>
SecurityCom:
A multi-player game for researching and teaching information security
teams
Doug
Twitchell, PhD
Illinois
State University
School
of Information Technology
Security
Education and Training
Why?
The
easy part
That00
why we00e here
Integral
to a comprehensive security plan
How?
Not so
easy00/font>
Classroom?
Books?
Certifications?
Apprenticeships?
On-the-job?
Learning
According to Bloom
Bloom:
Lowest/Easiest
is Knowledge
(i.e.,
memorizing, defining, recognizing)
Books/Lectures
Highest/Hardest
is Evaluation
(i.e.,
assess, compare, judge, predict)
Long experience
Middle
is Application
(i.e.,
use, operate, demonstrate)
What we
can hope for in security education
http://officeport.com/edu/blooms.htm
Experiential
Learning According to Kolb
Concrete
Experience
Active
Experimentation
Reflective
Observation
Abstract
Conceptualization
Security
Learning for Teams
Security
function
Usually
involves more than one person
Doesn00
happen in a vacuum
Organizational
constraints
Budgetary
constraints
Security 00/font>
Agility
Decisions
made with others across the organization
Security
00echies00not often prepared for this
Security
may lose out (bias => agility)
Experiential
Learning in Security Education and Training
How to
get to the application level with teams
Demonstrations
Not really
application
Labs
Tutorials
Step-by-step
Assignments
Figure
out parts on your own
Work/Study
and Internships
Best
Sometimes
difficult to get
Uncontrolled
(may not coincide with curriculum goals)
Games!
Games
In Security Education
Advantages
Disadvantages
Controlled
You decide
what they learn and how they learn it
No distracting
outside information
Cause/Effect
demonstrated immediately
Quick
Can be
designed to do in < 1 hour
Part of
a lecture
Cheap
Not much
equipment needed
Familiarity
Younger
students, at least
Motivation
Competition
Use for
Research
Main disadvantage:
Not as
close to 00eal life00as real life is
Not free
Some equipment
required
Design
and setup required
Students
must learn how to use
Games
in Security Education:
CyberProtect
Two games
you might know about
CyberProtect
Defense
Information Systems Agency
Free and
freely distributable
Won awards
Quick/Easy
to use
Single
player
Turn-based
Somewhat
outdated
Demo!
Games
in Security Education:
CyberCIEGE
CyberCIEGE
Naval Postgraduate
School
Free for
some by request
3D!
Simulation
based
Game-building
language
Some pre-built
scenarios
Not as
quick/easy as CyberProtect
Currently
only single-player
But
claims that multi-player is in the works
Demo!
StrikeCom
StrikeCom
Built for
researching interpersonal deception
Used for
teaching Network Centric Warfare
Office
of Force Transformation
Seminars
around the world
National
Defense University (until they were hacked)
Received
great feedback 00students could 00eel00the concepts, and it broke
up the 00eath by PowerPoint00/font>
Multi-player,
collaborative game 00b>Teams!00
Taught
usefulness of shared-situational awareness and alternative communication
channels
Demo!
SecurityCom
Wanted
a game
Quick/Easy
like CyberProtect
Multiplayer/Collaborative
like StrikeCom
Configurable
like CyberCIEGE
Web-based
Easy
to install (web browser only) and administer
Familiar
interface
Built from
ground-up
Ruby on
Rails
AJAX
Demo!
Goals
Use SecureCom
As an experiential
learning tool
Active
Experimentation
Concrete
Experience
Integrated
in to lecture
First concept
Security
in the organization
Security 00/font>
Agility
Players
with differing goals
Need for
trade-offs
We teach
this, but they need to 00eel00it
Testing
SecureCom: Experiment 1
Lecture Only
Lecture +Activity
Teach concepts
Organizational
goals
Conflicts
Trade-offs
Relation
to risk management
Overview
of concepts
Activity
Groups
of three
Come up
with a security plan on paper
Lecture +SecureCom
Overview
of concepts
Play Game
Groups
of three
Secure
the system across 4 rounds
Test learning
outcomes
Pre/Post
test
Survey
Testing
SecureCom Experiment 2
Choose
two concepts
Use CyberProtect,
CyberCIEGE, and SecureCom as teaching aids
Compare
learning outcomes
Bonus:
Security Research Using Games
Games are
useful for research
Research
besides teaching/learning research
Research
using StrikeCom
Deception
Leadership
Controlled
environment
Motivated
subjects
Full interaction
recorded
Bonus:
Security Research Using Games
Planned
research using SecurityCom
Shared-situational
awareness
Network-Centric
Warfare tenet
The ability
for all involved to simultaneously have knowledge of current battlefield
situtation
Security
Planning
Does having
shared-situational awareness help groups who make security decisions
make better decisions?
Network
is the 00attlefield00/font>
Compare
groups with SSA to those with only language-based communication
Conclusion
Security
education is important
Need to
make sure SE results in at least 00pplication00level learning
Use Experiential
learning to accomplish
Games help
complete experiential learning cycle
CyberProtect
and CyberCIEGE are currently available, but single player
SecureCom
is on its way and is collaborative
Two experiments
are planned to test SecureCom
SecureCom
and games like it can also be used for research
Questions?
1
We agree that it is important
We don00 agree on how to do it
2
Last point: Perhaps with some analysis
too
With the limited time that we have
3
Active Experimentation and Concrete
Experience help students 00eel00the concepts being taught
4
5
6
7
8
9
10
11
12
Teaching two security courses where
this can be done
13
14
15
16
17
18
download SecurityCom: A multi-player game for researching and teaching ...
