Abstract
Effective cybersecurity risk management hinges on a strategic blend of people, processes, and technology working together to recognize and prevent attacks; mitigate and minimize negative impacts should attacks succeed; and resume operations after recovery. Ideally, risk management involves processes that engage the entire organization continually and holistically—not just episodic reactions by a few key personnel in times of crisis. The translation of lessons learned into implemented and validated improvements may be a missing or underutilized best practice. This chapter explores ways gaming can be used as a complement to authoritative standards and frameworks to optimize an organization’s cybersecurity posture and preparedness. A variety of gamified approaches are described and presented as useful tools with differentiating value at multiple stages in an ongoing cybersecurity risk management cycle. State-of-the-practice exemplars and successes are cited as are approaches to adapting games to both assess and improve an organization’s cybersecurity posture. The chapter concludes with some speculations about how games focused on cybersecurity can be expected to evolve and gain greater traction for risk management in light of emergent technologies and increasingly complex threat and defense landscapes.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Hoppa, M.A. (2021). From Lessons Learned to Improvements Implemented: Some Roles for Gaming in Cybersecurity Risk Management. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_14
DOI: https://doi.org/10.1007/978-3-030-71381-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-71380-5
Online ISBN: 978-3-030-71381-2
eBook Packages: Computer Science (R0)