The importance of cybersecurity awareness training should be value with the joyful whoops of winning, not the eyerolls of forced education. Simultaneously, cybersecurity Awareness Month doesn’t come with parades, even though it should. To celebrate, bring your work teams together to play an RPG where everyone learns the vocabulary of cybersecurity as well as the different actions that protect and harm systems.
With that said, cybersecurity awareness training is only one part of an agile compliance program. Join CEO Ken Lynch at ISACA to learn how you win the security game by using compliance to defend your systems.
Make Your Own Cybersecurity Awareness Training Roleplaying Game
RPGs offer an excellent opportunity for ongoing cybersecurity awareness training because your employees need to spend only a few minutes to take their turn before going back to work.
RPGs have been shown to help foster empathy. Think about how often you get frustrated because people assume that all you need to do is update software. You want your employees to understand your job better? Turn them into fictional CISOs and CIOs.
Create the Cybersecurity Story
To create a successful cybersecurity awareness training RPG, a pen-and-paper storyline works best. You can either have employees take turns once a day using email or have small groups sit together for an hour of training.
In your story, a CISO or CIO tries to protect the systems as hackers try to access a victim’s computer, leading a response team to help limit the breach’s repercussions. Essentially, you’re showing the life cycle of a breach while giving people roles that help them learn how everyone’s actions interact.
Create Your Characters
For ease of action, a cast of four characters makes sense.
- CISO/CIO: Sets risk, policies, and goals
- Hacker: Actively tries to break into systems to steal information
- Response Team: Not only follows response protocols after hacker gets information but also helps protect information
- Victim: Is the point of entry for the hacker
Create skill categories to help define the different character roles. In terms of cybersecurity awareness training, four fundamental skills overlap the different roles.
- CISO/CIO: Observation 7, Technical Ability 8, Caution 10, Knowledge 8
- Hacker: Observation 7, Technical Ability 10, Caution 5, Knowledge 8
- Response Team: Observation 7, Technical Ability 10, Caution 6, Knowledge 8
- Victim: Observation 5, Technical Ability 3, Caution 8, Knowledge 6
All characters should start out with the same level of health. Every time the hacker gets closer to the systems, the CISO/CIO, Response Team, and Victim lose health points. Every time one of those characters protects the security of the systems, the hacker loses health points.
Acting the Roles
For a short game like this, you want to have each party act according to an easy mechanic. The easiest option would be to assign “dice rolls” to each activity. In other words, if the victim receives a phishing email, you could say, “Notices email is fake if roll is 5 or above.” The best part is that the dice rolls can be done using virtual dice.
Once you’ve created your characters and given them abilities, you can incorporate additional bonuses to make events more or less likely.
- CISO/CIO: Patched vulnerability in time
- Hacker: Found 0 Day vulnerability in website’s form
- Victims: Noticed phishing email and reported it
- Response Team: Informed affected parties within 48 hours
How to Level Up
The different skill rates align with how the characters fit into the overall cybersecurity world. As the game continues, however, different roles can “level up.” As a victim learns new cybersecurity knowledge, for example, they gain skill points that strengthen the character.
For greatest playability, employees skills lessen the number needed to complete the action. For example, noticing the email takes a roll of 5 or better. However, taking a cybersecurity class can level up their Knowledge to a 7, meaning they are better at detecting things. With this new skill, the employee now can notice a fake email with a roll of 4 or better, making it easier for them to catch the phishing email.
- CISO/CIO: Organizes SOC team, Purchases GRC automation tool, Establishes risk profile appropriately
- Hacker: Finds vulnerability in form field (SQL injection), Creates realistic phishing email, Places malicious code in a PDF downloadable file
- Response team: Attends training on response protocols, Gathers evidence needed to respond to event, Regularly analyzes network traffic for signs of external attack
- Victim: Takes cybersecurity course, Incorporates a strong password for access, Learns to recognize phishing emails
As the characters go through the story, they can choose to do certain things. So, for example, a Victim may have to choose between a cybersecurity class and being late to a lunch date. If the player chooses the lunch date, they don’t get the level up skill. If they choose the class, they do.
Alternatively, players could roll die to earn skills. “You show up to your cybersecurity class. Roll a 5 or higher to pass.”
If you want to reinforce good decisions, basing skills progress on choices is a better mechanic.
How to Attack and Protect Your Systems
If you’re trying to make this fun as well as educational, you need to create specific events and show how they lead to the security breaches.
Examples of Attacks
- CISO/CIO: Hires White Hat hackers to do penetration testing, Passes SOC 1 Audit
- Hacker: Adds extra tools to their arsenal, Looks at endpoint for vulnerability
- Response Team: Conducts security awareness training, Documents controls
- Victim: Contacts manager if they feel something is off, Sets up strong password
Examples of Defenses
- CISO/CIO: Backs up data, Encrypts data
- Hacker: Uses VPN to hide,Uses Tor browser to hide
- Response Team: Uses a central authentication system, Enforces mobile device management system
- Victim: Protects passwords, Uses pop up blocker to protect against malvertisements
By creating attacks and defenses in the game, your employees will learn how to react to attacks and how they can prevent them.
How to Heal Your Systems
Ultimately, you want to be able to keep hackers from winning the game. To do this, you need to set up a mechanic that offers “healing” should an attack occur.
- CISO/CIO: Hires a third-party threat analyst, Updates all systems
- Hacker: Uses public WiFi to hide from detection, Uses supply chain attack to hide
- Response Team: Reviews state and federal laws about communication timing, Answers questions in timely manner
- Victim: Changes passwords, Stops using work internet for non-business activities
Being able to heal your systems helps your players learn better practices. This not only shows them what they can do if something happens but also helps them better understand how to engage in safe activities overall.
Of course, training requires tracking information, and that means organizing yourself across multiple departments. To see how automation can help you celebrate Cybersecurity Awareness Month, book a demo with our GRC experts.