Training: Cyber Security Awareness Games for Employees
Bring Cyber Security Awareness to Life with our Cyber Game because innovative cyberattacks require an innovative solution
Why use Games?
Industry breach reports consistently attribute the majority of security breaches (some put the figure above 90%) to human error. Social engineering threats such as phishing have become increasingly hard to stop because many users lack the skills to recognise them. Unfortunately, many SaaS security awareness / human risk management platforms are too generic and not tailored to your organisation's risk profile. Newsletters, leaflets and email notifications about information security threats can easily become a tick-box exercise. Current social engineering threats are sophisticated and nuanced, and generic training leaves your organisation vulnerable. A more innovative approach is needed.
Tabletop exercises (TTX), on the other hand, can be highly customised and tend to foster a much greater level of participant motivation and engagement. Our tabletop exercises are built around a strategy game in which participants assume the role of the hacker. Most participants get to see a side of cyber and information security which they have never seen before: they come to understand how any organisation or job role could be a target, and they see why IT security controls matter. This change in mindset makes your team more vigilant and resilient against threats, lowering your risk.
The Power of Role Reversal - “To Know your Enemy, you must Become Your Enemy”
Our tabletop exercises involve role reversal: ordinary (non-technical) participants assume the role of the hacker. Role reversal exercises are a powerful counter to real-life cyberattacks, and the principle is an old one. The saying “To know your enemy, you must become your enemy” is popularly attributed to the Chinese general and strategist Sun Tzu, who wrote roughly 2,500 years ago that knowing the enemy as well as yourself is the key to victory. Employees who can adopt a hacker mindset when evaluating security threats greatly enhance the security posture of your organisation.
“Learning to think like an attacker, seeing how information about you can be used against you, will not stop it from happening, but it will make halting attacks in their tracks that much easier. It’s the closest thing to a security panacea I will see in my working lifetime”
Maxie Reynolds (2021)
What types of Games do you offer?
Some of our tabletop exercises include:
Let’s Go…do some Phishing Game
A general-level phishing game that brings cybercriminal techniques like CEO impersonation to life. This game shows just how easy it is for a cybercriminal to spoof an email address or an Office 365 login portal.
Let’s Go…do some Advanced Phishing Game
Some social engineering attacks target particular individuals, job roles, or industries. In this exercise, participants assume the role of a threat actor targeting a VAP (Very Attacked Person). Such roles include those working in the C-suite, finance, payroll and HR. Here participants get to understand just how well-researched and sophisticated some spear-phishing attacks are.
Let’s Go…do some Invoice Fraud
Invoice fraud (a form of business email compromise, or BEC) continues to be a significant financial risk for organisations. Even where controls are in place to prevent such attacks, cybercriminals are still managing to bypass them. In this exercise, participants assume the role of a bad actor executing an invoice fraud attack. Using social engineering, they have to gain access to the target’s email account. They then have to devise a credible pretext as to why the bank account details on a new invoice have changed, and a technique to get past whatever verification checks the organisation might use to prevent invoice fraud. Participants come to understand how easily email accounts can be compromised and silently monitored by cybercriminals, and how your organisation’s inbound or outbound payments can be intercepted. Employees who can recognise the key elements of an invoice fraud attack in progress can stop such an incident dead in its tracks.
Let’s Go…launch a Ransomware Attack
Many users don’t understand the connection between phishing, internet browsing activities and password hygiene. In this exercise, participants are tasked with launching a ransomware attack on one of their peer organisations. Participants get to understand how phishing, malware, and poor password hygiene are linked to ransomware attacks.
Let’s Go…spread some Malware
Even though most organisations run their systems in a locked-down configuration, privilege-escalating malware still presents a significant risk. In this exercise, using our easy-to-understand malware-themed prompt sheets, participants have to launch a malware attack on a fictitious organisation operating in the same industry sector as their own. Participants see just how easily malware can slip past anti-spam solutions, email gateways (such as Proofpoint) or the built-in filters of Office 365.
Benefits
Brings Learning to Life
Cyber and information security risks can be a dry topic. Our tabletop exercises bring these risks to life. Participants put the content they have learned into action straight away, which reinforces their understanding of information security threats.
Engagement
The “play instinct” is innate to humans from childhood. When social engineering-based threats are discussed in the context of a game, people learn without realising that they are learning. Game-based exercises often engage in a way that other learning mediums don't.
Customised Training at Role Level, Department Level, and Industry Sector
The type of threats targeting your finance department are probably going to be different from those aimed at your sales department. Likewise, the type of threats targeting a SaaS organisation are going to be different to those targeting a government body. Our tabletop exercises can be customised to role-level, department-level, or industry sector. Compared to generic e-learning content, customised training content greatly enhances engagement and understanding of how information security threats play out.
Your Team see Information Security Risks through a new Lens
For ordinary users, IT security concepts can be quite abstract. Tabletop exercises bring to life how these information security risks play out in the real world. They get to see risks such as credential theft in context and through a new lens. This also enables them to better understand the relevance of your security policies and controls.
A Broadened Risk Radar
After a cyberattack or data breach, many users will claim they were never aware or informed about the risk which they fell prey to. Our CyberGame exercises broaden the “risk radar” of your team. After training, they will have a broader view of evolving risks such as multi-stage phishing, AI-enhanced impersonation, and the latest Office 365 threats.
Real-World Scenarios Simulated
In our exercises, we use threat scenarios that your organisation has seen before, but we also use the latest cyber-threat intelligence to introduce new and evolving threats commonly aimed at your industry. For example, many users still erroneously believe that email phishing is a one-step process. Our exercises demonstrate how attacks like multi-stage phishing actually work.
Social Learning
Our table-top exercises are designed to promote social learning. Social learning is powerful because it leverages the natural human propensity to learn new information from their colleagues. During our exercises, participants will analyse, learn, and react to the knowledge shared by their peers.
Real-time Feedback
Groups are given real-time feedback from a SANS-certified human risk management instructor.
How does it work?
Each of our tabletop exercises works differently.
As an example, our Let’s Go Phishing game works like this:
- Participants are divided into groups
- Each group assumes the role of a cybercriminal group. They now have to think like cybercriminals
- A cyberattack challenge is presented to them. For example, “This is ABC Ltd. How are you going to socially engineer one of their employees to gain access to their client database or deploy a ransomware attack on them?”
- Questions are presented to participants, encouraging them to detail the step-by-step elements of their attack
- Prompt sheets containing various attack vectors, malware tools, and social pretexts are provided
- Groups appoint a spokesperson to present their tactics
- At the end of the session, feedback is given to each group.
How are your tabletop exercises delivered?
Our CyberGame tabletop exercises are delivered on-site or virtually over Zoom. Group exercises are facilitated by the “breakout room” feature of Zoom.
Checklist for Conducting Great Information Security Table-Top Exercises
- Each tabletop exercise should have clear goals and learning objectives.
- Participants should have a grounding in the basics of information security risks and cybercriminal modus operandi. (Our core CyberSecurity Awareness Masterclass normally provides this.) Your exercises should be designed so participants can use and contextualise the content they have learned during their core training.
- Use language that your audience will understand. There is no point in using terms like “keylogger” or “hijacked domain” if your audience doesn’t know what these terms mean. If at all possible, limit the use of technical jargon. Where there is no other option, make sure you provide participants with simplified explanations of technical concepts or terms on your prompt sheets.
- Your cyber and information threat scenarios should be as true to life as possible. If participants are quietly thinking, “That sort of cyberattack would never happen here”, you’re doing it wrong! Participants must be “shown the evidence”, so to speak, of what can happen before, during, and after cyber-breach incidents. In our CyberSecurity Awareness Masterclass, we show participants real-life examples of cyberattacks and data breaches that have happened to their peers.
- Participants should have a feeling of psychological safety. “Putting people on the spot” by asking them questions in front of their peers could make some extremely uncomfortable. You need to strike a balance between a relaxed but challenging environment that is conducive to learning.
- Make your exercises emotional. Emotions like curiosity can increase the motivation to learn. There is a reason why murder mysteries frequently top Netflix charts and best-seller lists. Moreover, emotional experiences are more likely to be remembered than non-emotional ones.
- Successful cyberattacks and data breaches often use an element of surprise. During role-reversal exercises, encourage participants to work some curveball elements into their simulated attacks.
- After the session, get the evaluation and feedback ball rolling. While instructor feedback is important, don’t be afraid to get the groups to evaluate each other's strategies first. This stimulates a bit of healthy rivalry, gets your group into a deeper conversation about information security, and encourages powerful social learning.
- Make sure that your exercises use the right level of challenge. Exercises perceived as too easy won’t engage participants enough for maximum learning. Exercises perceived as too technical can leave participants overwhelmed. The sweet spot for maximum learning transfer is usually somewhere in between.
Case Study
“One Close Call Too Many”: a case study of an Irish government agency lowering their human IT risk with SecureClick’s Cybergame exercises.
How we helped an Irish regulatory body increase their human cyber resilience scores from 38% to 79%
Problem: Their team was receiving some very sophisticated impersonation-themed phishing emails mimicking their CEO and other stakeholders. Furthermore, some of their peer organisations in the UK and continental Europe had been hit by some pretty nasty crypto-ransomware attacks. After a few “near-miss” incidents, they felt that it was one close call too many. They were already using an e-learning platform for training and were running simulated phishing campaigns. However, their IT team and management felt this was insufficient and wanted to lower their human IT risk as far as possible.
Solution: We first conducted a risk assessment to estimate the probability of their risks materialising, and ranked them as high, medium and low. Using this information, we ran our online human risk assessment survey to establish a human risk baseline for their team (their Human Risk Resilience Score, or HRRS). Their HRRS came in at 38%. Knowing their key human vulnerabilities, we designed a customised tabletop exercise for them, reflecting the threats the agency was seeing as well as those seen by their peer organisations.
We divided the participants into 4 groups and tasked them with devising a plan to impersonate the CEO of another government agency and trick one of its employees into downloading malware. For this exercise, they had to decide what channel to use (e.g., email, SMS, etc.), what sort of malware they would deploy, and what pretext, emotional trigger, etc., they would use. Each group received prompt sheets of various attack types and malware tools. The malware sheet included tools such as keyloggers, RATs and malicious browser extensions. The attack vector sheet included attack types such as vishing, smishing, and email impersonation techniques. We then asked each group to devise a “curveball attack”: an innovative tactic to persuade an employee in the target organisation to download crypto-ransomware onto one of their devices. (A dedicated Curveball Attack prompt sheet was provided.) The objective here was to get participants thinking up some unusual ways their organisation might get attacked. Finally, we asked participants to make some post-attack recommendations to the board of their victim organisation about how social engineering attacks could be prevented in the future. (When IT security behaviour changes are devised by participants themselves, they have a much higher probability of being adopted.) For their team, this was a truly immersive learning experience. They got to see how impersonation and ransomware attacks happen in a totally different light. Even their in-house IT team was pleasantly surprised that some of their non-technical employees were now talking about cryptors, email address spoofing tools, RATs, Office 365 phishing kits, and multi-factor authentication in a fluent and matter-of-fact way.
Results: One month later, we re-ran our human risk assessment survey. This time, their Human Risk Resilience Score came in at 79%, more than double their pre-training baseline of 38%. Their management and IT teams could now sleep a little sounder at night.