Security Training Gamification
I receive tons of emails from around the world regarding gamification, asking me for feedback or share their story. I read all of them and many of them are interesting but because of my 24/7 limited time and full agenda (between my clients, my video show, writing my own content, and writing my book, along with a few startup projects) I’m forced to dig deep only a few projects. ?Few days ago, I received an email from Marius Corici, CEO and Co-founder for the CTF365 startup project, asking me to take a look at what he’s working on it. That, really caught my attention and I started to do a little research.
We live in a digital, connected world and security is one of the most important issues that today’s world confront with. According to Scientific American’s blog, last year there were 20 threats per second world wide which translates into over 1.7 millions threats per day. Don’t believe me? Google “hacked”.
The Gamification Challenge
Security training is generally dull and boring, but essential.
When it comes to learning information security, there are a few ways that people do. Through CS faculties (basics), security training companies (dull) or self taught – Google, forums, blogs (monotonous).
However somebody has to do it because is essential.
Frost & Sullivan predicts global employment of information security professionals to increase by 332,000, ending 2013 at 3.2 million and reaching ~5 millions by 2017. These 5 million we talk are these that get a world wide recognized security certificate. Beside them there are around 25 millions users that regularly check into security, hacking and system administrator forums.
The Gamification Solution
What if we could have a method of security training that is not dull and boring – a method that would be fun, entertaining, challenging and community driven?
We all know the best way to learn is to learn through applications, and that’s where gamification excels at with great results on education and training. Learning information security through gamification would increase students/employee engagement, improve retention rate and speed up the learning curve/process.
I recently wrote a post about the Top 10 Education Gamification Examples that Will Change Our Future. Feel free to take a look.
CTF = Capture the Flag Gamification
Information Security through Gamification is not a brand new concept. In fact it’s been around for a while since the internet started. It is called CTF – Capture The Flag. The DefCon conference has one of the first CTF competitions and you can even check CTF Time to see where a CTF (within the information security industry) will take place. If you dig into CTFs, you’ll find CTFs organized by CS faculties, companies or even governments agencies.
However there are a few problems thatmany CTF competitions have:
• They Don’t last – Nowadays CTFs last between 24 hours up to 3 days only.
• Most have Geographical Limitations – Often times you have to be physically in that room/building.
• They are Scattered – it happens all over the world but they are scattered and short, which means almost all of them are small too.
• They Don’t Count – because of the problems described above, HR departments don’t concern themselves too much to high-achievers in these games.
That’s why the team behind CTF365 decided that it is time to change the way Capture the Flag is designed and held by bringing a brand new approach to push security gamification into a bigger scale:
Game Design of CTF365
The game is team-based which means it will improve and strengthen communication skills as teams are forced to work together under pressure developing critical attributes of any enterprise security team, especially for those like Red Teams, CERT, CSIRT etc.
Teams are from all around the world
There are over 8500 registered users and more than 590 teams waiting for launch.
Basically they’ve built an internet within The Internet. A place where security professionals, security students and security wannabes, system administrators and programmers can play and get continuous training over information security.
How does CTF365 work?
CTF365 is a real life game where “Players” build their own Fortress/VPS (virtual private server) and defend them while attacking other servers. It’s what happened in real life when your server or computer networks are under attack by hackers.
Below are some questions I asked Marius:
Define CTF365 in one sentence.
“World of Warcraft for Hackers.” As a “Player”, the awesome magic moves and fighting techniques will be represented by your ability to write crazy powerful scripts to hack.
How did CTF365 get your initial 8500 registered users before launch?
We do the usual strategies when your marketing budget is close to none:
• Word of Mouth – Very powerful tool. This got us to hit the top on Hacker News and we got over 12,500 unique visits in one day and over 1000 registered users.
• Referral campaigns – Bring 5,10, or 15 Players and get access to the Private Alpha, Private Beta, as well as premium accounts for testing.
• Strategic partnerships – Free access for not-for-profit Information Security Conferences. This helped us to get featured on The Hacker News.
Why do you think CTF365 will catch your target Players’ attention?
I’m not an expert in gamification but looking at your Octalysis Framework I can tell that at the beginning, CTF365 will have 4 Core Drives out of 8:
Epic Meaning & Calling – Learning, Training and Improving Security Skills. As a “Player”, playing CTF365 is like haven for everyone interested in information security starting from security professionals and security wannabe, all the way up to system administrators and developers. They can do and test things that are forbidden like attacking and hacking everyone else system without worries about legality.
Ownership & Possession – They can build their bases from scratch, own virtual goods (e.g. servers, routers, etc.), speedup learning curve and improving retention rate.
Empowerment of Creativity & Feedback – Using different techniques they’ll be able to unlock certain milestone while having real-time control over their servers and receiving instant feedback.
Accomplishment Core – Nothing would make them happy than being in “Hall of Fame” leaderboard, wining prizes while collecting points and badges for their real skills.
What’s your ambition with CTF365 project
There are three goals that we want to achieve:
- We want CTF365 to become a prerequisite for the InfoSec industry. A security professional certificate is important, but more important is what you really can do hands on.
- Become the World of Warcraft for the ITC industry. Using specific hacking tools is one thing, writing powerful scripts as a programmer is even cooler. Programmers can team up with ethical hackers to boost their teams.
- Linkedin on steroids for HR departments when hire security professionals.