
With that, let's get started. Sir, it's yours.

Thank you. Welcome, everybody. So I've been hanging around here for the last two days. I've seen a couple of talks, the keynotes, and every talk that I go to there's always a common theme: no matter what the subject of the talk is, somehow the human risk factor always comes up, that we need more core change in how we associate ourselves with end users, with people, to better security in the culture. You know, I tend to see this as a village. It takes a village to raise a baby; it takes a community of security people to incorporate more change into non-security people. It's all of our jobs to make security something that is a positive and not something that is negative. I saw Allison Miller talk about the behavioral economics and behavioral science of change, and then Josh Corman come up with his "how to lose friends" talk, and Alex Stamos, I don't know if anybody caught the Black Hat talk this morning, he was talking about the empathy gap: there is a gap between people and us, us as the security community, and we need to figure out how to fill that gap. Time and time again over the last 20 years we've tried to fill that gap with technology, where it takes people to solve people problems, not technology. Technology is just going to fail like it's been failing; we're always one step behind, we're always putting in millions and millions of dollars. If we can just have a positive effect on our end users, and, you know, the people even around us in our family and community, we're going to get a lot more value than from more of a fear-based approach.

So I'm going to get right into it. My talk is "I Got More Games Than Milton Bradley: How I Incentivize Positive Change in Our Security Culture". Milton Bradley... in order to know who Milton Bradley is, let's talk about this guy. Does anybody know who that is? Abraham Lincoln. What's missing from Abraham Lincoln? His beard and his hat.
You're right, I'm going for his beard though. So during the middle of Abraham Lincoln's 1860 presidential campaign a little girl wrote to him and said, hey, you should grow a beard. Well, he was very appreciative of her message, and he did. Milton Bradley had set up shop creating a ton of portraits of Abraham Lincoln; he saw him as income and he saw him as the future president. He invested his entire fortune into these pictures, so when Abe Lincoln grew his beard his whole stock was gone. So Milton Bradley decided to throw it all away and start a new career in games, and since then he's given us Battleship, Connect Four, Hungry Hungry Hippos, Simon, Twister, Yahtzee, just to name a few.

This is me. My name is Drew Rose, obviously. I'm running a company called Living Security; we're focusing on the human factor of risk. The Twitter handle is up there. Enough of that. The rest of these slides is a case study from American Campus Communities, a previous employer of mine. The stats are on the screen: you know, thirty-three hundred employees, a hundred and thirty thousand residents of student housing across the country. It's a nine billion dollar company. We have a hundred and eighty offices around the country that we have employees at, so ultra remote. So know that a lot of the things that we're going to be talking about, and especially in the game section, are based off my work at American Campus Communities. So, the problem. We mostly all know the problem. Sorry about that.
Yeah, let's talk about the agenda first. So we're going to talk about the problem; I'll run through the problem really quick, and a lot of us already know what the problem is with traditional security awareness training and mandatory compliance. We're going to talk about the solution, how we can leverage games, actual board games, card games, in-your-face games, to do so. And then we're going to give you a couple of concepts of how to go to your organization and build these games or play these games with some of your employees. And, you know, back to the village topic, if you're not the security awareness person on your team, there are certainly some really great takeaways that you can bring to your company and provide an impact.

There's notes.
Okay, so the problem. The problem is for the last 10 years security awareness training has been, you know, very strictly compliance based. PCI, HIPAA and the rest have all said thou shalt have security awareness training, so we did it. So what did we do? We got these really cheap, really crappy animated videos that we assign to the employees and say: watch this for 30 minutes or an hour a year and you're secure. We may do a phishing assessment every quarter. It's cheap, it's easy, it's testable; those are the good things. It's not realistic, it gives a false sense of security, and, you know, it kills the relationships. As soon as I assign you training as a new employee at a company, I'm already putting kind of a hardship on your life: you have to take an hour out of your day to do this training. It's not conducive to building relationships.

So what is the solution? My solution, my approach, is this recognition, reward, relationship model. So I want to recognize you as a person: who you are, what makes you tick, what makes you not tick, what makes you successful, and I want to play on that. I want to give you toys. If you don't want to watch a video, if you want to read a book, if you want to go to a talk, if you want to do something on your own to be more aware and be a better employee in terms of security, then let's do it. I want to reward you for doing the right thing. I want you to make a positive impact on my company, so I want to reward you, whether that's, you know, swag, which we're going to talk about, whether that's a fun game to play that takes some time out of your day, or whether that's enjoying time with your friends. And ultimately I want to do these things to build a relationship. If I have a relationship with everybody in my office, when something comes up, like an incident, like ransomware or spam or a phishing email, when they do something dumb like lose their laptop, they know who I am, they know my face, they know to come to me, they know that I'm a decently nice guy and I'm not going to badger them or fire them for it, and that I need to know as fast as I can to secure the incident. So the relationship is key, and I will spend money on swag versus money on training videos because I know that's, to me, a more effective approach to build that relationship.

So let's get into the games. This is some work done... I have all the sources on the top right; I'm going to publish this deck if you want to do your research. There are four categories of fun that games fall into: easy fun, hard fun, people fun and serious fun. Your easy fun: a lot of video games fall into easy fun. They touch on your curiosity, they fill attention, you want to figure it out, it's very exciting, there's a lot of adventure. Mario Kart, Life, a lot of video games fill this category. Your hard fun: these are games like chess, Tetris, Halo. There's a lot of personal triumph, there's a challenge, so you want to master the game. Your people fun: I put bowling on there. A lot of people, the ones that enjoy people fun, will say, I'm not here for the game, I really don't like it, but I enjoy playing with other people. It's your teamwork, it's your chance to communicate and congregate with the people around you and just enjoy that experience together. I don't know a lot of people who really enjoy bowling, but they love going bowling with their friends, having some beers, kicking back, having a little competition of who can break 100. And then there's serious fun. This is to generate the emotion, the perception, to put you into the game. This is where you want to have, like, a behavior change, like your mindset is going to be turned off. World of Warcraft is a great game of serious fun where you're completely immersed; you're somebody else when you're playing that game. I'm going to talk a little bit about a security awareness escape room that I put on, where it can be serious fun because you just get into your character and you just go with it.

Some of the basic desires: this research is based off of Dr. Reiss. Some of you all may have heard of him. He identified these 16 fundamental drivers of motivation, 16 basic desires. These are your performance drivers. Basically everybody here is a profile; everybody here, it's like a fingerprint: you're going to have a different desire, you're going to be motivated to do something different than what someone else is going to be motivated for, and on different scales. People that develop really good games in the gaming industry are able to touch on a lot of these different performance drivers to get a lot of different participants a lot more engagement. We'll go through some examples of these drivers, and with each driver, each basic desire, I've associated a game that kind of encapsulates that basic driver. And I keep having to switch back and forth; I'm really sorry about this. So, acceptance. Acceptance is the need to be appreciated and part of a group: Counter-Strike, running with your team, going on missions with each other. Honor is the next one.
Curiosity, Trivial Pursuit: this is the need to learn, to gain knowledge, to play and understand something. Eating: there's a basic desire of eating, this is the desire for food. Pac-Man is a really fun game if you're hungry, to satisfy that desire for eating. Family: the need to relate and to have a family and to care about your family. The Sims is a great game for that. Honor: to be invested into something, your clan, your tribe, your country, nationality, or your football team. Idealism: has anybody ever heard of this game? I hadn't either. Apparently it's a game put out by Amnesty International; they were trying to completely obliterate the death penalty worldwide, so they published a board game to try to accomplish that. I don't think it worked. Independence: this is the need to be distinct and self-reliant. Oregon Trail is a really fun game; you're in charge, you get to make the decisions throughout the whole game, it's up to you whether you and your family survive and make it to the end or you die of dysentery. Order: this is the need for structure in your life. Tetris. My wife loves Tetris because it's the little boxes; when there's a gap in the box, that drives her nuts. Physical activity: the need to be playful, the need to get physical with an activity. Twister, football, a lot of sports games can fall into this category. Power: Risk, the conquest, to be a leader. Romance: Life. This was one of Milton Bradley's first games, actually, and there's a lot of really dark stuff happening in the first games of Life; you guys can take a look at it later. But when you're playing the game of Life you're getting married, you're having kids, all that good stuff. Saving: Pokémon. I'm going to try to get through this a little bit quicker. Social status: Warcraft. You know, you get to 2.75 or whatever, I've never played Warcraft, I'm sorry, I'm a terrible nerd, but once you get to a certain status level you're just more important in your guild or in your competition. Tranquility: Candy Crush, to just put you in a zone. A lot of casino games kind of focus on that basic desire; they try to get you into that zone to gamble more. And vengeance: Angry Birds.

So let's... I'm really excited to bring forth... this is the good part of my talk, I'm really excited to bring this to you. So I was able to develop some games, and I'm not a genius; all the games I'm going to bring to you have been kind of altered from real-life games. This game was a game called Security Bowl. It pits
two football teams in a classic gridiron match. The teams call plays using the cards available; you see the defender cards and the hacker cards. Yardage gained is determined by the roll of the dice. The offense plays are like denial of service or phishing, and the defense plays are technologies or processes like a firewall or vigilance or the help desk. The game is intended to be played with a referee. The referee, that's us, that's a security person, that's the person that can say what's a denial of service, why is a firewall good at stopping a denial of service attack, going through some of the other questions. Just to play with ten people as a referee, it's really fun, because you'll get a lot of engagement while they're playing, like, well, I don't know what that is, what's the web application firewall, why is that important to our organization. It gives you an opportunity for them to ask you the questions as they're learning and understanding and trying to figure out how to play the game. Teams can challenge plays for actual yardage by answering these security questions. It's mostly luck, to be honest; it's a lot of dice rolling. The challenge plays are basically: if you get a question right, you roll the challenge dice, and it can give you an automatic touchdown, an automatic turnover, or multiply the dice you've already rolled. So you could be winning the game and get a challenge and then all of a sudden you give the other team a touchdown.

So a little bit more about the game. When you play a card you both put them down at the same time, and you kind of match up what the other team has played, and then the football is the outcome of the dice roll. So the black die is the defense die, the colored die is the offense die. For instance, a firewall is a really good defense to a DoS; that means the defense gets to roll two black dice, which usually results in negative yardage gained. So there can be some strategy for playing the game, because there are really good offense cards that are always going to get a lot of colored dice, and then there's a lot of good defense cards that have a lot of blacks, like firewall. So here's some of the teams playing the game. You can see a lot of basic desires coming out; you see some physical activity on the left, just people getting really excited and playing. Whether they're super technical or not, it's a game, and we're playing off that competition factor.

This is the other game, Security Cards. Has anybody ever played Fluxx, the Fluxx card series? There's a couple of guys. Basically this is a rip-off of Fluxx, a cybersecurity Fluxx card game. It's a really, really easy game to play: you start with one rule, draw one, play one. As you play the game you add more rules, you add goals, you add actions. This one, you have your played cards, your hackers and your defenders; you have your goals, that's how you win the game. Thank you for the ten minutes; I'm way ahead of schedule, I talk really fast, I'm sorry, guys. The defender goal, that's how you play, that's how you win the game. The actions, you have a lot of fun with actions. One of my favorite cards in the deck is the "what's my alias" card, where everybody playing in the game has to choose an alias, and as they're talking they have to throw their alias on at the end of their sentence every time, or they lose a turn. So it turns into something fun, like, oh, my alias is "what", so I'll say something and then always end the sentence in "what", and you can be really creative with this game. Again, this game is intended to be played with a referee, or a security semi-expert, somebody that can explain how a web application firewall will stop the SQL injection. The theory isn't to make people really, really smart on cybersecurity, or experts; it's to raise awareness, right? It's to make them have a positive approach to security in their daily life. It's to say, hey, a phishing email is coming through my desk, I'm not scared, I know what to do, this is something that happens, I remember this game, or I remember this activity or this engagement with my security team, and I'm just going to go for it and contact the help desk or the security team to let them know. Again, playing these games with my employees, with my end users, it just built them around. I would grab them at lunchtime, I would have the deck in my hands, I would have some swag with me: hey, you, you, you and you, do you want to play a game with me? I've got a $5 Starbucks gift card. I'll literally bribe them. The part about the rewards is, I don't care how you got to my table or my room; I care that you're here now. I don't care what your motivation was; I'm going to leverage that and try to build a relationship with you because of it. This is another action card: they're playing rock-paper-scissors to trade hackers and defenders, again to win the game. I have some really cool stuff: I have these games published for you guys for free. At the end of it I'll give you the link so you can get them printed out, and this is something you can take to your organization and play with. There's a couple of cards that are kind of fun, like nobody wins the game, or everybody wins the game. If you've never played Fluxx, I definitely recommend it as a family game, and you could even bring cybersecurity Fluxx home; even without the security aspect of it, it's pretty fun to play.

So, escape rooms. I designed a security awareness escape room for American Campus Communities. Has anybody done an escape room or a panic room in here? Yeah. So if you've ever done an escape room, or you know the concept, they're already built on security tenets: you're picking locks, you're looking for information laid out, you're trying to put clues together, you're trying to solve a series of puzzles to accomplish a goal, to escape the room, to unlock the door, to stop the bomb, to figure out whodunit. So being able to manipulate an escape room inside of a corporate organization gives you the opportunity to, number one, set up probably one of the most fun and engaging activities that they'll ever go through at their company, but you have that opportunity to focus on the security tenets while they're happening: like, oh, this is what happens when you have a really easy password to guess, or you write your password down on a sticky note and you put it underneath your computer, or you click on a phishing email, this is what happens after the fact, or you leave PII out, like Social Security numbers just lying around in files, or what have you. So I developed the escape room to touch on these. This one, I'm going to give it away: the biggest security tenet I touched on was insider threat. So we had teams of, I think, five or six go through. Before the teams came into the room I found one person and I gave them a cell phone, and they were the insider, they were the rat, they were the whodunit person, and their goal was to sabotage the rest of their team from solving the puzzles. If they didn't make the time, the 45 minutes, they won; if they made it under the 45 minutes the team won and they lost. And the tell was, I gave them a cell phone and just put it in their pocket, and fast forward through, you know, 15 or so puzzles, they came to an error page, a whois page for a website that had a cell phone number published on it, and they called the cell phone. So that's what they're doing around the computer there, where they're kind of figuring out the last part: they pick up the phone, they call that phone number, it rings in their pocket, and they're like, oh crap, it was you the whole time. That girl right there, it was her, and they're all angry at her because she screwed them over the whole time, and they start going back over the 45 minutes, like, you were hiding this, and you did this over here, and you did that over there. It's like, you're touching that emotion, that kind of betrayal, but kind of in a fun way, because nobody hated each other going into the room. What's cool about games like this, touching on the different basic desires that I brought up before, is this game touches on so many different basic desires: loyalty, physical activity, acceptance, curiosity, independence. Independence is like, you know, there's a really hard puzzle on the ground, it's a mathematical equation, I'm just going to focus on it by myself, you guys stay away from me, I got this one. Saving: if you've ever done an escape room, there's just a lot of stuff that kind of comes out of the woodwork, so you have to kind of figure it out and organize it. So when you have a group of five or six people coming in from all walks of life, they may be co-workers, they may be friends, you're able to make it fun and engaging for them in a very specific thing that they like to do.
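The Security Bowl mechanic described earlier (both sides lay a card, the offense rolls colored dice for positive yardage, the defense rolls black dice for negative yardage, a strong counter such as firewall against denial of service gives the defense two black dice, and a correctly answered challenge question earns a challenge die that means touchdown, turnover or a multiplier) is simple enough to model, which lets a referee check how balanced a deck is before printing it. The Python below is an added example and is not the speaker's deck or any published rule set: only the firewall-versus-denial-of-service and web-application-firewall-versus-SQL-injection pairings come from the talk, while the six-sided die, every dice count, the phishing counters and the challenge-die split are assumptions made here.

```python
"""Play resolution for a Security Bowl style card-and-dice game.

Added example; not the talk's own files. Numbers and the phishing row of the
counter table are assumptions, labelled below.
"""
import random
from dataclasses import dataclass, field

# Offense cards and how many colored dice each rolls by default (assumed).
OFFENSE_DICE = {
    "denial of service": 2,
    "phishing": 2,
    "sql injection": 1,
}

# Defense cards that strongly counter an attack. The first two rows are the
# pairings the talk names; the phishing row is an assumption.
COUNTERS = {
    "denial of service": {"firewall"},
    "sql injection": {"web application firewall"},
    "phishing": {"vigilance", "help desk"},
}

DEFENSE_CARDS = {"firewall", "web application firewall", "vigilance", "help desk"}
DIE_FACES = 6  # assumed: an ordinary d6 for every die in the game


@dataclass
class PlayResult:
    offense: str
    defense: str
    colored_dice: list = field(default_factory=list)  # offense dice rolled
    black_dice: list = field(default_factory=list)    # defense dice rolled

    @property
    def yards(self) -> int:
        # Colored dice move the ball forward, black dice move it back.
        return sum(self.colored_dice) - sum(self.black_dice)


def dice_for_play(offense: str, defense: str) -> tuple:
    """How many (colored, black) dice a matchup produces.

    Every defense card rolls one black die; a card that counters the attack
    rolls a second one and knocks one colored die off the offense (assumed).
    """
    if offense not in OFFENSE_DICE or defense not in DEFENSE_CARDS:
        raise ValueError(f"unknown card: {offense!r} vs {defense!r}")
    colored = OFFENSE_DICE[offense]
    black = 1
    if defense in COUNTERS.get(offense, set()):
        colored = max(colored - 1, 0)
        black += 1
    return colored, black


def resolve_play(offense: str, defense: str, rng: random.Random) -> PlayResult:
    """Both sides lay a card down; roll the dice the matchup allows."""
    colored, black = dice_for_play(offense, defense)
    return PlayResult(
        offense, defense,
        [rng.randint(1, DIE_FACES) for _ in range(colored)],
        [rng.randint(1, DIE_FACES) for _ in range(black)],
    )


def resolve_challenge(answered_correctly: bool, play_yards: int,
                      rng: random.Random) -> tuple:
    """A team challenges a play by answering a security question.

    Wrong answer: the play stands. Right answer: roll the challenge die
    (assumed split: 1-2 touchdown, 3-4 turnover, 5-6 double the yardage).
    """
    if not answered_correctly:
        return "stands", play_yards
    face = rng.randint(1, DIE_FACES)
    if face <= 2:
        return "touchdown", play_yards
    if face <= 4:
        return "turnover", play_yards
    return "multiplied", play_yards * 2


def expected_yards(offense: str, defense: str, trials: int = 5000,
                   seed: int = 0) -> float:
    """Monte Carlo average yardage for one matchup, so a referee can confirm
    that a countered attack really does lose ground on average."""
    rng = random.Random(seed)
    total = sum(resolve_play(offense, defense, rng).yards for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    rng = random.Random(42)
    for off in OFFENSE_DICE:
        for d in sorted(DEFENSE_CARDS):
            print(f"{off:18s} vs {d:24s} avg yards {expected_yards(off, d):+6.2f}")
    play = resolve_play("phishing", "firewall", rng)
    print(play, "->", play.yards, "yards")
    print(resolve_challenge(True, play.yards, rng))
```

Running the script prints the average yardage of every matchup; a referee who wants a different balance (say, making the help desk a weaker counter than vigilance) edits the counter table or the dice counts and reruns it, rather than discovering the imbalance at the lunch table.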
So, let's... every time I do that I lose my notes. This is the last kind of activity that I did. So I had over 180 remote offices. I could build security culture really easily in my corporate headquarters because I was always around them; it was so easy to just go grab someone and have some fun with them. So I've done a couple of security awareness week type things with my remote offices. This was one full activity lifecycle over the course of a week.

Phish an Exec: this one was really cool. So I gave my end users the opportunity to craft a phishing message for an executive of our team, and I said, hey, you craft one, send it to me, I'll send it out through our phishing platform, we'll see how you do, and if you get it successfully you're going to get X amount of points. So I gamified this whole process. Be aware with this one: so I challenged one property, who had no real clue what to do, to phish our CEO. Now, we're a nine billion dollar company, this isn't a small mom-and-pop shop. Hey, phish our CEO, it's going to be great. So they crafted an email that was from one of our competitors; it was about a transaction, we buy and sell real estate properties. I didn't do my due diligence; I didn't realize they used a legit email address and a legit name of our competitor, and I sent it to them. And so our CEO is out, I think he was someplace like a doctor's appointment with his grandchild, it's terrible, and he sees the email, like, what the hell is this, I did not make it, I'm not buying this or doing it. So he sends it to our chief investment officer, who, without clicking on the link, calls the competition: look, I just got this email, what's going on. Completely backfired, but it did raise awareness, and I didn't get fired. And we talked about recognition: our CEO does these quarterly updates, so for this competition we had our four winners, because it was a gamified approach, and he actually was able to kind of call out that incident and say, holy crap, this happened to me, you guys did so good, this was a spoofed email, I had no idea, I called it out, you know, I didn't do what I was supposed to do, we can do better from an executive side. So there's complete buy-in from that fact, even though it could have been tragic if it was a different competitor.

Research: pretty simple, I'll go through this one. Find a security incident, put a sticker on it and send a picture. Password Mayhem: I cracked all the passwords for the entire AD. I issued a challenge, hey, make your password something stronger, and then I re-cracked and saw what percentages had the greatest gap, or who had the least. And then USB Mayhem: I created a fictitious company, I sent thumb drives with the regional manager's name saying, hey, your regional said you need to install this application on your computer, here's the thumb drive, plug it in. Quick test: don't send thumb drives in letters, because they go through the automatic sorting machine and they rip them out. So just some more advice for you guys.

So let's talk about rewards. I've got two minutes left. Rewards, again, you've heard a little bit through my methodology of how I do rewards. I want them to be memorable. Memorable meaning something that, when they see it, like a trophy or a pennant, they're going to remember that event, they're going to make, oh yeah, it's just that instantaneous little vibe of, that was fun, that was exciting, that was great. Viral: this is something like fidget spinners. Fidget spinners were too viral; actually I completely bypassed the fidget spinner craze. But, you know, I did a S'well bottle, where I bought S'well bottles for everybody: if you came and participated in one of my security awareness games you got a S'well bottle. I had maybe 75% of people signed up, and then after the first day, when they realized we're getting this awesome brand new S'well bottle that was custom branded, I got another 15% the days later; they saw how much fun people are having and what they're getting for doing it, and they went on. Unique: I wanted to bring it; Aaron's Thinking Putty is something you can brand, it's a lot of fun, it's kind of like a Play-Doh for adults. Moleskine notebooks. I did gumball machines; you can actually brand gumballs, I don't know if you knew that, so I had branded gumballs with little printed malware mouses, I called them, on the gumballs. Quality: no longer should we do pens, highlighters, crap like that. Invest, you know, invest in Yetis, S'well bottles; I've done Amazon smart home gift packs and Tile GPS tracker systems.

So, how: I'm not going to go too deep into it. Pick a game that you like. Yep, I'm going to stop now, he's yelling at me. If you can screw up, I'll turn into that, if you don't do a good job. Here's some ideas for games that you can do. Again, I'm going to get the deck out to you. And Mousetrap: I want to see some of you do Mousetrap. I don't do it first; that could be a frigging awesome game to securify. And then just do it: pick a game, securify it, find some friends and play it. And that's me. Again, I said that the Security Cards are published online; they were made through boardgamesmaker.com, I believe, so you can take the files, throw them on there, get them printed out pretty professionally. The deck's online as well. I think it'll be on Peerlyst after this as well. So I guess we have, what, like four and a half minutes for questions? No? No questions? You sure? Oh man.

To continue this conversation or to ask questions you can follow the speaker on Peerlyst. Yeah, I'll take down there. Thank you. [Applause]