May 19, 2020
Some great insights from Adam Shostack, author of the successful cyber security book “Threat Modeling” and inventor of the Elevation of Privilege card game, from his session with Mark Vinkovits at the AppSec California 2019 conference on why games are good for cyber security. Below is the part of the transcript where Adam explains how games can resolve problems in scenarios where other kinds of collaboration don’t work as effectively.

Adam Shostack speaking at the conference:

So more generally than Elevation of Privilege, I’ve come to the understanding that games are really good for security… Games help us solve important problems which we face, and there’s a bunch of reasons that games work as a tool.

So if I bring out a card deck, this is a very modern sort of game.

They are attractive. They’re intriguing. If I start with some cards and I show these to you, it’s like, oh, that’s interesting. Right? What is that? Let me learn about this. And that’s powerful as we’re engaging with developers who might think that they have other things to do. It’s powerful as we engage with operations people.

I talked about flow. Flow is important. You saw me get into a little bit of a flow state as I was talking about those things, and I forgot to hand off to Mark.

The other thing that it does is, if I’m going to hand each of us a hand of cards, as play progresses around the table, I cannot be a wallflower. I’ve got this card in my hand and I’ve got to say, huh, how does this connect to the system? Not sure? I’ll go to my next card, then I’ll go to my next card, and so it requires participation without being aggressive or demanding. If people are feeling a little frozen, and I see this happen, they’ll say, I think this card might have something to do with what we’re working on but I’m not exactly sure, and they’ll get help from the people around them, or they’ll just use the hint on the card and be able to act, and so it creates this very fast feedback.

More importantly, perhaps even most importantly, is that when we’re playing a game, the act of playing gives us permission to behave differently than we might otherwise behave in a meeting. I can explore an idea. If I’m sitting with the most senior developers in the company, who have founded it, built the code, they might say this is safe. I might freeze. I might not feel like it’s okay for me to tell these folks to explore. But if I’m playing a game with them I could say, yeah, it probably is, but what about this, right? I just have to play my card in this hand, so let’s see what happens. And that permission also extends to disagreement… [basically] the game gives me a different context for a conversation, and as security people that can be incredibly powerful, because we don’t have a lot of playful conversations with the people around us.

The other thing to mention about Elevation of Privilege is that it produces real threat models. It’s not simply a training game that you play once and then you’re done and you know how to threat model. So that’s a valuable property of the game.

Now the game sits in a line of games. It was directly inspired by Protection Poker by Laurie Williams at North Carolina State. I heard a podcast that Laurie was in talking about it and I said, that’s fun, let me see if I can build a game to help people. And then I learned about this whole ‘serious games’ movement and I thought, well, if threat modeling should be simple, fun and have flow, I can build games for this.

I did this while I was at Microsoft. If you go to GitHub, Adam Shostack, EoP, you can download copies, and we’ll give you more links at the end of the presentation. But I do want to say thank you to Microsoft for enabling this open-source sort of engagement where Mark can take the game, and I heard from him after he had built the privacy extension. So if you want to do similar things, it’s worth thinking about serious games, because this is a big field. It’s got its own conferences, and a serious game is a game that has an explicit and defined educational purpose. The goal is not to play for pleasure, the guilt — you can, but the goal is present.

And there’s all sorts of things — table top exercises, persuasive games, games for health. We see a lot of use of gamification — points, badges, leader boards to help motivate people, and there’s ups and downs to these things which I’m not going to go into. But I do want to give a shout out to a colleague at Microsoft who used gamification to help deliver Windows 7. So Windows has shipped in, I don’t even know, I think it’s now a hundred and thirty different languages. And QA in the translation from English into these other languages is a big, expensive project. And so they gamified it. They said, what we’re going to do is present you the English text and the Hungarian text, and then they reached out to their office in Hungary and said, hey, all of your people should look at these screens and tell us where the translations are good and where they’re bad. And it turns out that that work resulted in lower cost and better translation because of the use of a gamified structure.

So you can really think about games solving problems that you have — around engagement, around how do I get lots of people to do an activity that they might not understand really well. You know, we don’t want to just present them walls of text, and so I think serious games are important to security.