Circadence’s Wes Knee shares insight into why and how gamification enables cyber training and skill building for professionals in today’s talent gap.
What happens when cyber security and machine learning work together? The results are pretty positive. Many technologies are leveraging machine learning in cyber security functions nowadays in order to automate and augment their cyber workforce. How? Most recently in training and skill building.
Machine learning helps emulate human cognition (e.g. learning based on experiences and patterns rather than inference) so autonomous agents in a cyber security system for instance, can “teach themselves” how to build models for pattern recognition—while engaging with real human cyber professionals.
Machine learning as a training support system
Machine learning becomes particularly valuable in cyber security training for professionals when it can support human activities like malware detection, incident response, network analysis, and more. One way machine learning shows up is in our gamified cyber learning platform Project Ares, under our AI-advisor “Athena” who generates responses to player’s queries when they get stuck on an activity and/or need hints to progress through a problem.
Athena generates a response from its learning corpus, using machine learning to aggregate and correlate all player conversations it has, while integrating knowledge about each player in the platform to recommend the most efficient path to solving a problem. It’s like modeling the “two heads are better than one” saying, but with a lot more “heads” at play.
Machine learning as an autonomous adversary
Likewise, machine learning models provide a general mechanism for organization-tailored obscuring of malicious intent during professional training—enabling adversaries to disguise their network traffic or on-system behavior to look more typical to evade detection. Machine learning’s ability to continually model and adapt enables the technology to persist undetected for longer (if it is acting as an autonomous agent against a trainee in our platform). This act challenges the trainee in the platform in a good way, so they begin to think like an adversary and understand their response to defensive behavior.
Machine learning supports cyber skills building
Companies like Uber use machine learning to understand the various routes a driver takes to transport people from point A to point B. It uses data collected to recommend the most efficient route to its destination.
It increases the learning potential for professionals looking to hone their cyber skills and competencies using machine learning.
Now imagine that concept applied to cyber training in a way that can both help cyber pros through cyber activities while also activating a trainee’s cognitive functions in ways we previously could not with traditional, off-site courses.
Machine learning abilities can analyze user behavior for both fraud detection and malicious network activity. It can aggregate and enrich data from multiple sources, act as virtual assistants with specialized knowledge, and augment cyber operators’ daily tasks. It’s powerful stuff!
Hear why and how teachers deployed Project Ares in the classroom to elevate cyber learning and teaching and what students thought of the experience.
Every day we get more interconnected and that naturally widens the threat surface for cybercriminals. In order to protect vulnerabilities and keep pace with hacker methods, security – and non-security professionals must understand how to protect themselves (and their companies). And that involves looking for new ways to improve cyber security. To start, we believe cyber security can be improved by focusing on three areas: enterprise-wide cyber awareness programs, within cyber teams via persistent training, and in communication between the C-suite and the CISO. Check out our recommendations below and if you have a strategy that worked to improve cyber security in your company or organization, we’d love to hear about it.
Company-Wide Security Awareness Programs
Regardless of company size or budget, every person employed at a business should understand fundamental cyber concepts so they can protect themselves from malicious hackers. Failure to do so places the employee and the company at risk of being attacked and could result in significant monetary and reputation damages.
Simple knowledge of what a phishing email looks like, what an unsecured website looks like, and implications of sharing personal information on social media are all topics that can be addressed in a company-wide security program. Further, staff should understand how hackers work and what kinds of tactics they use to get information on a victim to exploit. Reports vary but a most recent article from ThreatPost notes that phishing attempts have doubled in 2018 with new scams on the rise every day.
But where and how should companies start building a security awareness program—not to mention a program that staff will actually take seriously and participate in?
We believe in the power of gamified learning to engage employees in cyber security best practices.
Our mobile app inCyt helps novice and non-technical professionals learn the ins and outs of cyber security from hacking methods to understanding cyber definitions. The game allows employees to play against one another in a healthy, yet competitive, manner. Players have digital “hackables” they have to protect in the game while trying to steal other player’s assets for vulnerabilities to exploit. The back and forth game play teaches learners how and why attacks occur in the first place and where vulnerabilities exist on a variety of digital networks.
By making the learning fun, it shifts the preconceived attitude of “have to do” to “want to do.” When an employee learns the fundamentals of cyber security not only are they empowering themselves to protect their own data, which translates into improved personal data cyber hygiene, but it also adds value for them as professionals. Companies are more confident when employees work with vigilance and security at the forefront.
Benefits of company-wide security awareness training
- Lowers risk – Prevents an internal employee cyber mishap with proper education and training to inform daily activities.
- Strengthens workforce – Existing security protocols are hardened to keep the entire staff aware of daily vulnerabilities and prevention.
- Improved practices – Cultivate good cyber hygiene by growing cyber aptitude in a safe, virtual environment, instead of trial and error on workplace networks.
For more information about company-wide cyber learning, read about our award-winning mobile app inCyt.
Persistent (Not Periodic) Cyber Training
For cyber security professionals like network analysts, IT directors, CISOs, and incident responders, knowledge of the latest hacker methods and ways to protect and defend, govern, and mitigate threats is key. Today’s periodic training conducted at off-site training courses has and continues to be the option of choice—but the financial costs and time away from the frontlines makes it a less-than-fruitful ROI for leaders looking to harden their posture productively and efficiently.
Further, periodic cyber security training classes are often dull, static, PowerPoint-driven or prescriptive, step-by-step instructor-driven—meaning the material is often too outdates to be relevant to today’s threats—and the learning is passive. There’s minimal opportunity for hands-on learning to apply learned concepts in a virtualized, safe setting. These roadblocks make periodic learning ineffective and unfortunately companies are spending thousands of dollars every quarter or month to upskill professionals without knowing if it’s money well spent. That’s frustrating!
What if companies could track cyber team performance to identify gaps in security skills—and do so on emulated networks to enrich the learning experience?
We believe persistent training on a cyber range is the modern response for companies to better align with today’s evolving threats. Cyber ranges allow cyber teams to engage in skill building in a “safe” environment. Sophisticated ranges should be able to scale as companies grow in security posture too. Our Project Ares cyber learning platform helps professionals develop frontier learning capabilities on mirrored networks for a more authentic training experience. Running on Microsoft Azure, enterprise, government and academic IT teams can persistently training on their own networks safely using their own tools to “train as they would fight.”
Browser-based, Project Ares also allows professionals to train on their terms – wherever they are. Artificial intelligence via natural language processing and machine learning support players on the platform by acting as both automated adversaries to challenge trainees in skill, and as an in-game advisor to support trainee progression through a cyber exercise.
The gamified element of cyber training keeps professionals engaged while building skill. Digital badges, leaderboards, levels, and team-based mission scenarios build communicative skills, technical skills, and increase information retention in this active-learning model of training.
Benefits of persistent cyber training
Gamifying cyber training is the next evolution of learning for professionals who are either already in the field or curious to start a career in cyber security. The benefits are noteworthy:
- Increased engagement, sense of control and self-efficacy
- Adoption of new initiatives
- Increased satisfaction with internal communication
- Development of personal and organizational capabilities and resources
- Increased personal satisfaction and employee retention
- Enhanced productivity, monitoring and decision making
For more information about gamified cyber training, read about our award-winning platform Project Ares.
CISO Involvement in C-Suite Decision-Making
Communication processes between the C-suite and CISO need to be more transparent and frequent to achieve better alignment between cyber risk and business risk.
Many CISOs are currently challenged in reporting to the C-suite because of the very technical nature and reputation of cyber security. It’s often perceived as “too technical” for laymen, non-cyber professionals. However, it doesn’t have to be that way.
C-suite execs can understand their business’ cyber risks in the context of business risk to see how the two are inter-related and impact each other.
A CISO is typically concerned about the security of the business as a whole and if a breach occurs at the sake of a new product launch, service addition, or employee productivity, it’s his or her reputation on the line.
The CISO perspective is, if ever a company is deploying a new product or service, security should be involved from the get-go. Having CISOs brought into discussions about business initiatives early on is key to ensuring there are not security “add ons” brought in too late in the game. Also, actualizing the cost of a breach on the company in terms of dollar amounts can also capture the attention of the C-suite.
Furthermore, CISOs are measuring risk severity and breaking it down for the C-suite to help them understand the business value of cyber. To achieve this alignment, CISOs are finding unique ways to do remediation or cyber security monitoring to reduce their workloads enough so they can prioritize communications with execs and keep all facets of the company safe from the employees it employs to the technologies it adopts to function.
Improving Cyber Security for the Future
Better communications between execs and security leaders, continual cyber training for teams, and company-wide cyber learning are a few suggestions we’ve talked about today to help companies reduce their cyber risk and harden their posture. We’ve said it before and we will say it again: cyber security is everyone’s responsibility. And evolving threats in the age of digital transformation mean that we are always susceptible to attacks regardless of how many firewalls we put up or encryption codes we embed.
If we have a computer, a phone, an electronic device that can exchange information in some way to other parties, we are vulnerable to cyber attacks. Every bit and byte of information exchanged on a company network is up for grabs for hackers and the more technical, business, and non-technical professionals come together to educate and empower themselves to improve cyber hygiene practices, the more prepared they and their company assets will be when a hacker comes knocking on their digital door.
Circadence’s inCyt security awareness platform was recognized as a Silver winner by the International Serious Play Awards Competition for its ingenuity and gamified learning approach to support enterprise companies in learning cyber practices.
10 preventative measures for cybersecurity risks in our critical infrastructure industries.
Circadence’s Josh Davis shares what will transform cyber security for the better.