The Gamification Of Cybersecurity Training

Forbes Technology Council
Boaz Shunami


In recent years, a steep rise in demand for cybersecurity professionals has resulted in a huge shortage of experienced employees. By 2021, there will be 3.5 million unfilled positions.

The growing demand for cyber professionals makes many young people consider a career in cybersecurity, which creates a demand for educational opportunities in the field. However, in many cases, classroom lessons are not enough. Many experts claim that there is a need to change the way we provide education.

There are many new approaches to improving this learning experience. One of these approaches is called gamification, which involves transforming the classroom environment into a game.

Playing games is a natural way for us humans to learn. We practice by playing games, and we obtain new skills. We learn a lot by playing, and most importantly, we have fun.

Therefore, if we incorporate gaming elements into the learning experience, we will learn a lot more -- because we enjoy the process.

I personally believe that this approach is especially relevant to cybersecurity education, where there is a need to experience real-life scenarios in order to really understand and digest all the data learned in a given class.

One of the popular, long-standing games in the cybersecurity industry is the CTF. This is a capture-the-flag challenge that requires participants to prove their skills in fields like hacking and reverse engineering, all with the goal of finding a flag and winning the contest. Although participating in CTF challenges is both fun and educational, it appears that this game has one serious limitation: It is mainly a game for advanced security professionals.

We gathered some statistics from our own CTF game and found that they've remained relatively consistent for several years now. We can see that most of the people who register for the challenge score zero points. That means they were not able to solve even the simplest challenge. Other than this group, about 80% solve the entry-level challenges only, and less than 3% solve all challenges. These statistics suggest that CTF is an educational game that targets advanced and expert players only. There is still a place for a game that will help entry-level students learn and experience cybersecurity theory.

So we released an open training game for beginners, and the feedback we received from the community after releasing this game was very positive. In developing our own gamified training system, we learned a few important lessons that you, too, can apply to your training efforts. Start with these first steps:

1. Choose A Game Format: Inventing a new game is not an easy task. You should not try to build everything from scratch. There are many well-established game categories that actually define a framework for a successful game. Some examples include simulation games, puzzles, adventure games and many more. We chose the visual novel style for our training project, which is an interactive storytelling genre that originated in Japan. This format allows us to present information to players in a more linear way. No matter what you choose, following an established framework assures that people can actually play and enjoy such a game.

2. Define Your Target Audience: The first thing you need to do is to decide the level of your players. Are you approaching beginners? Are you approaching experts? What preliminary knowledge is needed in order to play your game? Then, you need to define the content your game will include. If you approach beginners, you might choose topics like understanding the security log, getting familiar with the right tools, etc. If you approach advanced students, you might choose topics like performing memory analysis, understanding the anatomy of an attack, etc. Either way, in the end, you really just need to concentrate on building your game for the right people. If it doesn’t include everything you planned, that is not such a big problem, but if it does include everything you planned and people don’t play your game in the first place, you kind of missed the whole point.

3. Be Flexible: When building a game, you need to be creative. Many times, this includes allowing yourself to deviate from the original plan and go in directions you did not anticipate. You might find yourself removing an entire section of the game or choosing a different concept. One of our team members once told me it reminded him of the process of making a film. You might even want a technological infrastructure that allows such constants to change. Such flexibility is crucial, since your content is ever-changing, and your game needs to adapt to new tools, new tactics and new methods.

There are so many different things you need to plan for and consider when building a new game, but the most important is to not be afraid of the unknown. Let your imagination thrive and enjoy the ride. Remember, the process of educating your cybersecurity personnel should be fun and engaging -- so, too, should your creation process.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.