
George Bilbrey - Hacking The Brain with Gamified Learning

BSides Augusta | 30:56 | 115 views | Published 2021-10
About this talk
Gamified Learning is a great way to keep ourselves interested while learning new information. Capture the flag events, challenges, anything interactive makes for a more complete learning experience. I will spend time introducing at a high level some free/cheap resources to start down the path of learning in Cyber. Topics to include:
Learning OS and programming language while playing games
Practical application and semi-formal learning
-- HTB / HTB Academy
-- CTFs like Holiday Hack Challenge and more.

Transcript

all right so for those of you guys that are filing in here at the end of this the qr code up here is the same as the link above it yes it is benign i promise i'm not trying to infect your phone's laptops mobile devices you brought with you this is a participation mechanism i'm trying out today during this presentation you feel so inclined please help me out participate if you don't i'm gonna have some blank slides it's gonna look really weird on the recording if you didn't hear my spiel the first time no rude vulgar phrases stuff like that anything that would offend somebody keep it professional but answer truthfully okay i'll give everybody a second to snip

that if they need it it'll also be on the next couple slides moving forward just in case any late comers come in

cool you got it so we're good so let's go let's start this so before i go into anything else if you're doing this from your phone now it should have changed to a question to answer on your mobile device as you guys respond i will see them

cool there we go we got one dull who was that that's why i know awesome important very true tedious boring hack the box somebody's giving a shout out there generic these are all great answers guys this is a lot of what i was expecting to be honest too which is a little sad i kind of said something about the state of the way we handle training especially stuff like annual training right and today's new digital age where we have all these cool technologies and tools at our disposal it's still very boring all right we'll move on that's a good enough set of answers so why are we here why are you guys coming to listen to me i'm giving my

presentation called hacking the brain learning by playing i decided to throw kind of that traditional slide model out the window here i got really used to building slides in the dod where they were very dull you never used anything but black font it all had to always be the same but you know what we're going to build something a little different we're talking about playing after all so who am i i am treycraft you'll see my little gamer tag on twitter you can find me on hack the box i am a content developer for hack the box academy sorry i'm making you move a lot besides that i like to play i played a lot of our own

content on hack the box i am an educator i am a husband and father a little bit of a gym junkie and i love video games especially card games too so if anyone in here plays magic i love the new set yep got a couple guys generic disclaimer you guys have all seen this before right my thoughts are my own what i say through these slides do not represent the thoughts or opinions of hack the box themself or any of my previous employers they are of me so problem you guys already hit it a little bit right how we always handle annual training currently it's dull it's tedious it's very important this is things we have to do

but no one likes doing it right in your head when i said annual training in that poll question you like internally groaned i could see some of you do it i heard a couple and that's typically what we see over on the left right don't click links from nigerian princes like how many times have you heard that and just having someone stand up here like much like i'm doing right now and just run their mouth at you for an hour hour and a half two hours and you might remember three to five didn't engage you they used easy monotone voice and just kind of talk like that doesn't do anything for you right you're not entertained you're not

excited about the topic because the speaker's very not excited about the topic but what's one thing we all get really excited about we love to play we like games like to like have fun why does our training have to be like it is on the left when it could be what it is on the right i'd say she's having a way better time than those guys sitting in that lecture pew right now so this slide is pretty interesting this is going to roll on for a second did a survey looking through the internet doing the whole google research all that fun stuff right to find out what some of the essential skills and competencies were

deemed for a normal i.t cyber security technician this isn't anybody that specializes in anything you just work in this field this list is about 25 or so skills that's pretty daunting right that's a lot of stuff to master in a lifetime do you think you have a mastery over this stuff do you do this stuff every day in your daily job i'm curious to see how you answer so i have a poll for this you guys should have it too on your devices of those 25 or so skills that were on the slide how many would you say you use daily how many of those would you say you're competent in that you feel like you

could potentially do the job and you could do it with minimal assistance and minimal google i'll give you a few seconds to say again exactly exactly that was the point there's too many there to remember it all there's no way you can do it like somebody could work in this field for a lifetime and they're not going to master that list and that's that was the i'm glad you said that out loud because that was the whole point of give it another second all right so we have 13 14. awesome thanks for participating guys this makes this a lot more fun for me too because i'm not just going please somebody do something all right so

about half of you said one to three of the skills you'll half says four to eight some of you are saying nine to more nine or more you guys are awesome whoever that is if you're doing that kind of work and you're probably overworked to be honest you all need a break so next one how many would you consider yourself competent see this is very telling now isn't it we had a lot of people say four to eight they do daily but majority of those same people said they might be competent at half of that how does that make you feel about the state of the way your job roles are right now of the way the training you received to

be in a position set you up is that something you've ever actively thought about before or realized about yourself and the role you're actively feeling no you're good this is meant to be interactive

oh yeah it is definitely an issue that you can do more self-teaching and self-researching than you can actually attending training sometimes and it's scary so let's move on what's the solution i caught the audio that time it didn't go through the speakers though who knows what this game is has anybody seen this before yep as mario teaches typing this came out like late 80s early 90s i loved this game as a kid this is my first exposure to computers and nothing made me want to play on one more at that time of course a few years later i found things like everquest and quake and it was all downhill from there but this was the start and this is a

perfect example of what i'm talking about and getting back to that grassroots learning as a kid you didn't learn by listening to a teacher talk to you all day you learned by playing you just experimented you had fun you weren't afraid to fail but then slowly we started growing up and we started caring about our self-image and all these other little social factors and now all of a sudden it's a problem this is where we should be with gamified learning it can help us improve the completion rates for ourselves when we do start trainings when we do other safe self-paced learning you attend a sans conference something like that or if you just decide to sit through

another college class if you go and self-teach yourself from a book as long as you can make it fun if you can make it a game or turn it around i guarantee you'll do better you'll have a higher completion rate you'll retain more of that knowledge because you're going to apply it to other senses as well you did something you had fun you had a strong emotional reaction all of those things tie into your memory and those triggers to help you recall that information so if you have to do something why not have fun while you're doing it right why a little more detail into this this field itself is largely a hands-on field right there might be a couple of

you in here that are in that higher level management role where a lot of your job relies around policies and procedures and managing people and herding cats i guess you could say as opposed to the actual hands-on in the muck doing incident response working in a soc or something like that but for the most part it's all hands-on especially at the junior level and the stuff that we're trying to teach in academia today so why would we deliver that training in a hands-off manner it doesn't really make sense to me and i would hope it doesn't make sense to you so 38 of us are gamers according to the latest stats for 2021 on a poll in america and that age group

fell from 18 to 34. the next leading age group was obviously children to 18 and then it tapers off from there why was that anyone know why would our current age group be the highest amount of gamers right now in america we grew up with them we came up in the 80s and 90s that was our past that was what made us us that's why we're probably in this field as part of it is you saw something you really like dealing with computers and you just kind of fell in i know i did with that kind of stuff and with that knowledge in mind on average people spend nine hours a week playing video games

if that number sounds close to true to you ask yourself how long do you spend doing any kind of annual training how long do you spend refreshing some knowledge or rules or policies you need to know for your job probably not nine hours right that stuff's dull it's boring you can find it when you need it right that's always your answer i'll find it when i need it i'll look it up later taking that very dull topic and turning it into a game or turning it into even just something interactive with like pictures and sounds and stuff that elicits emotion will improve that engagement just from your students from your staff from whoever you happen to be

using that training for by up to 60 percent if you guys whoever in here if you're a hard stats number person i have the links to the polls and the research for this i can give it to you if you want it but for the sake of this demo take me on faith all right and it helps increase productivity too if you can increase productivity for someone inside their workforce say on how many alerts and stuff they triage a day if you turn that into a game now you're getting more productivity out of your staff you're getting more stuff checked out you're being more effective as a company in what you're doing and all you did was give a small challenge

so keep these things in mind as you leave here today and as you go back out into academia or into your job roles or managerial roles whatever you're doing you can have a little bit of fun at work it doesn't have to be work so another one this poll is there for you this one's not really for me i'm curious to see what you say but i want to know how long you guys think you spend playing a game zero we got some book worms in here huh three hours that sounds closer to right four six there's our mmorpg players so it's a lot of time it happens to be your prerogative for that one but i

understand it that makes sense but overall these are good answers still these are all it's a lot of time and that's what i was wanting to impress on you guys is we sink a lot of time into stuff that we love or that makes us feel good and not a lot of time into the dull and mundane so how can this help us from a cognitive sense we're taking huge huge skills and competencies right each one of our fields if you think about it in cyber security today is a niche in and of itself you can be a person that all you do is traffic analysis all you do is endpoint incident response or all you happen to do is say deal with

virtualization build servers like that's your job that's a niche and i would like to say i know in my mind i'm very kind of put myself down at times but i don't think i'm a master at any of those roles and i don't think i'll ever get there because this role evolves so quickly with what we do taking that knowledge breaking it into smaller chunks and turning it into something that can be easily digestible say in a half hour an hour or through one session can help with that recall can help from that cognitive aspect and it will provide growth because over time those small chunks you broke stuff down into will start to combine become bigger

chunks those bigger chunks become an overall process in your brain in your way you do your tasks throughout your day and it makes recall easier it now becomes muscle memory it's not just oh man how did i do x again and then you go look through your one note you dig through it all forever it slowly builds and you get the recall and it helps from an emotional standpoint i think one of the biggest pieces this will help with especially for those of you that are dealing with children or high schoolers at this time is that fear of failure everyone hates to fail everyone hates looking stupid you don't it's like me right now i hate that i said stand up

here in front of you and i stuttered two slides ago that's eating me in the back of my head is it a big deal no but that's a failure in my eyes and that problem elicits an emotional reaction and i'm sure it will for many other people if we can take that failure by having them consistently do it do that task over and over again and fail and fail and fail eventually that becomes a challenge right that's no longer something you fear that's something you have to conquer that's something you want to conquer for the gamers in here who's ever played dark souls what'd you spend most your time doing in that game dying and reloading right

what did that make you do with that game yeah you put it down for a while mostly you die reload play again die reload play again then you rage quit throw your controller and you come back a few hours later or a day later and you try the same exact level again and you keep on going eventually you get past that stuff that game's a great example of this being a motivator the next piece is that social aspect by gamifying your learning and whatever the lesson is you're trying to pass on to people you're giving them a chance to put on a new hat for a little while they can explore a new identity and see

if they like it see if it's something they want to do see if it's something they have an actual interest in they might need it for that lesson at the time or might be a requirement but it allows them to change their mindset it's no longer me trey taking a class about incident response i am now the responder i'm a detective doing some research i'm looking for clues it's a whole different scenario right like that sounds interesting thinking about me just sitting in a class sounds super boring like you guys were turned off at the thought of that but being a super spy that sounds really cool being a secret agent going to doing research and talking to people that have

issues like all that stuff is interesting and that's how people can try on and play at for a little while so the old hats in here will love this one i have the answer to your prayers i can tell you how to fix this issue right now can anyone tell me what that is yep probably one of the most famous things when it comes to cheat codes out there right now right i put that in there just for some giggles thanks for participating and helping me out so these are the four main ideas that i like to address when we think about gamifying learning so think about any topic that suits you for your role and

what you're doing if you happen to be a manager or someone that develops training or works in academia if you can apply these four main tenets to that training you will see a much larger uptick in the way your students react to you the way they recall that information even the fact that them just loving to come to class from that point on knowing hey we're gonna play a game today we're gonna do something cool not just sit there and listen to the teacher talk right what was everyone's favorite day back in high school or middle school when you go to class skip day followed closely by jeopardy or when you saw the tv cart roll out right

those were the cool days you were never excited to listen to a teacher talk but you loved playing while you're there first one narrative how does this look for you guys up there good cool so i put this one up here as a good example of applying a narrative to something that could be considered really dull or mundane this is a little bit of a spoiler for a class that i'm building currently i give the student the scenario you're a junior sysadmin security to work for that company so they think you have what it takes they're going to issue you a challenge a challenge is is you're going to finish this module at the end of it there's a

skills assessment if you pass that skills assessment you qualify to be on their team so now i took something that is generic i.t and gave them a focus gave them a challenge there's something different to do that narrative will entice people to continue on and playing or it'll hook them in all of a sudden now they're invested in the process in the scenario it's not just because it's good for them or they have to know it for their job they want to know how the story plays out they want to see what the skills assessment are that kind of a thing challenges quest chains to break up big ideas we talked about how our memory is and how

we retain information and you can only take so many chunks in at a time if any of you have worked in psychology or anything like that before you get the basis of chunking theory and short-term memory you can only take so much before your brain just lets it slide in one ear and out the other by taking those big level topics like let's say traffic analysis and breaking it into different pieces like okay let's talk about tcp/ip let's talk about the individual levels in the model now we're taking this really big topic and we're making it into a smaller quest each one of those quests will build upon each other and eventually you complete that chain or those challenges

what we're doing here is you're giving them something that's small easily digestible you're defining a rule set of what they have to do what the requirements are to beat that challenge and in the end you're giving them a reward i built out this little quest window here anybody recognize that i'm sure it's world of warcraft right that was pretty fun to make but gave a little scenario here can you decrypt this message it washed up on the shore but it just looks like gibberish to me i don't know what it says can you help me out what's the objective of the quest decode this message for treycraft and let's see where this clue leads what's

the reward knowledge you might learn something i might get a new quest the chain might continue or it might be the end and it'll give you the big answer you've been looking for the entire time [Music] yes it played that time so progress mechanics this is a big one i think this is a factor in a lot of our lives is we're very competitive by nature if you can give your students or even yourself some form or mechanism to level up to gain experience through class or prestige it'll increase your engagement it'll ensure that they're there they're on task yes sir and they're ready to go things like badges and flair obviously i'm saying i work for hack the box i

gave you a couple examples from our site badges are something they're very very simple right oftentimes meaningless they mean you you hit a hurdle or an accomplishment you did a thing or you talk to a person stuff like that people love badges though like that's your thing if anyone here like plays candy crush like you you cracked a million purple candies and you get a new badge like that stuff makes people happy it makes you cool you get a little neurochemical reaction happen in your head and you love it and you remember it and you want to do it again the same thing applies to stuff like rankings or flair it's really cool and you can see it and

how people go crazy in the hack the box discord when they go from like noob to script kiddie or script kiddie to hacker people love that stuff and that's just intrinsic to our nature if you can rank up if you can show progress and be able to show your friends progress it'll go a long way you can take that whole fear of things like grades and taking tests and you can turn it who okay who in here is in college right now apparently how many of your professors grade your test the day you turn them in none right how about a week later

usually like the night before right is that scary to you or are you all right with that that's fine no right he's like no that's not cool it's not okay because now you sit and you prep for weeks going okay did i pass that test did i get that knowledge do i know what's going on or did i fail by sprinkling grades or giving them experience points in between you're giving immediate feedback you're helping keep the cycle along you're helping them progress because they're going cool i passed awesome next skill i learned it move on or crap i failed try that again do it again and it helps with retention it helps bring it all together

people like that instant feedback so keep this in mind as you start building out new training or as you try to implement some kind of program with your students and collaboration this one i feel is a really big deal and this is a life skill most people don't get which is kind of weird to say encouraging teamwork focusing on puzzles and challenges and stuff that require your students or whoever's taking that training or that learning progress to work together can go a long way most people don't like talking to other people you don't like asking for help you don't like saying you don't know but if you make them have to you normalize it it's no longer a fear it's

no longer an issue they realize it's okay it's okay not to know everything it's okay to ask for help so as long as you build in mechanisms that one allow them that outlet to ask you or a neighbor for help or to collaborate and join a group for the raid do that kind of stuff yeah see got a smile there too it makes it easier you're not as afraid you're ready to go you want to do it now you're not just hiding in the back hoping no one notices you so that's kind of where i'm trying to get with this i wanted to normalize those issues and bring them to the forefront and make them okay it's

not a problem any longer disclaimer for gamified learning for all its pluses and all the great things that i think it entails and i feel about it it does have problems so it's not a one-shot solution it's very tedious and time-consuming to build out these kind of stuffs that little quest window i made a couple slides earlier that took me about five hours to put that together i had to source the exact fonts find the quest little bubble window go through and actually make the base64 encoded text and do all these other kind of things but i feel like it was worthwhile just to see the reactions i got out of some of you when i put that up there

not every student's going to react that way though some students really don't like being put on the spot some may not like narrative they might be the competitive type or all they do is they play pvp all day they don't even look at the scenario of their games and stuff like that so that kind of stuff might not hook them the key is to find that balance and understand your audience and who you're talking to and dealing with because then you can almost tailor make it to each person use the same general scenario but you put little sprinkles of that influence throughout so that it keeps them coming and keeps them progressing this i'm putting out here for you guys

am i close close to time five okay some resources to help you level up if you're looking for a general skills progression for all the individual learners out here the self-taught people like we have up here hack the box academy we've got some awesome classes from linux and windows fundamentals hacking wordpress to fuzzing applications to attacking common services and apps how many of you have ever attacked splunk before would you know how you want to try we've got a class that'll let you do it you can learn from so many other places besides us though youtube is an invaluable like resource it is a gold mine for stuff out there if you want to know

and i'm sure you can think of three four five other names or places you can go to find general skills training right ctfs if you've never played holiday hack challenge go home tonight and play it you've got homework it's a game you'll have fun that's where the picture comes from here holiday hack challenge is probably my favorite thing to play come holiday season it's literally a game that takes cyber and makes it a game in that previous image i was an elf in santa's castle in the north pole trying to hack an arcade shelf so i'm literally playing a game trying to hack a game like what's cooler than that when it comes to i.t

and cyber there's not much for pico ctf if you've never played a ctf before and you're it's still afraid or a scary thing for you they will literally teach you how to ctf that's what their entire website is dedicated to and it's a cool little resource what about learning programming languages i'll say for me this is a personal problem that i have was it's always been a daunting and scary thing these three resources here over the wire if you don't know bash it is a fun way to learn bash with under the wire it's the same thing but for powershell they've turned these programming languages and they've made them into a game into challenge into puzzles and there's plenty of

different levels as you solve one level the password or the phrase or whatever happens to be the flag that you found is the password to let you into the next level so it's a progression game and it's really fun it made powershell and bash not as daunting this third one down here the little computer screen that's from a website called python challenge it's basically just based on your url and it allows you to experiment and play with python and the challenges they give you are to affect the web this example they give you a hint where they're saying try messing with the url in the address block if you can change it you'll progress to the next level

and then they give you little hints obviously through the pictures did anybody decode that it's right here in the text box too if anyone wants to give it a try no man i'll leave it up for a second or two if somebody wants to give it a try i'll take questions while we're going first one answer that i've got a cool little gift for you all right cool whoever that was who's that first one hand come see me after this all right figured at least somebody would give it a try what questions do you guys have for me i got a few minutes left right cool perfect timing i did this in an hour and 15 minutes two

nights ago so i'm kind of proud of myself for bringing that down to a half hour any questions comments concerns

sorry can you speak up please oh yeah there you go that works too

i would solve that issue by finding the balance not everyone likes games some of you might prefer a board game or you might just like to read and that's your thing that's where in traditional learning you take that lecture model say today we do a lecture we do a talk about a specific skill tomorrow we play a challenge that lets you practice the skill that would be my recommendation on how to solve that problem yes sir

the answer to that question is i don't know your employer so i couldn't tell you but what i would say is they probably have a training program in place already get involved if that's something you feel strongly about help them that's something you can change on your own a lot of this stuff is pretty easy with stuff like ctfd you can stand a ctf up in hours add some questions add some answers and you're good so if it's something that you have interest in that would be the easiest way is to just be involved in that training team yes probably last one right here

same with if you like learning new languages duolingo is a perfect example by learning all right well that was my talk guys thanks for coming to listen to me live here thanks for participating in the poll everywhere i was hoping that worked out if you have questions comments concerns you just want to reach out to me and say you did awesome or you suck that's me on twitter and you can find me in various discords as well thank you [Applause]