CTF365 turns Information Security into an Epic Battle through Training Gamification

Training Gamification

Security Training Gamification

I receive tons of emails from around the world regarding gamification, asking me for feedback or share their story. I read all of them and many of them are interesting but because of my 24/7 limited time and full agenda (between my clients, my video show, writing my own content, and writing my book, along with a few startup projects) I’m forced to dig deep only a few projects. ?Few days ago, I received an email from Marius Corici, CEO and Co-founder for the CTF365 startup project, asking me to take a look at what he’s working on it. That, really caught my attention and I started to do a little research.

We live in a digital, connected world and security is one of the most important issues that today’s world confront with. According to Scientific American’s blog, last year there were 20 threats per second world wide which translates into over 1.7 millions threats per day. Don’t believe me? Google “hacked”.

The Gamification Challenge

Security training is generally dull and boring, but essential.

When it comes to learning information security, there are a few ways that people do. Through CS faculties (basics), security training companies (dull) or self taught – Google, forums, blogs (monotonous).

However somebody has to do it because is essential.

Frost & Sullivan predicts global employment of information security professionals to increase by 332,000, ending 2013 at 3.2 million and reaching ~5 millions by 2017. These 5 million we talk are these that get a world wide recognized security certificate. Beside them there are around 25 millions users that regularly check into security, hacking and system administrator forums.

The Gamification Solution

What if we could have a method of security training that is not dull and boring – a method that would be fun, entertaining, challenging and community driven?

We all know the best way to learn is to learn through applications, and that’s where gamification excels at with great results on education and training. Learning information security through gamification would increase students/employee engagement, improve retention rate and speed up the learning curve/process.

I recently wrote a post about the Top 10 Education Gamification Examples that Will Change Our Future. Feel free to take a look.

CTF = Capture the Flag Gamification

Information Security through Gamification is not a brand new concept. In fact it’s been around for a while since the internet started. It is called CTF – Capture The Flag. The DefCon conference has one of the first CTF competitions and you can even check CTF Time to see where a CTF (within the information security industry) will take place. If you dig into CTFs, you’ll find CTFs organized by CS faculties, companies or even governments agencies.

However there are a few problems thatmany CTF competitions have:

• They Don’t last – Nowadays CTFs last between 24 hours up to 3 days only.
• Most have Geographical Limitations – Often times you have to be physically in that room/building.
• They are Scattered – it happens all over the world but they are scattered and short, which means almost all of them are small too.
• They Don’t Count – because of the problems described above, HR departments don’t concern themselves too much to high-achievers in these games.

That’s why the team behind CTF365 decided that it is time to change the way Capture the Flag is designed and held by bringing a brand new approach to push security gamification into a bigger scale:

Game Design of CTF365


The game is team-based which means it will improve and strengthen communication skills as teams are forced to work together under pressure developing critical attributes of any enterprise security team, especially for those like Red Teams, CERT, CSIRT etc.

Teams are from all around the world

There are over 8500 registered users and more than 590 teams waiting for launch.

Basically they’ve built an internet within The Internet. A place where security professionals, security students and security wannabes, system administrators and programmers can play and get continuous training over information security.

How does CTF365 work?

CTF365 is a real life game where “Players” build their own Fortress/VPS (virtual private server) and defend them while attacking other servers. It’s what happened in real life when your server or computer networks are under attack by hackers.

Below are some questions I asked Marius:

Define CTF365 in one sentence.

“World of Warcraft for Hackers.” As a “Player”, the awesome magic moves and fighting techniques will be represented by your ability to write crazy powerful scripts to hack.

How did CTF365 get your initial 8500 registered users before launch?

We do the usual strategies when your marketing budget is close to none:

• Word of Mouth – Very powerful tool. This got us to hit the top on Hacker News and we got over 12,500 unique visits in one day and over 1000 registered users.

• Referral campaigns – Bring 5,10, or 15 Players and get access to the Private Alpha, Private Beta, as well as premium accounts for testing.

• Strategic partnerships – Free access for not-for-profit Information Security Conferences. This helped us to get featured on The Hacker News.

Why do you think CTF365 will catch your target Players’ attention?

I’m not an expert in gamification but looking at your Octalysis Framework I can tell that at the beginning, CTF365 will have 4 Core Drives out of 8:

Epic Meaning & Calling – Learning, Training and Improving Security Skills. As a “Player”, playing CTF365 is like haven for everyone interested in information security starting from security professionals and security wannabe, all the way up to system administrators and developers. They can do and test things that are forbidden like attacking and hacking everyone else system without worries about legality.

Ownership & Possession – They can build their bases from scratch, own virtual goods (e.g. servers, routers, etc.), speedup learning curve and improving retention rate.

Empowerment of Creativity & Feedback – Using different techniques they’ll be able to unlock certain milestone while having real-time control over their servers and receiving instant feedback.

Accomplishment Core – Nothing would make them happy than being in “Hall of Fame” leaderboard, wining prizes while collecting points and badges for their real skills.

What’s your ambition with CTF365 project

There are three goals that we want to achieve:

  1. We want CTF365 to become a prerequisite for the InfoSec industry. A security professional certificate is important, but more important is what you really can do hands on.
  2. Become the World of Warcraft for the ITC industry. Using specific hacking tools is one thing, writing powerful scripts as a programmer is even cooler. Programmers can team up with ethical hackers to boost their teams.
  3. Linkedin on steroids for HR departments when hire security professionals.

Top 10 Gamification Lessons Inspired by South Park

South Park Gamification

The Genius of South Park

So I’ve been aware of South Park for over a decade now, but I wasn’t a fan because I just thought it was just some potty-mouthed kids who cussed a lot and loved gory death scenes. I didn’t even think the kids had different personalities.

However, last year my friends decided to watch a bunch of South Park for after-work relaxations, and I happened to drop in on a few episodes. What I realized, is that once you get pass the potty-mouth cussing and gory scenes (which I still don’t like), all the kids (and parents) have their unique personalities, flaws, insecurities, and moments of strength. It also actually brings a lot of insights to many deep social issues as well as psychological maneuvers that fit perfectly inline with my Gamification Framework Octalysis.

My mission here on the blog is to teach you how to do *good* gamification design, which is beyond just the Points, Badges, and Leaderboards, but ties directly into the 8 Core Drives of Octalysis (which are intrinsic motivations). But of course, it’s difficult to remember all 8 Core Drives, let alone using them in actual design and thinking.

Hence I thought presenting some lessons of gamification through fun episodes of South Park is a good way to learn in a fun way (after all, Education in Gamification is a big field these days).

1. Cartmanland

In this episode, Cartman inherits $1 Millions from his deceased grandmother, and decides to use almost all it to buy a struggling theme park.

Instead of trying to improve its business, Cartman makes a TV commercial to show how fun “Cartmanland” is and emphasizes that no one besides him can enjoy it.

After realizing he needs to hire a security guard to keep people out, he starts to accept one customer a day to pay the security guard. Then he starts to realize that he needs to hire and pay for more things in order to sustain operations, so he started to open it up to 2, 3, 4, 10s, and then hundreds of people everyday.

Since people all saw how they couldn’t get into Cartmanland, when they learned that it is starting to accept more people, they rushed to get in.

Eventually, everyone wanted to go to Cartmanland and it went from a near-bankrupted theme park into one of the most popular ones ever. This is a great example of the Octalysis Core Drive: Scarcity & Impatience (#6), where people want something, just because they can’t have it.

2. You have 0 Friends

This is a pretty straight foward episode regarding the Core Drive #5: Social Pressure & Envy. In this episode regarding Facebook, Stan sees that every one of his friends is using Facebook, and all of them are feeling that they’re not really “friends” unless Stan adds them.

Stan eventually succumbs to the pressure and starts to use his Facebook account. Then his dad and girlfriend all get mad him for not adding them as friends or changing his status to being in a relationship.

On the other hand, Kyle added an unpopular kid who had no friends in school, which resulted everyone else unfriending him due to “bad association.” Unable to stand the social pressure, Kyle finally unfriends the unpopular kid in school, hoping to add back his popularity again.

In this episode, we also see Core Drive: Development & Accomplishment (#2), as everyone tries to keep track of their friend count, with Cartman jumping for joy when he sees that he had more friends than Kyle.

3. Butters’ Bottom Bitch

In this episode, after Butters becomes a customer of a girl who would kiss anyone for $5, he decides to start a “girl kissing business” where he would hire girls around school and kiss other boys for money.

To motivate the girls, Butters introduced an “employee motivation” system, where the girls would earn a sun on a calendar every time they got clients, but if the girls fail to show up to work that day, they would get a stormy cloud.

This, like most badge and leaderboard systems, focuses on Core Drive #2: Development & Accomplishment, Core Drive #5: Social Pressure & Envy, as well as Core Drive #8: Loss & Avoidance.

It works in kindergarten, and it works for pimps.

4. Chinpokomon

Marketing Gamification: Old Spice launches the Game DIKEMBE MUTOMBO’S 4 1/2 WEEKS TO SAVE THE WORLD

New to Gamification? Check out my post What is Gamification & my Gamification Framework: Octalysis

Old Spice Does it Again

(Note: to play the actual game, scroll down until you find the source of the thrillingly annoying music, and then fullscreen it.)

In 2010, Old Spice swept across all media channels with their “Hello Ladies…” campaign. That was shared and spread on every platform possible, and was one of the most common conversation starters during the time (Of course, those conversation starters later moved on into Rebecca Black’s “Friday” and the wonderful Korean dance Gangnam Style).

Old Spice got men here and there to smell good for some time, but men being men, got back to their good old habits of NOT smelling like an adventure, baking gourmet cakes with the kitchens they made with their own hands,  and definitely NOT swan diving.

Old Spice needed to come up with something more epic for the manly men, not just for the women’s men, and so they again put together the smart minds of Wieden+Kennedy Portland to figure out something that would spread like wildfire again.

The WK folks thought….so what do men like? They like basketball, they like to be the hero and save the world, they like random humor….and, they like video games.

Mix Basketball, a World-saving Hero, Random Humor, and Video Games together, and what comes out of the blender is their newest masterpiece: DIKEMBE MUTOMBO’S 4 1/2 WEEKS TO SAVE THE WORLD (yes, it has to be all caps).

Marketing Gamification through a game to save the world

DIKEMBE MUTOMBO’S 4 1/2 WEEKS TO SAVE THE WORLD is a 8-Bit styled game where users control the Basketball Legend Dikimbe Mutombo to prevent the 2012 end of the world (according to the Mayan’s calendar) from happening by accomplishing small quests that eventually leads to carving up more dates on the Mayan calendar so we can delay humanity’s extinction. At least until the day we invent self-combing hair.

Actually, I’m not sure how the small quests have anything to do with carving the Mayan calendar, but those quests are always relevant to the times: from getting people to stop dancing Gangnam Style so they can vote (with the boss fight being the State of Ohio), to getting rid of a fluffy toy called Blurgies while playing It’s Thanksgiving by Nicole Westbrook, a successor of Rebecca Black).

Of course, we don’t know what will happen next because each stage only unlocks one week at a time (explained later).


Below is the analysis of the campaign through my Complete Gamification Framework called Octalysis:

Dikimbe Mutombo Gamification from Old Spice


As you can see, DM4.5WTSTW (this is my new abbreviation) has a strange rocket shape, as it scores incredibly high in Epic Meaning & Calling, Unpredictability & Curiosity, and Scarcity & Impatience, but very low on most others. Because of that, it earns itself an Octalysis score of 260 (which is almost as high as Twitter!) Continue reading Marketing Gamification: Old Spice launches the Game DIKEMBE MUTOMBO’S 4 1/2 WEEKS TO SAVE THE WORLD

Gamification Research: How Diablo III uses Game Mechanics to become Winning & Addicting

New to Gamification? Check out my post What is Gamification & my Gamification Framework: Octalysis

Blizzard Entertainment, a company that knows how to do gaming right (though not perfectly), has hit it big with their latest game Diablo III, launched in May of 2012. Within a week, they already sold 6.3 Million Copies, and as of September 2012, already made it to the Top Selling PC Games of all-time. Its success not only rides on the popularity of its predecessor Diablo II, but also stems from the utilization of a great amount of smart game mechanics to make users engaged and addicted.

This article analyzes the techniques and game mechanics that Diablo III uses to achieve the status of Winning & Addicting.

Basic Game Mechanics

1) High Quality Graphics and Sound

This is required for most games, and Blizzard is one of the best at it. Unfortunately, we won’t be learning too much from this because Gamification only applies to gaming elements that are still there after you strip out all the graphics, sound, action and apply them to professional activities.

2) Leveling Up System

Pretty basic too. Pretty much all RPGs (Role Playing Games) have a leveling up system. When a player kills monsters, he gains Experience, which allows his character to level up and become stronger. A leveling system makes players feel that they are having progress and are improving themselves, even though the tasks they do are very mundane. A sense of improvement and accomplishment is key here.

3) Progression through a storyline

Again, like all RPGs, there is a storyline that makes players want to continue to play and find out what’s next. This is similar to wanting to finish a book or movie. Unfortunately, Diablo III’s storyline isn’t that great, and it makes you play through the same storyline in 4 different levels to beat the game (not to mention “farming” the same area/quests over and over), so this factor is not strong in Diablo. It does, however, get first-timers to want to finish the level 1 difficulty once.

4) Points/Money Accumulation

A solid presentation on Gamification by Sebastian Deterding

New to Gamification? Check out my post What is Gamification & my Gamification Framework: Octalysis

Gamification presentation/research from Sebastian Deterding

I recently stumbled upon some Gamification Research by Sebastian Deterding and I think it is a great piece of work in the industry. It shows a heavy amount of research and utilization of Gamification.
As you know, I have always been saying that Gamification is not really a good word to use (sounds very gimmicky and suggests it is created from games), but it should really be called “Human-Focused Design.”
Sebastian calls it “Gameful Design” which I think is appealing but difficult to gain significant traction.
I strongly recommend going through the entire thing.