Cybersecurity Gamification: Cyber challenges to prepare you for a real attack
Joseph Carson
Lack of practical cybersecurity skills and experience is a major problem in our industry, causing a worldwide shortfall of 3.5 million jobs. According to the latest Cybersecurity Workforce Study, the skills gap is growing, with 26% more jobs unfilled in 2022 than in 2021. Cybersecurity training simply isn’t keeping up with the demand.
Many IT and security pros, along with the companies they work for, are turning to cybersecurity gamification, also known as hacking gamification, to improve the skills they need to get the job done. Keep reading to learn more about cybersecurity gamification, how you can get involved, and some common examples of gamification in action.
What is cybersecurity gamification?
Gamification in cybersecurity is a strategy that incentivizes people to solve security-related challenges through competitions and rewards to improve their hands-on technical expertise and collaboration skills. Hacking gamification uses game theory and game mechanics not simply for fun but also to understand and improve cybersecurity decision-making.
The concept of gamification in business isn’t new. Many companies use it for onboarding new employees, performance management, and customer loyalty programs. If you've ever earned “badges” for answering questions in a tech community, you’ve participated in gamification.
Why do companies use gamification for training?
The knowledge retention rate for employees with traditional learning and development methods is only about 5%. But with experiential learning, retention can be as high as 90%. Through hands-on learning formats such as gamification, participants are more likely to remember skills and be able to put them to use.
Hacking gamification puts employees in real-world scenarios and makes them think under pressure. It relies on critical thinking and collaboration to achieve optimal outcomes.
Some organizations even offer incentives, such as rewards for in-game achievements, encouraging employees to participate.
Why gamification for cybersecurity?
Reading about cybersecurity—or even passing your CISSP or other exams—doesn’t necessarily make you an expert in a battle against a cyber criminal.
The best defense is to know thy enemy—not just knowing what an attacker is most likely thinking, but also their preferred techniques.
Gamification teaches people to learn how cyber criminals think and act so they can apply new strategies to combat them. This is important because hackers often think outside the box to penetrate networks and gain access to sensitive data. By thinking like a hacker, you can potentially anticipate a threat actor’s moves and take preventive actions to thwart their plans.
When you make it harder for hackers to achieve their goals, they may choose another victim. When you make them jump through hoops, they make more noise, making them more likely to be caught.
Let’s examine four benefits of gamified cybersecurity training.
Continuous training for IT and security professionals
Keeping up with cyber criminals requires ongoing training for IT and security pros, particularly in cyberattack defense and response. The strategies and tools used by cyber criminals are constantly changing, and cyber attacks are becoming more complex. The more practical experience you have combating threats and working across teams to solve problems, the more effectively you’ll be able to reduce risk for your organization.
For example, when a new vulnerability is discovered, you can use cybersecurity gamification to learn about the vulnerability, how it is exploited, and what you can do to reduce the risk to your organization. Hacking gamification was used heavily to educate people about the Log4j vulnerability and help them mitigate it.
New career opportunities
Gamification gives people a platform to showcase their cybersecurity skills and get noticed by a community of professionals. Many gamification platforms have a leaderboard to show who has gained the most points based on progress on challenges. Many companies are now creating challenges to discover the best talent. This can lead to new career opportunities for cybersecurity professionals while helping companies discover hidden talent and fill positions.
Better teamwork across IT, development, security, and incident response functions
Many companies succeed by implementing cybersecurity training as a team activity. Gamified training helps break down silos and increases teamwork among different business units and skill sets. This, in turn, brings teams closer together and increases learning opportunities.
In a cybersecurity game, it’s a good idea to mix skill sets within a team. For example, you may want to combine developers who are used to building technology with people who are used to tearing systems down.
Think of it as: blue team + red team = purple team.
In addition, it’s good to mix people with varying levels of knowledge and ability. You don’t want to put all your best people on the same team, after all. Gamification also brings the fun back into cybersecurity and enables teams to work together, solving challenges and learning new skills from each other.
Basic cybersecurity training for business users
Cybersecurity training is something many employees dread because—let’s face it—it’s often incredibly boring. Rather than assigning people to review a narrated PowerPoint deck and take a series of quizzes, what if you turned their mandatory compliance training into a game? Give them a chance to compete for prizes, and suddenly people are much more likely to get and stay engaged. Plus, they’re more likely to remember what they learned the next time a phishing email enters their inbox.
How does cybersecurity gamification work?
The great part about cybersecurity gamification is that anyone can do it, regardless of their level of security knowledge or training. It’s for anyone who has the desire, curiosity or need to learn cybersecurity basics and advance their skills.
With this in mind, there are a few different ways to approach cybersecurity gamification, even if your company isn’t organizing a competition. You can find single-player games and competitions on social channels. You can also participate as a team in multi-player games through online groups or Meetups.
Some of the most common and popular cybersecurity gamification platforms include:
- HackTheBox
- Cybrary
- ImmersiveLabs
- TryHackMe
- Bug Bounty Platforms
- VulnHub
- Web-Security Academy
- OWASP Juice Shop
- PENTESTERLAB
- RootMe
- CTF
- Hack.Me
These are just some of the many platforms that provide different ways to learn cybersecurity skills, ranging from walkthroughs and interactive learning to exploratory challenges.
Examples of cybersecurity gamification
Now that you have a better idea about cybersecurity gamification and how it works, let’s examine what it looks like in action.
Cybersecurity simulations
Cybersecurity simulations involve creating artificial threats and teaching participants how to respond to them as they would in real-world situations. For example, a simulation may involve a criminal using a pass-the-hash attack to steal credentials, gain access, and escalate privileges. It could reproduce the latest attack scenario in the news or focus on a particular entry in the Common Vulnerabilities and Exposures (CVE) list. Check out Game of Threats from PwC, which creates a realistic experience and requires players to make quick, high-impact decisions with minimal data.
Some of the most common gamification simulations are discovering credentials, cracking passwords, and privilege escalation techniques.
If you are interested in seeing some live hacking gamification walkthroughs, then check out our on-demand webinar, where we demo live cybersecurity gamification challenges.
Cybersecurity capture the flag (CTF)
War games like cybersecurity capture the flag competitions allow participants to use cybersecurity tools to discover hidden clues. You’ll learn where to put your mousetraps so you can catch the hacker in their tracks. At the end of the competition, the team that racks up the most flags during the event wins. There are many CTFs worldwide, from online to large in-person CTFs at cybersecurity events such as Defcon.
Hackathons
Hackathons are events where individuals compete to complete cybersecurity tasks and solve challenges, often under time pressure. Some companies run hackathons to keep their workforce motivated and identify prospective employees—like a casting call for talented, creative tech staff. Some hackathons are open to the public and don’t require advanced knowledge or credentials to join.
Ethical hacking platforms
Gamified ethical hacking platforms encourage employees to penetrate system defenses in interactive and challenging ways. These gamified employee training programs let users learn through trial and error while focusing on specific areas such as Windows security and incident response.
eSports
You don’t have to be a player to benefit from cybersecurity gamification. It also pays to watch other people play. Think of it as Twitch for cybersecurity: you can stream ethical hacking competitions to learn the moves and cheer for your favorites.
The future of cybersecurity gamification
As cyber threats are now pervasive, everyone must sharpen their skills to reduce risk. Cybersecurity gamification can be an effective strategy to meet this goal.
Check out our recent podcast featuring Ian Austin of Hack the Box and Joseph Carson, Delinea’s Chief Security Scientist and Advisory CISO, for the latest on ethical hacking and cybersecurity gamification: Gamification of Ethical Hacking and Esports with Ian Austin.