Can incident response be fun?

April 14, 2020 | Kim Crawley

This blog was written by an independent guest blogger.

Cyber attacks are unfortunately inevitable. It’s important to harden your networks as much as possible. But your organization must also be prepared for incident response. Effective incident response involves an awareness of various cyber risks and threats, having a plan to respond to the various ways they manifest, and having a team that can think quickly on their feet when they actually occur. Sadly, many of the people in the cybersecurity industry who I speak with regularly tell me that many organizations aren’t ready for cyber incidents.

Sometimes it takes a lot of caffeine and willpower for me to do my work. But I never need an excuse to play games. I’ll impulsively play a game on my phone while I’m on the subway. I unwind on my couch at home to play video games to relax. And when friends come to visit, I can’t wait to set up a good old fashioned board game. Games have a natural appeal to human nature.

If you’ve heard of the word gamification before, you know that games don’t have to only be for entertainment. New York University’s Adam Penenberg studies gamification (turning learning or doing work into a game). He writes:

“Turns out, gamification works great on students. And apparently employees like it just as much. Companies that train large volumes of staff are rushing to use games, in a variety of forms. The goal is the same: turn a boring, repetitive and difficult series of tasks into an enjoyable, interesting activity that gets better results. Games provide intrinsic motivation—that is, people play them because they want to—as opposed to bribing someone with a raise (an extrinsic motivation).”

So what if gamification can prepare IT professionals to improve their incident response? Well, cybersecurity people are a bunch of nerds. And everyone knows nerds love tabletop roleplaying games like Dungeons and Dragons.

CISO Michael Ball had an epiphany. He decided to turn incident response into a tabletop roleplaying game. His game is called Breach the Keep. I asked him what inspired him to invent the game.

“I've done tons of executive training, both as the executive being trained, and as the trainer.

Boring scripts, little engagement. No real team building. The CSIRT (computer security incident response team) has to be a team. Not just a group you pull together in an emergency!

They have to know one another's roles, and how to communicate with each other and the corporate stakeholders before the chaos of a breach. None of the training I've seen to date engages the executives to develop the camaraderie of a team.”

Roleplaying games are all about using your imagination, and they’re often set in a high fantasy setting. Breach the Keep is no exception. As the datasheet describes:

“We will take you back in time into the realms of medieval and have a little fun with our version of Dungeons and Dragons. Through multiple scenarios we can help enhance your company’s team building abilities, identify gaps within the team and improve real world incident response time.

Although the game is designed to imply information security type scenarios, we are going to use our imaginations and move the entire group back 400 years into the past. Instead of datacenters, we're protecting the castle’s keep.”

Ball describes the roles in the game. “The CEO is the King or Queen. The CIO is Commander in Arms. CISO is the Mage or Vizier. HR (human resources department) is Chancellor. Corp Comms is the Town Crier. Network Admins are Cavalry, and Security Analysts are Knights.”

The datasheet explains some of the basics of the game.

“Players will be given 5-10 minutes to become familiar with their role and where they position in the chain of command. In this time, players can strategize their tactics with their team as to how they can most effectively communicate in a timely manner, as real-world cyberattacks must be acted upon quickly.

The team will face a number of scenarios and challenges. Every time a new attack happens, the team must work together and make decisions based on these questions. Who is in charge? Who is taking notes? What are the current risks? Who should we notify? What should we do next?”

I asked Ball how he intends to market his game.

“We’ve run several sessions in both public and private sector and have recently started collaborating with cybersecurity product vendors to help get the message out. We are currently looking for Consulting partners to help promote Breach the Keep into the enterprise marketspace.”

If you’re interested in providing Breach the Keep to your organization, check out the official website for more information.

Having the right mindset and being able to work in a team can make all the difference when it comes to incident response. Practice can help to re-wire your brain so what was once overwhelming can become instinct. When it comes to responding to incidents like data breaches and ransomware, minutes can make all the difference. So you must think quickly on your feet!

Security professionals can train themselves to better handle incident response and have fun simultaneously. Looks like a win-win if you ask me.

About the Author: Kim Crawley, Guest Blogger

Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
