with just 15 min of play – Over 100k people playing it in first month – Marked improvement (4517 people selected)
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Effects of Gamification? • In our studies of foursquare, major reasons for using it (in rough order of strength) – Badges and Fun – Social connection – Place discovery – Keeping track of places – A game you can play by yourself • Other research found people who check-in more correlated with more knowledge of city
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Effects of Gamification • Gamification not a panacea – Wii Fit found to be fun but not effective for family fitness (Scott Owens) – “Several recent studies have found that young people often grow bored with exergaming. Three months into a recent six-month study of the effects of a dance game, for instance, only 2 of the 21 children participating were still using the game at least twice a week.” (NYTimes) – “But there may be another, unexpected group for whom exergaming might be extremely beneficial: grandparents.”
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Summary • Lots of real-world examples of gamification – Directly turning something into a game – Indirectly offering game-like mechanisms • Motivations – Intrinsic, extrinsic, social • Gamification for security – A few examples, still in early stages – Not entirely clear yet what does and doesn’t work
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. Extras
  • © Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc.© Wombat Security Technologies, Inc. All rights reserved. Wombat Security Technologies name, logo, PhishPatrol® and PhishGuru® are all trademarks of Wombat Security Technologies, Inc. MySecureCyberspace