No One Left Behind: Security Defense through Gamification including CTFs, presented at LASCON 2017

by Kashish Mittal

Summary: Do you think that the Information Security training at your company gives an employee a fighting chance against a sophisticated attacker? With the data behind breaches continually showing that employees are a root cause of incidents, we need to provide solutions that help them defend themselves. We all know the old-school measures of videos, lectures and policy tomes are ineffective, so why not try something new?

I present a new approach: Security Gamification meets CTF (Capture the Flag). CTFs have been a training ground for security professionals and enthusiasts, but in this presentation I will show how to apply similar CTF concepts to non-technical employees. The end result is engaging, employs the 'learning by doing' methodology and has friendly competition built in. Who doesn't love solving puzzles over watching another boring video with a quiz at the end? The training emphasizes a 'No one left behind' principle, in which all the employees at a company get trained in cybersecurity defense.

The presentation will cover the issues with current security training methods and how Gamification and CTFs address them. I will recount some war stories of how I rolled this out at some of my previous employers and the lessons learnt from those experiences. The presentation will also delve into the difference that this training made and the metrics that can be used to quantify the differences at the attendees' companies. Then it will go on to talk about how to present this to the management team in order to get buy-in. As the presentation is interactive, attendees will have some chances to exercise their arms.

Some other pros of this training are that it is highly scalable, helps employees get into the attacker mindset, and can effectively track increases in employees' awareness levels. Also, the security puzzles created are customized to the job function and level of the employee. We don't give a developer the same Sales training as a Sales guy, so why give everyone the same Security training? Finally, the presentation will demo some security puzzles for both technical and non-technical employees.