Massive breaches in corporate and government security in the last few years mean that most organizations are now aware of the importance of cybersecurity training. However, there are some challenges in training cybersecurity professionals. For one thing, there’s a severe cybersecurity skills gap.
Mike Moniz, president, founder and CEO of Circadence Corp., identifies two additional challenges. First, there’s a shortage of qualified cybersecurity instructors. Second, it’s difficult to truly reproduce real-life cybersecurity threats with the same sophistication and passion that hackers or nation states have when they commit a cybercrime.
Moniz believes Circadence addresses these challenges. Circadence launched its first training product in December after over 20 years in the online gaming industry. Recognizing the high demand among U.S. government organizations for persistent cybersecurity training, Moniz and his team started working with federal agencies on cyber ranges, virtual replications of operational environments. The benefit of cyber ranges, Moniz says, is that “in a virtual environment, if we break the network, we just respawn it.” They approximate a real-life scenario without the real-life risk.
While working with the government, Moniz says, he and his team saw the need for a cybersecurity training platform that was engaging and didn’t rely on instructors. Circadence’s new product, Project Ares, introduced game theory and artificial intelligence to cybersecurity training. Moniz says that the millennial generation is “very much a maker generation”; combine that with his statement that many cybersecurity professionals are also gamers, and an online, simulation-based gaming platform becomes an ideal solution for cybersecurity training.
Project Ares uses machine learning to continuously update the gaming environment based on new problems and data, which works more efficiently than an instructor ever could. “We have our own deep learning adversary,” Moniz says, “a very challenging opponent to help [learners] evolve to that world-class level.” They’re also working on a program for individuals and organizations to create their own games as well as virtualization technologies to scale “high-fidelity environments” that aren’t just technical but also physical, like an aircraft carrier or a bank.
The Benefits of Serious Games
Andrew Hughes, president of Designing Digitally, compares using serious games for learning to the experience of a child learning not to touch a hot stove: While every child’s parents tell them not to touch the stove, he says, none of us really learned that lesson until we touched the hot stove. “Traditional e-learning is telling you not to touch the stove,” he says, but with serious games, “we can actually have you experience what that ‘hot’ feels like.”
Gaming can increase engagement and retention; Moniz says that the skills you learn in a game “are less perishable because you … internalize” them. In the case of cybersecurity training, it also improves much-needed creativity. “Cybersecurity’s not like teaching a pilot to fly an airplane, where you pretty much follow the checklist,” he says. The “creativity of your adversary, of someone who’s trying to steal from you or exploit your system, is not defined by a set of known rules but … by their own creativity.” It’s crucial, then, that the people who fight these threats are creative as well. Immersing cybersecurity professionals in a game helps them learn to think adaptively when faced with new challenges.
Tips for Implementing Serious Games
When developing a game, Hughes says, “do not start with your theme.” Instead, start by identifying the business problem the training should solve and then determining the learning objectives of the game. Next, learn about your audience. Understand their interests, their hobbies, the games they enjoy playing, the devices they use and what motivates them. It’s important to “really [dig] into the target audience,” Hughes says, “so when you actually decide what type of game to build, you have a very strong understanding of who you’re building for.”
It’s also important, he says, not to have a “field of dreams mentality.” Just because you build it, it doesn’t mean they will use it. Develop incentives based on your understanding of the target audience, and market the game internally. This is especially important if your learners have had negative experiences with e-learning.
As with any training initiative, measurement is important, but it’s also important to know why you’re measuring what you’re measuring rather than collecting data for the sake of data. Learn how engaged learners were: Did they finish the game? What was their score? How long did it take them? How many times did they attempt it? Hughes says the more engaged the learner is, the better their retention will be.
A decade ago, according to Hughes, people said that using serious games for adult learning wouldn’t work – that adults wouldn’t want to play. But it’s “quickly becoming a standard,” and the benefits are undeniable. For topics like cybersecurity, where the ability to simulate reality in a safe environment is of utmost importance, serious games are a solution to what can be a very costly problem.