
Game Theory & Its Applications Across Cyber Security by Ryan Rutan

BSides Cheltenham · 2022 · 23:34 · 716 views · Published 2022-07
About this talk
Ryan Rutan explores how game theory and gamification principles apply to cybersecurity operations, from red-team engagement to incident response. The talk covers designing sustainable games that motivate security professionals through reputation, recognition, and community, with practical frameworks for measuring outcomes and scaling gamification across organizations.
Transcript [en]

So, all right, so here's the thing: game theory is a very broad topic, it can be very dense. I'm going to try to do something in 20 minutes, and I talk relatively fast, so I'm going to try to slow down and get a lot of information in. Let's see which one of these sites works. So, really quick, my name is Ryan Rutan, I'm with Synack. I'm the senior director of community there, which means I get the privilege of running the Synack Red Team. We use gamification constantly on our platform, and this is something that I do quite a bit. Some background for me: red team director for the last three years,

community, developer relations and enterprise games for the last 13 years; I was a developer, API specialist, integration architect; and for the last 20 years, hacker, maker and author. So I live and breathe technology, I love talking about technology. I see a lot of familiar faces here I've met today; hopefully we'll have something interesting for you guys to learn. Really quick, talking about game theory: like I said, it's very dense, you can have a lot of academics that go really deep on it. The one definition that I really like, that I think is really easy to kind of grok, is the study of mathematical models for negotiation, conflict and cooperation. The way I like to visualize this is that game theory is

about taking these different graphs, putting them on a grid and looking at where they intersect, and where those intersection points are. Game theory is about moving those in the way where you want them to live for negotiation, cooperation and conflict, and moving those intersection points appropriately. For gamification, on my end, the thing that I find that's very valuable for hackers is I actually see gamification as almost like an information disclosure. It's the house tipping their hand, saying, hey, this is what's valuable to me: I'm giving you money, I'm giving you points, I'm giving you prizes. It's telling you what they want you to do, and it's up to you to determine, is it what you want to do?

And so for me this is really cool, because if you look at modern games, no one ever goes like, back in my day... yes, I said that, I'm, you know, kind of old, but at the end of the day you used to have a book: how to read a game, how to do something, right? You read the book and that's how you did it. Today it's in-app tutorials; it's a game that shows you, oh, congratulations, you did that, here's some stuff, keep doing it, right? Those principles are a TL;DR of how to use the system, how to use something. So gamification can actually be a really good insight into the background mindset of the people who are running these

applications. So I would honestly say don't discard it as something kind of trivial. In about the 2010s I think the industry lost its mind and said, hey, we're gonna put badges in everything, collect badges, oh my god, everything has a badge, and it was ridiculous. Badges are good; they are a tactic; they are not gamification by themselves. The reason why I say that is because the number one thing you need to do when you do gamification is to know your audience. A lot of people said, I'm gonna go and grab gamification off the shelf, drop it in, and everything's good. Badges work for some people; they don't work for all

people. In terms of knowing your audience, I put some motivators down here I wanted to kind of throw out real fast. I'm focusing on the red side right now, since that's kind of what I do in my day job. Financial: you would think that it's the best motivator out there, right? I mean, who doesn't like money? But from a gamification perspective you need to make sure that your goal is to make a game that scales, and money is actually one of the most volatile motivators that you can have, specifically because when you do money, one, when you're doing gamification you have to get money to create these programs, and that's really hard to

justify. So it's actually like a one-to-one thing; you want to find a more diluted motivator. The other reason why it's difficult is because as a player, I expect that if I start off at a dollar and I become really good on your platform, I expect two dollars for that expertise. As a business, if I put a dollar at the beginning, what do I expect in terms of economies of scale? I expect that dollar to go to 50 cents, and as those lines diverge, that's where gamification comes in. You have to find other motivators that work with the community and with the players to make up that difference, so that those lines are more congruent

for longer, to make it so people stay sustained in the game. Other things that I have down here at the bottom are all things that are kind of emotional, but they're things that I feel are very innate to the hacker culture, and so I wanted to point those out. Reputation and recognition: people want to be acknowledged for good work that they do; don't undercut that. Joy and passion: I mean, I hope I'm in a room of fellow people where, when you see like a binary string, you're like, what the heck does that say, I want to decrypt it, I want to know what's going on, I really enjoy technology. Curiosity, education: like accepting the

challenge, knowing that you want to do something more, that's something you can use to motivate somebody, giving them an opportunity to learn something that they haven't done before. Sense of duty also is a great one. The one at the bottom was something I really like: the concept of going from a number to a name, like becoming personal, and understanding that the game understands me and that it can help elevate my status. But what's cool about all this is that, so this is all the red team stuff, it's the same for the blue team though. Gamification applies to the person, not necessarily the domain. So all these different motivators that you

have also work for the blue side as well, and it's important because when we start talking about downstream, or talk about the practical, like SOC gamification, it's the ability to create cross-pollinated games where you can have blue and red and purple and have all these games intermingle, ultimately creating a stronger security posture for your company. Now, the thing I will say in terms of the best-practice tip I can give you for this is you do not want to go all in on one type of motivator. You want to diversify. Like I said, your goal is to try to make those lines more congruent, and you can't

overload something. If you look at sense of duty, right, you might be able to tap that once, tap it twice, tap it three times and they're happy, but then after a fourth time they get burned out; there's only so much you can do. You need to kind of diversify things up a bit, so tap into the education, or tap into the money, tap into passion; find different ways that you can motivate people to get them to do the thing that you need them to do. And since we're near GCHQ, if you don't want to remember my framework: MICE, for those in the audience who know what it is,

money, ideology, compromise, ego, that's basically what I'm talking about. So some of the things that we do for the Synack Red Team, I want to try to do this really quick, only because I want to help you understand the things that we have in our red team. We have three main personas that we do for games. We have the Hunter, which is the bug bounty hunter, the person that wants to kind of do active engagement, involved hunting. Specialist, which is a person who has a very specific set of skills that may or may not be used on a regular basis, but the ability to tap into them when needed. And then the most

recent one we have is Mentor, which I've talked to a lot of you about today. All three of those personas live in our community and they all play in the game, and they have a mechanism for being recognized and rewarded and creating their own paths to success. The main thing that we do, which I would consider garden-variety, kind of basic, that you need to do, is have an element of a point system. Anyone been to a VR video arcade where you put a dollar in and you get a certain number of tokens back that have no monetary value except in that arcade? That is basically what you're doing: you're trying to decouple their actions and put it into a

term that's really easy to say: oh, I need points. I don't want to think about what I need to do to get those points, but I just need to create that economy, which is really important. Having leaderboards, having things like reputation levels, like, you know, where are you trending, how have you been over the last 12 months; those are all things that keep you active and engaged, like, oh, I don't want to lose my level, oh, I want to know where I am, am I better, am I worse, do I need to, you know, step it up, or can I kind of pump the brakes? Those are kind of garden-variety things. The thing that

I think that we do that is really fun is around our recognition programs, and what's important about them is that it allows people to have clear paths to success. I just got a thousand points; is that good? I don't know. But if we go out and say, hey, you know what, 10,000 points a year, that's really great, that's a way that you can kind of become recognized, become a top researcher with us and earn some accolades and earn recognition, that helps them understand: well, okay, a thousand points, I'm on the way but I'm not quite there yet; it means I need to go a little bit further.

The other piece of that is that we actually use nested programs. So there's the thing called the sunk cost fallacy, which is actually the notion of, I've already invested this much time, what's just a little bit more? It pairs well with the notion that people have a hard time setting long-term goals. In our nested programs we have monthly, annual and lifetime. So lifetime goals are things that we set as very thematic goals. Our goal in the Synack Red Team is to try to address the talent gap: we want our researchers working on as many organizations as possible, so that we can hopefully get that talent to affect as many companies

as possible and try to close that gap the best that we can. So we set that as a big thematic goal in our lifetime achievement: working on 250 targets, working across 100 organizations, 1,500 vulns lifetime. Things like that are really hard to grok when you're getting started, but if you work back and say, oh, on an annual basis, right, we'll give you a hacker throne or a customized hoodie or stuff like that, and all you have to do is earn 15,000 points, right, they can see those goals, and it's an annual way, and the annual is kind of a build-up to the lifetime. And then we have a monthly one. The monthly one is like, well, how much is

ten thousand points, can I do it? I'm not sure if I can. Here's a monthly competition that gives you a sample size of, like, hey, I earned seven hundred points this month; seven hundred times twelve, oh, that's eighty, uh, yeah, it's eighty-four hundred, so I had to double-check that real quick. But again, it helps them understand, like, well, if I want to hit that goal I've got to step it up a little bit, or if I'm over it I can back it off, and it helps set the expectation so that they get a sense to play the game on a more regular basis. One of the things that I've talked a lot

about today is the notion that in our community we've been pivoting over the last two to three years around getting away from competitive and going to more cooperative, in the sense that we're seeing a lot of embracing in the community around researchers helping each other become better, you know, making it so we can all have better skills. And so our community is starting to pivot a lot of our game and game theory applications around getting researchers to do team-based objectives and achieve those goals, and as a result of that having them decide where the prizes go and how that works. So it's really a great way to build camaraderie, and ultimately the motivators that we

have are all the ones I listed before, like all these programs list. So whether you've heard me talk about our women's group in the Artemis community, whether it's about our veteran community, our mentors, our annual recognition, all of those, there's pathways in our recognition program and our game to make it so that they can be their persona and find success and ultimately be recognized. So the biggest question is, how do you get started? Sustainability: the goal of a solid game is to invest money into the initiative and then have it sustain and be your 24/7/365, you know, extra hand in whatever you're trying to do.

First thing I have to tell you, and this is what you'll hear from every business person, is you need to focus on measurable objectives. When it comes to gamification you always have to pitch, you always have to get money; as a result of that, you need to be able to measure and create a business value proposition to whoever holds the purse strings. So when you talk about doing things with gamification, you need to figure out what are the actual outcomes in my business, or in whatever I'm doing, that I can impact, and make sure that you can measure it, and that way you can ultimately start doing some analysis. Now, you need

to measure it both from the game side, meaning for the company or for the host, but you also need to do it from the player side. The most important part of game theory is that mutual success: you need to make sure that you can invest money on the left and make sure you can change the outcome on the right, and make sure that you can prove that model. I always talk about planning macro but executing micro, so understand the thematic direction that you want to go, and take a small chunk and execute it. With that, I also say budget for the experiment and then a program. So take an experiment, in terms of, like, ask for a

thousand dollars, or ask for 500, or ask for a free pass to something, and put that as a reward, or put an opportunity as a reward, and try to test out the theory of what motivates your community, what motivates the players in your game. And as you learn more, as you test those things out, you'll be able to prove, hey, this type of motivator works, this type of functionality works really well, and as a result of that you can then take that experiment and codify it into an actual program with a bigger budget and with justification that shows, hey, I know that our community does this; we can start experimenting and growing that.

Last couple of things I'll say on this: setting expectations is really important. So when you're dealing with early participants, letting them know that, one, hey, this is an experiment, it may go completely horrible, it may be insanely great, but taking and getting cooperative information from them, getting their feedback, and making sure that your motivators are properly assessed. And then it's just rinse and repeat at that point: you just take new chunks of that thematic goal and you create new experiments, grow your program, you take it and roll it out in stages. So what does this look like from a red side? So what I want to urge you to

think about is that when we talk about the motivators and why they're the same for every cyber security person, what I'm gonna focus on right now is just the red side. So if you wanted to build up a game for a SOC and try to make it so that it was easier or more fun for people to be in the SOC, right, or to be related to keeping your company safe, on the red side you can look at players that are potentially in the SOC, or even things like in product QA, anyone who has a contributing role in making a better security posture for your company. So this role can extend outside of the SOC, and creating better PRDs that

include secure features, better SecDev, better, you know, overall QA; these are all things that can improve your overall SOC. You can gamify and create a mechanism that allows you to reinforce good behavior. The type of tasks that you have, standard red team tasks: you've got pen testing, recon, training, you name it; these are all things that help improve the posture of the company. The benefits of doing gamification in this realm: one is orchestration. Everyone seen, like, the hive mind in Stranger Things? Hopefully yes, great show. But the notion is that being able to put this game out there, and the game is helping control the actions of a bunch of people; putting

a game with reward and incentive kind of gets people to flock in that direction to do this type of work, and ultimately you get an element of unified growth or unified action, people all trying to go for the same goal. Recognition is really important when it comes to retention. Today, finding security talent and keeping them, getting a signal that says, hey, these are the people that have an objective impact on business value for the company, and getting a game out there that gets them a rank and gets them a leaderboard to stick up on and kind of be recognized, is a great way to retain the talent that is really

affecting the bottom line. Speed and quality are a natural derivative of this, because most of the time games are about, I want to do something faster, I want to increase the quality of this, I want to do something more reliably. And lastly, the one I'm really big on right now, and have been for a long time, is camaraderie. Hacking is a very siloed industry; a lot of people have found that they are alone, they don't feel like they can connect with people. So increasing those connections with other researchers, other people in the profession, and creating teams that really work well together, this is a byproduct of that. Now, the way I would look at this

is that you've also got the blue side of this. You have a game that you can run for the red side, so you have, like, the red MVP if you will, the red person of the month if you want; you can create these types of recognitions and goals and achievements to get that. But then you've got the blue side and all the tasks that they do; those can actually run independently as well. And so again you want to make sure that there's an opportunity, the same way we have specific recognitions for mentors or for hunters or specialists; these are specific games that kind of co-exist, but they're for different audiences. Nothing says a red person can't go and

participate in the blue side or vice versa, but there's a clear path that says, hey, if you want to be recognized for the things that the blue side does and the things we want to motivate people to do, there's a structure there for that. And again, the same element here is that you have all the different organizations that you can tap into, which is great. The evolution of purple, though, makes a really interesting problem, or an interesting opportunity, because the problem historically has been, how do I measure impact? Purple teams tend to have the tools that are needed to really aggregate the data and bring stuff in. So if you've got the benefit of a purple

team that can digest all the information from systems like Jira, WhiteHat or whatever you're using to get that information, you can use that as a way to create a master game that says, look, here's a game that spans the entire company, and ultimately creates an opportunity to say these are the people that are having the most impact on keeping this company secure. And so for me this is an area where you can do, you know, red, blue, red versus blue, you could have purple. But again, the reality here is, if you can measure impact, you do the work to understand what the outcomes are at the end that add value to your

business and make it more secure, then you can make it more fun for people to do the things that they're doing, and potentially incentivize them to move faster. So my takeaways: focus on measurable business outcomes. Important; if you're not doing that, you're going to have a hard time making a game that scales. Point economy and leaderboards, formal or informal: you don't have to have a system to do it. I've seen really effective games done with Google spreadsheets and some really cool charts and whatnot. So it just needs to be a way for people to understand, how do I know where I am, am I behind, am I ahead, where am I in relation to everything?

And these things are really important for scale, because at the end of the day these things need to be updated relatively accurately, and ultimately just be responsive. Communicate clear paths to success. Again, this is important, understanding, like, I made a bunch of points or I've made a bunch of progress, but how far along that path am I, how successful am I, and what are the expectations to be successful? Nested programs: I can't recommend them enough. They are a great way to get the ball rolling and keep people rolling. I've had researchers come in and tell me gamification is silly, it's stupid, I'm never gonna do it;

four months later they come back and say, oh my gosh, this stuff works, I can't believe how much I care about levels, or the fact that I want to get these challenge coins, or I want my customized hoodie or my hacker throne or whatever, right? They see the prizes and they want them, or they want the recognition. Like, our Synack Acropolis is a website that's basically building their personal brand. So we help build the individual researcher's personal brand with this website, and to get on it you have to earn 10,000 points. Well, to get 10,000 points you've got to go and help a certain number of customers, and then, you know, it all works itself back to a very

interesting opportunity where they can have a clear path: if I want to build my personal brand, I know what I need to do to go do that. Last two things I'll say really quick. The most effective games are actually ones that are already being played. So set up an easy game, for example, like an incident response game that's like, you need to close 10 incident responses in a month, and that earns you some kind of badge. Most people don't like gamification out of the gate, but when they realize that doing their normal day job will get them some extra money or get them some recognition, and

they realize, oh, I'm almost there, if I just did a little bit more I could actually get this little prize, it's those recognitions, like, I'm pretty much there, that's the piece that gets them over the hump, and then they kind of start getting into the game. And the last thing I'll just say is that, you know, understanding what motivates your audience is pretty interesting, but if you don't know, just ask. You don't want to guess; ask, have conversations, have calls with them, take notes, look for themes and try things out. At the end of the day, you don't have to be an expert; as long as what you're doing is a reflection of the

players in the game, they're going to enjoy it and have a good time. So I don't know what the time is, but I actually did it pretty fast. Oh, look at that, pretty good. If you have questions: Twitter, you can reach out to me at ryanrutan; LinkedIn is actually my preferred way, Twitter is really, really crazy for me because of the DMs. But also we're giving away some swag at our table at the end, and I also have cards, and I just like to talk, so just come say hi. Thank you.

Any questions? All right, yes sir.

So our experiments are time-bounded; our games are perpetual. And again, our games are set up as programs that run annually, lifetime and monthly, and the reason why we do that is changing the game and changing the rules creates whiplash. Ideally what you want is people doing the same thing. So for us the points system is our abstraction: we have things that people can do on platform, off platform, whatever, to earn points, and we frame everything that we do in terms of rewards and structures and progress in terms of points. So if we want to do something on the side for a temporary purpose,

like an experiment, we'll say, hey, okay, we're going to do this off-platform thing, we're going to do this experiment, and we're going to award this number of points. And that's the way that we can make it so that their efforts serve their greater good, if you will. So experiments are time-bound, but all of our games are perpetual and/or recurring. Our recognition, for example, is every year, so it's a rolling clock, 12 months; our lifetime is lifetime, month is month. So, all right, yes sir.

What, so maturity of the company, maturity of the players? So my personal, so I'm going to give maybe a thing: the more rigid the company is historically, like if a company has a stigma of being rigid, it's harder to feel authentic with your game. So yeah, so again, it's not about, like, hey, we're gonna throw a bunch of money at this and make this great; it just doesn't come off right. It's better to start small and grow it organically. So that's the one thing you don't want. I don't want to use "imposter syndrome", because that's not what I'm talking about, there's a different connotation to that, but really it's like

you want to make sure that it feels like it's a part of the culture. Like, if your company has created a culture that's fun, engaging and whatnot, then you have a much better chance of rolling out these games at exponential scale. In terms of the more kind of rigid companies, money works really, really well, but again, the idea is that, for me, for hackers, I like gear. Like, I never give out swag that's not functional; it has to be functional, like even if it's just cracking open a case of something, it has to have a tool in it or something. So finding out what kind

of gear, what kind of tools and gear they like, that's usually what I start off with and then kind of work from there. So make it functional first, and then you can kind of get into the luxury stuff. That's like, you know, people ask me, like, put keyboards and everything; to me, I never give keyboards, that's way too intimate of a thing, like, you know, I will never give someone a keyboard, because I am such a nitpicky person when it comes to my keyboard; I have four of the same one just in case mine breaks, you know, that's the way I am. So does that help answer? Okay.

All right, well, thank you again for coming today, and I'm glad to be here in the UK. So thanks.
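The nested monthly / annual / lifetime point economy the talk describes (points as the abstraction, a rolling 12-month recognition clock, the "this month times twelve" pace check, and time-bounded experiments paid out in the perpetual points system, as in the Q&A), written out as an added example. This is not Synack's code; the thresholds marked "(talk)" are the figures quoted in the talk, while the researcher names, target and organization identifiers, event dates and point values are constructed for illustration, and the 365-day window for "rolling 12 months" is an assumption.

```python
"""Point economy with nested monthly / annual / lifetime programs.

Added example for this talk page; not Synack's code. Thresholds marked
"(talk)" are quoted in the talk; all events, names and ids are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ANNUAL_RECOGNITION = 10_000   # "10,000 points a year ... become a top researcher" (talk)
ANNUAL_HOODIE = 15_000        # annual hoodie / hacker throne tier (talk)
LIFETIME_TARGETS = 250        # lifetime thematic goal: 250 targets (talk)
LIFETIME_ORGS = 100           # lifetime thematic goal: 100 organizations (talk)


@dataclass(frozen=True)
class Event:
    """One point-earning action. Points are the abstraction: on-platform work,
    off-platform work and time-bounded experiments all land here as points."""
    researcher: str
    when: date
    points: int
    target: Optional[str] = None   # None for experiment / off-platform awards
    org: Optional[str] = None


def month_points(events, researcher, year, month):
    """Points in one calendar month: the 'sample size' a player uses to gauge pace."""
    return sum(e.points for e in events
               if e.researcher == researcher and (e.when.year, e.when.month) == (year, month))


def rolling_year_points(events, researcher, as_of):
    """Trailing-12-month points, the 'rolling clock' annual recognition.
    Assumption: a 365-day window rather than calendar-year buckets."""
    start = as_of - timedelta(days=365)
    return sum(e.points for e in events
               if e.researcher == researcher and start < e.when <= as_of)


def lifetime_stats(events, researcher):
    """Lifetime counters; experiment awards carry no target/org and are not counted."""
    mine = [e for e in events if e.researcher == researcher]
    return {"points": sum(e.points for e in mine),
            "targets": len({e.target for e in mine if e.target}),
            "orgs": len({e.org for e in mine if e.org})}


def annual_pace(month_pts):
    """The talk's back-of-envelope check: this month's points times twelve."""
    return month_pts * 12


def progress_report(events, researcher, as_of):
    """Where am I on each nested program, and am I on pace for the annual tier?"""
    m = month_points(events, researcher, as_of.year, as_of.month)
    y = rolling_year_points(events, researcher, as_of)
    life = lifetime_stats(events, researcher)
    return {"month_points": m,
            "projected_annual": annual_pace(m),
            "on_pace_for_recognition": annual_pace(m) >= ANNUAL_RECOGNITION,
            "annual_points": y,
            "recognition_gap": max(0, ANNUAL_RECOGNITION - y),
            "hoodie_gap": max(0, ANNUAL_HOODIE - y),
            "targets_remaining": max(0, LIFETIME_TARGETS - life["targets"]),
            "orgs_remaining": max(0, LIFETIME_ORGS - life["orgs"])}


def leaderboard(events, as_of):
    """Rolling-12-month leaderboard, highest first, ties broken by name."""
    names = sorted({e.researcher for e in events})
    rows = [(n, rolling_year_points(events, n, as_of)) for n in names]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def award_experiment(events, researcher, when, points):
    """Pay a time-bounded experiment out in the perpetual points economy, so the
    game's rules never change; the experiment is just another source of points."""
    return list(events) + [Event(researcher, when, points, target=None, org=None)]


AS_OF = date(2022, 6, 30)
SAMPLE_EVENTS = [  # constructed sample data; ids are hypothetical
    Event("alice", date(2021, 5, 10), 2000, "tgt-4", "org-4"),   # outside the rolling window
    Event("alice", date(2021, 9, 15), 4000, "tgt-3", "org-3"),
    Event("alice", date(2022, 6, 3), 300, "tgt-1", "org-1"),
    Event("alice", date(2022, 6, 14), 250, "tgt-2", "org-2"),
    Event("alice", date(2022, 6, 27), 150, "tgt-1", "org-1"),
    Event("bob", date(2022, 1, 20), 9000, "tgt-6", "org-6"),
    Event("bob", date(2022, 6, 8), 1200, "tgt-5", "org-5"),
]


def demo():
    """Run the sample through every program and return the results."""
    after = award_experiment(SAMPLE_EVENTS, "alice", date(2022, 6, 20), 500)
    return {"alice": progress_report(SAMPLE_EVENTS, "alice", AS_OF),
            "bob": progress_report(SAMPLE_EVENTS, "bob", AS_OF),
            "board": leaderboard(SAMPLE_EVENTS, AS_OF),
            "alice_month_after_experiment": month_points(after, "alice", 2022, 6),
            "alice_targets_after_experiment": lifetime_stats(after, "alice")["targets"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the constructed data, alice's 700-point month projects to 8,400 a year, short of the 10,000 recognition tier, while bob's 10,200 trailing-year total has already cleared it; the 500-point experiment award raises alice's monthly total without touching her lifetime target count, which is the separation the Q&A answer describes.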