From Lessons Learned to Improvements Implemented: Some Roles for Gaming in Cybersecurity Risk Management

  • Chapter
Advances in Cybersecurity Management
  • 2225 Accesses

Abstract

Effective cybersecurity risk management hinges on a strategic blend of people, processes, and technology working together to recognize and prevent attacks; mitigate and minimize negative impacts should attacks succeed; and resume operations after recovery. Ideally, risk management involves processes that engage the entire organization continually and holistically—not just episodic reactions by a few key personnel in times of crisis. The translation of lessons learned into implemented and validated improvements may be a missing or underutilized best practice. This chapter explores ways gaming can be used as a complement to authoritative standards and frameworks to optimize an organization’s cybersecurity posture and preparedness. A variety of gamified approaches are described and presented as useful tools with differentiating value at multiple stages in an ongoing cybersecurity risk management cycle. State-of-the-practice exemplars and successes are cited as are approaches to adapting games to both assess and improve an organization’s cybersecurity posture. The chapter concludes with some speculations about how games focused on cybersecurity can be expected to evolve and gain greater traction for risk management in light of emergent technologies and increasingly complex threat and defense landscapes.

Correspondence to Mary Ann Hoppa.

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Hoppa, M.A. (2021). From Lessons Learned to Improvements Implemented: Some Roles for Gaming in Cybersecurity Risk Management. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_14

  • DOI: https://doi.org/10.1007/978-3-030-71381-2_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-71380-5

  • Online ISBN: 978-3-030-71381-2

  • eBook Packages: Computer Science (R0)
