Let’s recap October. Cyber Security Awareness Month. For a cyber awareness enthusiast, it is hard to conceal the excitement that comes with a full month of initiatives in all shapes and sizes, built around a genuine and strong effort to help keep companies and their people “safe online”. At NVISO too, the buzz is tangible, and everyone is eager to know what great projects we will be launching for this year’s Cyber Security Awareness Month. We’re lucky enough to have a client who was willing to go the extra mile and allowed us to let our imagination run wild. And that is exactly what we did.
Let’s make it: “a game”
Our assignment was simple, yet challenging:
- Define a scenario that fits a “Security at Home” context, where we connect our security tips to a “working from home” context
- Make something fun out of the everyday security challenges we face in our day-to-day life at home. Basically, challenges that should be familiar to any player: the main goal is not to teach something new, but to reinforce existing awareness.
- Set up a digital experience that allowed people working remotely to collaborate smoothly in a team, and to compete against each other in teams.
Gamification being all the rage, there are quite a few options out there, some of which we’ve tested and used for projects in the past. Think online cyber escape games (even a full-size escape truck), scavenger hunts, online quizzes, e-learnings, … You name it. However, none of these fully fit the brief.
A match made in…
Inspired by the CSCBE 2021 event, successfully hosted remotely through the use of Gather.town, we came up with the idea of creating our own game and dedicated space. An all-in-one solution which is fully customizable and which allows for direct audio and video communication between hosts, players and teams. A match made in cyber awareness heaven? Or too good to be true? Let’s dive into the details.
As a concept we opted for the well-known format of a classic Crime Scene Investigation (CSI) game, which has proven to be a successful basis for many legendary series and video games. We came up with a cyber-related crime that could fit into the personal and social environment of your average neighbour and created a whole world around it. By world we mean: a location, a family (and pet), a social life, pieces of evidence and of course many irrelevant objects to create some noise ;-). All elements of this fictional world are linked to clearly defined (not so fictional) cyber security topics and lessons.
“The Harris’s family apartment gets robbed in the middle of the night without them noticing.
This is strange, since their newly installed connected alarm system was active and signalled “all clear” when they woke up that morning. The whole family is a bit shaken, and no-one can really explain what happened…
Turns out their alarm system has been compromised and was turned off to ensure the burglar had easy access.”
Teams signing up for the game are asked to investigate the crime, in order to answer the main question: “how did it happen?”. Additional questions are asked in the ‘investigation report’ to distinguish between top teams and to allow the game to be a real competition with final scores and a leaderboard.
Connecting the dots: tips to create an attractive and usable Gather.town virtual world
To allow this concept to work in practice, we needed a strong and stable platform that would deliver on both connectivity and experience. That’s where Gather.town comes into play.
Disclaimer: we don’t have any particular business relationship with Gather.town. It’s just that we’ve tested a few platforms, and really liked that particular one.
Designing an attractive map
Gather.town consists of a map filled with interactive objects; your avatar moves around the map and interacts with those objects.
First, we needed to create a map that would fulfil our scenario requirements while also being intuitive to walk on for non-gamers. Instead of designing everything from scratch, we used tile sets from the well-known RPG Maker series and adapted them so they could be easily manipulated in an open-source map editing tool called Tiled. Using this tool, we were able to divide the map into two layers, the foreground and the background. This allowed for a more realistic way of moving around the room by giving the players a perception of depth.
We decided to go for a square and compact room so that people do not get lost easily, and so that everyone could hear each other even from the other side of the map. However, the sky is basically the limit here. Endless options to go crazy. It is important to note, though, that these configuration details really do affect the overall user experience and should therefore not be left to chance.
Have the players check out the content of a computer, in the map
As the Gather.town platform is still under development, the number of features available was limited compared to our ambitious game scenario. To increase the range of possible interactive objects, we decided to embed a home-made web application, shown as an iframe in the game. This could then be presented as the content of a computer – for example, the social media profile of a family member, their e-mail inbox, or some Twitter post.
To touch upon the topic of phishing, we created an e-mail inbox (cf. screenshot below) with four emails that may or may not be phishing attempts. We decided to go with all legitimate emails, and for each of them an additional piece of evidence was added somewhere in the room. Participants still needed to look for red flags in the emails, but would find justifications for each email during their investigation.
Another example is a social media account (and privacy settings page) we created for one of the family members to introduce the topic of social engineering. Participants would need to make the link between this profile and the testimonials to understand how the burglar used that technique to commit their crime.
To balance costs and effort, we decided to go for a frontend-only application, simply hosted in an AWS S3 bucket. The application was made using Vue.JS along with Buefy so that we would not have to worry about the design either.
Each interactive item corresponds to a different path in the URL. Having a frontend-only application did not prevent us from building interactive items. Indeed, we implemented a fake login screen which validates the credentials directly in the frontend. As the players have limited time to complete the investigation, it is unlikely they will search for the solution in the source code, so we considered we could afford the risk of cheating. In general, however, let’s not consider this a good practice for validating passwords! 😉
Collecting & processing responses
To capture the answers submitted through the investigation report, we used Microsoft Forms (we could not use our web application for this, as it is frontend-only). The great thing about using Microsoft 365 tools is that they allowed us to process the input through a Microsoft Power Automate flow. That way we could already pre-calculate some of the scoring and redirect the output to make it easier for the host to preview.
Additionally, we aimed at providing a leaderboard in real time and giving the players their result right after they finish the game, for the ultimate game/competition experience. It was a challenge to instantly give the overall score for 11 questions, all having different weights, some even having a negative score. To ease our task, we went for Microsoft SharePoint Lists. They are similar to Excel sheets, but more user-friendly as the formatting can be customized and the output is really visual.
Having implemented the above, our game was ready to be played!
As for any online security awareness campaign, there are inherent challenges that we tried to overcome by being as prepared as possible, on our side as well as on the client’s side.
Reaching a broad audience
Let’s get things straight. Gamification is hot. However, don’t expect people to sign up just because it’s a game you’re offering. Add some “online fatigue” to the mix and you have a real challenge at hand.
Therefore, it is best not to leave things to chance. From what we have experienced, the following points are important:
- Investing time in a proper communication plan and clearly explaining the goal of the exercise (by the way, planning for Cyber Month 2022 starts now!). Also showing the platform: a cool set-up, e.g. with a small video walkthrough, will attract attention! Word-of-mouth advertising can spark the interest of a colleague. Capturing testimonials from happy early joiners and sharing them with everyone can help too.
- Adding a bit of competition by using leaderboards can also motivate people to play your game. A small prize and big recognition for the winners always make for effective communication material.
Testing, testing, testing
From the scenario itself to the most technical parts, such as the accessibility of the material or the software used for communicating, testing is crucial. Each issue you encounter early on is one that will not surface during the actual game sessions.
How we performed the testing phase:
- We went for three distinct dry runs, with people from different backgrounds and skills, different teams, and with different computers 😊. Not everyone is used to collaboration tools and games, and dry runs enabled us to identify confusing items and rework them.
- We had multiple people in our team running the game, sometimes at the same moment, so we needed them to operate with a certain degree of autonomy and to know how to handle every potential error. We thus thought about the most plausible failure scenarios and prepared a plan B for each of these cases. Documenting those fallback procedures is essential to ensure issues can be tackled rapidly when in the midst of the action.
At the end of the day, the CSI concept and the use of Gather.town as a dedicated space really lived up to our expectations. Participants had fun creating avatars and indicated they had a great time while reinforcing knowledge on Cyber Security Awareness topics they might have come across in the past… If this is setting the bar for next year, we cannot wait to see what Cyber Security Awareness Month has in store for us!
About the authors
Sophie Madessis is a member of the NVISO Labs team, involved in various R&D tasks to support other teams on cyber security related projects. Along with performing security assessments, she likes spending time on automating processes using Power Automate and other Microsoft tools. You can find Sophie on LinkedIn.
Hannelore Goffin is a senior consultant within the Cyber Strategy team at NVISO, where she is passionate about raising awareness on all cyber-related topics, in both the professional and the personal context. Next to awareness, Hannelore focuses on third-party risk management. You can find Hannelore on LinkedIn.
You can follow NVISO Labs on Twitter to stay up to date on all our future research and publications.