Microsoft Azure Government Secret Helps Enhance Cyber Training

Reading Time: 2 minutes

Across the board there’s been a push from a policy perspective to get into secure cloud environments that provide organizations with the on-demand and protected availability that they need to improve business processes. Azure Government Secret is a cloud solution that delivers comprehensive and mission-enabling cloud services to US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. It can also have global implications for how cyber defenders prepare for tomorrow’s threats.

The April 2019 announcement of Azure Government Secret enables Circadence to deliver Project Ares to similar defense industry partners in support of their cyber training and readiness missions. Having the power of the Azure Secret cloud infrastructure behind Circadence is necessary to deliver infinite cyber range scalability for gamified training and learning opportunities to defenders across the globe who need specialized security and scalability in training programs.

As cyber threats grow more frequent and more malicious, it is mission critical to government cyber protection teams to have the flexibility and accessibility to scale training to their needs, with limitless opportunity for enhanced cyber preparedness. The persistent, gamified training and frontier learning that occurs in Project Ares, coupled with this new level of secure cloud, enhances the protection of the nation’s most critical digital assets and will undoubtedly contribute to our overall national security.

VP of Global Partnerships Keenan Skelly tells us how it helps improve cyber training today.

“Our partnership with Microsoft Azure allows us to build infinitely scalable cyber ranges to do cyber exercises and trainings,” said Skelly.

With the help from Microsoft Azure Government Secret cloud, Circadence can continue to evolve cyber training solutions that help today’s elite, DoD cyber security professionals anticipate, prevent, and react to threats more efficiently and effectively. In doing so, we are proud to contribute to a world-class security culture that proactively protects our most critical assets and our people.

Nichols College Students Spearhead Cyber Security Education for the Entire Campus 

Reading Time: 3 minutes

Policy makers are now prioritizing data security over talent, efficiency and controlling costs. As students growing up and being educated in the digital age, we are just starting to understand the importance of cyber security to individuals and their companies. Taking part in a Research Associate Internship on campus at Nichols College, our eyes have been opened to the vast number of threats we face on a daily basis.

Oracle conducted a study titled “Security in the Age of Artificial Intelligence,” where 341 C-Suite executives and 110 policy makers were asked of their plans to improve their company’s security in the next two years. The top answer from this sample was to train existing staff. Human error poses the greatest risk to these companies (Oracle). In order to mitigate this risk, it is imperative to understand the opportunity cost of training employees on the importance of cybersecurity. Prioritizing training would prevent small mistakes, potentially costing a company much more in the long run.

A Nichols College Associate Professor of Accounting and Finance, Bryant Richards, noticed a gap in cyber security education, wanting to bring cyber to campus in a big way, stating “As cyber risks have become ubiquitous throughout the industry, it is our responsibility to provide some degree of cyber literacy to our business students. We must train our accounting students to be data and technology professionals who understand accounting. The realistic and experiential nature of Project Ares matches how our students learn and provides a transformative learning experience.” Richards along with the two of us, helped Nichols partner with Circadence to complete a three-month pilot program of their gamified cybersecurity learning platform Project Ares.

What We Found: Circadence did a great job with Project Ares, with an appealing, gamified user interface that sucks you in and is easy to use. As a student with no technical experience in the cybersecurity field, Project Ares proved to be both engaging and challenging. It provided an abundance of resources through its Media Center and Mini Games. Users can obtain a base layer of knowledge, progressing into education on concepts like the Cyber Kill Chain and how hackers utilize it. The interactive Battle Rooms provide real-life, technical lab environments where users can spin up virtual machines, explore real-world tools, build their confidence, and hone their skills.

What We Learned: You do not have to be a professional hacker to steal someone else’s information or gain access to their computer. Understanding the code is no longer enough; this is much more than an individual problem. If your own device is compromised, the hacker can steal your personal information, and steal information from your employer and worse. This harsh reality surprised us when we first commenced our research. From clicking a wrong link in an email, to accidentally tapping an advertisement banner on your phone; these small errors can seem harmless but are really detrimental to your overall security.

The gamification of cybersecurity training has allowed those of us with no prior knowledge, a chance to get a leg up. With increased demand to train existing staff, new training approaches must be made for the next generation of cybersecurity specialists. Gamifying the process made it easily digestible, directly benefitting any potential company or individual.

The first step in becoming educated on cybersecurity is understanding that there are threats present in our everyday lives. In the words of the man who gave us our initial walkthrough of Project Ares, Brad Wolfenden compared cybersecurity to buying a gallon of milk, saying:

“I believe that part of the disconnect around cybersecurity best practices comes from the assumptions we make as consumers in general – that what we’re buying is designed and sold with our best interests, and security, in mind … The food you buy and eat is certified by the Food & Drug Administration to indicate it has been safely grown/ raised and suitable for human consumption. When making technology purchases, we cannot take these same conveniences for granted.”

It is everyone’s ‘job’ to maintain high ethical standards and awareness when operating on the Internet nowadays. It is no longer up to one person or pre-installed software to protect your personal information. The more we are educated on the basic underlying principles of cybersecurity, the safer we will all be.

References

Oracle. “SECURITY IN THE AGE OF AI .” Oracle, 2018, www.oracle.com/a/ocom/docs/data-security-report.pdf.

Wolfenden, Brad. “A Rising Tide Lifts All Boats: Celebrating National Cybersecurity Awareness Month.” Circadence, 30 Oct. 2018, www.circadence.com/national-cybersecurity-awareness-month/.

*Students R.J. LeBrun & Lorenzo Secola guest authored this blog post as part of their Research Associate Internship at Nichols College 

 

 

 

Guest Blog: Reimagining Cyber Learning for Students, Featuring Divergence Academy

Reading Time: 3 minutes

 

It’s one thing to talk about the importance of teaching cybersecurity in an engaging way, and another thing to actually do it. Divergence Academy is proud to partner with Circadence to reimagine how cybersecurity is taught to current and aspiring professionals.

About Divergence Academy

Divergence Academy is an education institution creating adaptive learning solutions to empower individuals to pursue the work they love on the most relevant skills of the 21st century – from web development to data science to product management. It was established in 2014 as the first Data Science school in the Dallas/Fort Worth area school that used a hybrid approach to learning. It offers immersive and weekend programs for working professionals, college grads and transitioning workers.

In early 2017, the academy grew to partner with leading cybersecurity organizations including E.C. Council and CompTIA to offer certified learning for students. However, it found that the curriculum was missing something—a “WOW” factor—a platform where learning could be managed and developed using a more hands-on approach, allowing students to level up and reinforce the skills they were learning towards certification.

A Gamified Approach to Cyber Learning

In realizing that we needed a more robust learning platform that complemented the certifications we offered, we were introduced to Circadence, a market leader in cybersecurity readiness, known for its Project AresÒ cyber range solution. It incorporated gamification into every aspect of the learning process, which encouraged students to progress through real-world exercises at their own pace and with a level of engagement unseen in previous traditional course sessions.

Finding Project Ares put us on the map as an institution that put learning to work and it showed that we are not just an AI school but a school that teaches what we preach!

The Class: Cybersecurity Professional Penetration Tester

We launched our 12-week class using Project Ares in early February 2019. The program is a 400-hour course delivered over 2 weekday evenings and Saturday to prepare students for the role of Certified Ethical Hacker. We have a mix of students from mathematicians to software engineers to IT students all with varying levels of knowledge of cybersecurity, but anxious to learn.

In Project Ares, students are able to identify “learning moments” where they begin to connect the dots on how a cyber concept is applied to a real scenario. They try to solve problems together, which is exactly what a real cybersecurity job would require.

Not only are students learning industry-wide technical competencies such as information assurance, risk management and incident detection but also workplace competencies like teamwork, planning and organizing, problem-solving, and more. In preparing for a CEH role, students engage in the battle rooms, learning foundational skill sets and then apply them to a methodology in the missions. Skills like system hacking are learned in Missions 8-10, 12, and 13, and enumeration in Mission 1, and reconnaissance in Mission 1.

The feedback from them is reassuring that Divergence Academy and Circadence are a powerful partner. We hear they enjoy collaborating with their peers in exercises within the platform and they kind of form their own “tribes” if you will and that’s the beauty of gamified learning. It really teaches these students how to work together, build soft skills, and technical skills needed for today’s workforce.

The Impact of Project Ares

Project Ares has allowed our instructors to really focus on our student’s performance. The automated, in-game advisor Athena within Project Ares helps students progress from activity to activity and solve problems quicker, which helps instructors prioritize the pace of learning from all students and in using the trainer view in Project Ares, see where the skills gaps are and how to better inform the exercise content to meet the individual needs of the students. Further, the automatic scoring and badging in the platform coupled with the media center allows instructors to easily align course curriculum with the platform’s games, whether it’s in a mission, a battle room, or through a mini-game.

A Vision Come to Life

Divergence Academy is excited to build a network with local community colleges in the Dallas/Fort Worth area in order to help upcoming graduates and faculty see us as a school that takes student learning to new levels—applied levels—practical levels that are relevant to the workforce. We hope local schools see our trade school as the next step in their learning journey to cybersecurity professionalism and understand that they will be able to get hands-on skill building (or upskilling) and practical experience.

 

To learn more about Divergence Academy and how they’re using Project Ares to support student learning, visit https://divergenceacademy.com/.

 

Guest Blog: Taking Cybersecurity Learning to a Whole New Level

Reading Time: 2 minutes

Last week I was lucky enough to be able to attend Circadence’s Cyber Learning Tour at the Microsoft Technology Center in Chicago.  This event was hosted by Laura Lee, VP of Rapid Prototyping,  and one of the lead creators of the Project Ares training platform.

The opportunity to attend this event and hear from the brains behind Project Ares was an eye-opening experience for me.  The passion that Laura spoke with was something that I could relate to.  As someone who personally advocates for introducing more people to information technology and more specifically cybersecurity, it was amazing to hear Laura Lee talk about how she utilizes Project Ares in schools as early as middle school to educate students on not only the importance of cybersecurity but also real-world scenarios.  Hearing Laura talk about kids using Metasploit, Nmap, Wireshark and learning how to defend simulated cyber-attacks or infiltrating networks with Project Ares is taking learning to a whole new level.

One of the more interesting topics Laura brought up about the platform is the scoring capability and how it works within the learning environment.  She often finds students begin competing against each other on the platform by going through missions and assessments over and over again to see who can get the better score.  This brings another avenue of excitement and energy to cybersecurity that could lead to more exposure with things such as e-sports using Project Ares.

The fact that Circadence has created a learning environment that brings gamification, cybersecurity, and training to the same platform is ground-breaking to me.  Here is a platform that will simulate real-world scenarios like bank networks, power grids, and other enterprise networks and you either must attack (red team) or defend (blue team) using real-world skills and tools.  If you’re a rookie at cybersecurity, Project Ares offers a variety of battle rooms and assessments that will help get you up to speed.

To hear more about why gamification and AI-powered cyber learning is the future of cybersecurity skill building, check out one of their other Cyber Learning Tour stops here: https://marketing.circadence.com/acton/media/36273/cyber-learning-tour-with-microsoft.

Follow Zach’s YouTube Channel I.T. Career Questions for all things cybersecurity learning and development here: https://www.youtube.com/channel/UCt-Pwe2fODjH4Wuwf5VqE7A.

Making Cybersecurity BETTER: Dan Manson to Speak at RSA 2019

Reading Time: 2 minutes

With the New Year in full swing, we are resolved to improve not only our own products to meet industry shifts but helping improve cyber professional’s skill sets against evolving threats. One of the ways we are doing this is through the help of our team member Dan Manson, Instructional Designer (Level 5) and current Professor of Computer Information Systems at California State Polytechnic University, Pamona.

Dan is speaking on a panel discussion at the upcoming RSA 2019 conference, titled “How to Create a Truly Diverse Cyber Workforce” on Thursday, March 7 from 1:30 p.m. – 2:30 p.m. alongside panelists Mat Neufield, CISO for Unisys, Jordan Jacobson, California State Polytechnic University, Pomona student. Shelly Westman, principal with EY will moderate.

It is at events like RSA (Find Circadence and Project Ares at booth 6583), the Circadence team and visitors to our booth share industry perspectives and explore dynamic learning solutions for cybersecurity professionals. The insights from these meetings often influence our advance product capabilities, features, and offerings.

In addition to sharing his expertise on the ways to diversify the cyber workforce, Dan looks forward to playing an integral part in our Project Ares® cyber learning platform evolution alongside the rest of our incredible team.  He is helping integrate proficiency standards and competencies into Project Ares curriculum to improve the overall training value, player scoring, points, badges, etc. He also supports the analysis of how well the training content aligns to the NIST NICE Cybersecurity Workforce Framework, identifying the gaps for our Cyber Education and Training department to consider in curriculum design.

We know the cybersecurity landscape is fluid, in a constant flux of improving security provisions, processes, technology, and the professionals behind it all. Circadence understands that there is no “one-size-fits-all” solution, which is why our solution capabilities ride on the coattails of the frequent industry changes. Our “Living our Mission” blog series keeps customers and interested parties current on the latest updates to our platforms and the benefits of the developments on organizational security posture.

To learn more about how our gamified learning platform Project Ares is supporting a more diversified workforce in the midst of a widening skills gap, download our white paper “The Importance of Gamification in Cybersecurity Training” now. 

 

Oil and Gas Cyber Security: Understanding Risks, Consequences, and Proactive Measures

Reading Time: 4 minutes

The oil and gas sector is susceptible to security vulnerabilities as it adopts digital communication methods that help power energy production and distribution. To understand the cyber threats to the oil and gas industry, there exist approximately 1,793 natural gas-powered electricity plants in the U.S. and they generated 34% of the nation’s electricity in 2018. Much of how we live and work is dependent upon the energy produced from oil and gas production, including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. Therefore, even the smallest cyber attack on one of the thousands of interconnected and digital systems can pose a serious cyber risk to oil and gas production.

A company that goes through an attack can experience a plant shutdown, equipment damage, utility interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of surveyed oil and gas senior executives have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.

Cyber Attacks on Oil and Gas, Energy, Utilities Companies in History

Security threats to the oil and gas industry have already manifested across facilities worldwide with no signs of slowing down.

  • In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computers and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.
  • In December 2018, Saipem fell victim to a cyber attack that hit servers based in the Middle East, India, Aberdeen and Italy.

These examples show other oil and gas companies the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.

How Circadence Can Help

To manage security risks in the oil and gas sector while lessening the attack surface, cyber security teams need to be prepared to address all possible scenarios that can occur in order to effectively protect and defend infrastructures.

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in the oil and gas industry. Further, targeted training can be achieved from the library of mission scenarios to work on specific skill sets.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kind of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close skills gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem-solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cybersecurity teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Users are the last line of defense against threat actors so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cybersecurity in oil and gas sectors.

This solution coupled with proper collaboration between IT and OT divisions to share real-time threat intelligence information will do wonders for companies looking to stay out of the negative news headlines and stay safe against an attack.

Download our Infographic “oil and gas cybersecurity” for more details on cyber readiness and training.

oil_gas_infographic

DOWNLOAD INFOGRAPHIC

Close the Cybersecurity Workforce Gap with Apprenticeships, Internships, and Other Alternative Pathways

Reading Time: 4 minutes

We’ve all heard by now that the cyber workforce gap has reached a level of desperation that puts all of us, and our country, at risk. It’s time we start moving the conversation away from the problem and towards innovative solutions.

To truly narrow this cyber workforce gap, it’s crucial to solicit the collaboration and support of the “golden trifecta” – academia, commercial industries, and government. And while educating and training high school and university students is important, this should not be our only focus; re-skilling and upskilling populations such as Veterans, minorities, career changers, women, persons with disabilities and learning differences, and others, have tremendous potential to both shrink the gap and contribute much needed diversity to the cyber workforce.

Recognizing National Cybersecurity Career Awareness Week (Nov. 12-17), we thought it prudent to share three tools that can help prepare the next generation of cybersecurity professionals to address ever-evolving threats and the aforementioned challenges.

Apprenticeships

Compared to other professions, cybersecurity apprenticeship programs are scarce.  Yet, there is hardly a better way for an organization to fill its pipeline with well-qualified cybersecurity talent than by building an apprenticeship model into existing recruiting strategies. By integrating an “earn while they learn” model, employers can leverage a unique opportunity to grow their own talented pool of cyber professionals who have the highly desired combination of hands-on skills and foundational, academic knowledge.

“This is absolutely fundamental, and a key plan in meeting the workforce needs. Our solution to the gap will be about skills and technical ability,” says Eric Iversen, VP of Learning & Communications, Start Engineering. “And the most successful of apprenticeship programs offer student benefits (e.g., real-world job skills, active income, mentorship, industry-recognized credentials, an inside track to full-time employment, etc.) and employer benefits (i.e., developed talent that matches specific needs and skill sets, reduced hiring costs and a high return on investment, low turnover rates and employee retention, etc.)”

These types of opportunities are especially beneficial for recruiting individuals who may be switching careers, may not have advanced degrees, or are looking to re-enter the field. The U.S. Department of Labor, provides guidance on starting apprenticeship programs.

Internships

The hardest part of being a young professional is finding that first career opportunity. However, that is a particular challenge for aspiring cyber professionals when just about every job posting they find asks for some level of relevant, industry experience. The problem is, not many organizations are willing to give it! For organizations looking to bring fresh ideas, perspectives and talent through the door, internship partnerships with local academic institutions can be a great workforce development tool. Many community colleges, technical colleges, and universities have well-oiled practices of connecting their students with local companies. In fact, it’s not uncommon for most students, both undergraduate and graduate, to be required to complete an internship in their field of study before graduation. Much like a successful apprenticeship program, a strategic internship program enables a situation where everyone involved, wins.

Alternative Pathways

While there are many models to be considered here, the following two are typically the most accessible and well-received for both students and employers.

  • “Stackable” Courses, Credits & Certificates: Simply put, “stackable” learning opportunities allow students to quickly build their knowledgebase and achieve industry-relevant experience that leads directly to employment. The idea here is two-fold.

a). High school students can enroll in college-level coursework and/or earn cybersecurity-focused certificates while completing their high school career.

b). College-level students can leave higher education for a job, and later return with credits that count toward the next certificate or degree.

This approach continues to gain traction as high school counselors and college administrators respond to the rapidly evolving nature of our economy.

  • Cyber Competitions & Hackathons: There is hardly a better vehicle for the practical application of one’s skillset than participating in a cyber competition or hackathon. These types of opportunities are becoming more and more common, and many times, cyber enthusiasts of all proficiency levels view cyber competitions and hackathons as the “latest and greatest” in extra-curricular activities. While numerous studies can be cited to support the significant traction cyber competitions and hackathons have gained, the fact is they’re changing the landscape in important ways. For example, cyber competitions and hackathons are often cited as positively impacting one’s exposure to the industry. Cyber competitions:
    • Support exposure to new and emerging technologies
    • Enable networking opportunities with like-minded folks
    • Offer environments for learners to demonstrate their abilities
    • Provide opportunity for new talent recruitment

Circadence is proud to lend its platform Project Ares® for many local and national cyber competitions including the cyberBUFFS, SoCal Cyber Cup, and Paranoia Challenge so students can engage in healthy competition and skill-building among peers. For more information on cyber competitions and hackathons, check out the Air Force Association’s CyberPatriot, Carnegie Mellon’s picoCTF, Major League Hacking, and the National Cyber League.

Closing the cyber workforce gap will take diversification in all sense of the word.

  • Diversity from supporting organizations, institutions, and companies.
  • Diversity in learning approaches and experiences.
  • Diversity in learners themselves.

Enterprise, government and academic institutions must pursue innovative and engaging ways new to attract underrepresented professionals to apprenticeships, internships and alternative pathways to add diversity to the cybersecurity workforce. And based on the current state of our cyber workforce, this suggestion is not just important, it is essential.

Many desired outcomes become a reality when we emphasize these efforts. It’s the unique perspectives, the inspired teamwork, the widened pool of well-qualified talent, the creativity and the “all-hands-on-desk” (see what we did there?) mentality that will help strengthen the cybersecurity industry not just for students, but for all agencies and businesses. Let’s embrace all of it!

Keeping Critical Infrastructure Strong and Secure

Reading Time: 2 minutes

November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to protect our Nation’s critical infrastructure.  Circadence’s mission is to build awareness about how next-generation cybersecurity education and training can improve cyber preparedness. This month is an excellent time to talk about that in relation to critical infrastructure.

“We are seeing government agencies and companies work to make systematic, holistic, and cultural changes through improved cybersecurity standards, best practices, processes, technology, and workforce,” said Josh Davis, Director of Channels. “The massive, distributed, and legacy infrastructure we have today demands a layered security approach that focuses on building a true understanding of what’s at risk within critical infrastructure systems —and that requires a targeted focus on the people who operate these systems both digitally and physically.”

We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the communication systems we rely on for business as well as staying connected to friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

During November (and year-round), Circadence focuses on engaging and educating public and private sector partners to raise awareness about the security posture of the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.

Managing risks to critical infrastructure involves preparing for all hazards and reinforces the resilience of our assets and networks.

This November, help promote Critical Infrastructure Security and Resilience Month by:

Our virtualized cyber ranges-as-a-service (CyRaaSTM) provide public/private entities the opportunity to train in realistic cyber environments that mirror their actual interconnected, internet-of-things networks. These virtualized ranges can model the digital footprints of companies, agencies, entire city networks and even Nation State operation exercises, into living physical and fifth domain environments. Teams can collaborate and train together to test and improve their cyber skills in protected environments that can scale and flex as their organizations’ inter-connected structure does, but without impacting live systems and networks.

By combining Circadence’s Project Ares®, Orion Mission Builder™, and StrikeSet™, your organization can learn and grow without impacting your operations. This next-generation combination transforms traditional lecture-based learning, taking it out of the classroom and into interactive real-world environments, at any scale, anytime, anywhere.

We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.

To learn more, visit www.dhs.gov/cisr-month.

Game On: The Benefits of Active, Gamified Learning in Cyber Training

Reading Time: 3 minutes

What is gamified learning? Before we dive into that question, let’s discuss some of the ways we currently learn about cyber today. Traditional cyber training has been conducted in the same way for years, comprised of static, classroom-style settings complete with a teacher lecturing and passive listeners. This model causes people to forget 

  • 40% of what they’ve learned after 20 minutes 
  • Between 50-80% of what they’ve learned after one day   
  • 77% of what they’ve learned after six days
  • 90% of what they’ve learned after one month  

In addition to forgetting material learned, there’s minimal opportunity for the student to proactively solve problems, think critically, and analyze material. Instead, they superficially understand concepts without truly learning their application to real-world situations. This leaves the trainees disengaged, disempowered, bored, and unmotivated.  

We believe there’s a better way to deliver information security training—a way that engages teams in healthy competition and in critical thinking and problem-solving activity. Through active learning, studies show learners are more engaged, empowered, excited, and possess deep, conceptual understandings of topics learned. Active learning involves collaborating with teams and applying concepts to real-world exercises and scenarios, which improves retention rates to 75%, compared to 5% through traditional learning methods. 

So why is active learning so important for cybersecurity professionals?

Because the undeniable jobs shortage affecting the industry is prompting CISOs to take a closer look at ways in which they can close the skills gap. The first step involves leveling up existing cyber teams by equipping them with the tools and skills they need to do their jobs better. Without proper cyber training and skills development, professionals can’t keep pace with evolving cyber threats, causing teams, organizations, and companies to succumb to hacker attacks.  

How significant is this issue? According to a recent ESG/ISSA study, 70% of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage, with ramifications such as an increasing staff workload, hiring and training junior personnel rather than experienced professionals, and situations where teams spend most of their time dealing with the emergency du jour, leaving little time for training, planning, strategy, etc.  

So what can we do about this?  

Consider gamified cyber training 

Not only is hands-on, active learning important but we believe that gamification is the natural, logical step in training the next gen learner (born after 1980), who has never known a world without video games. Gamification is often defined as the process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. When we think about the benefits of gamification of cyber security training, it is a learning style best suited for today’s learner who grew up playing video games and being motivated by elements like leaderboards, competition, collaboration, and social proof/progression. 

Even academic institutions across cyber schools are exploring cyber security games for students to complement their classroom learning. Some institutions like CU Boulder have even crafted an entire class around gamified cyber training using Project Ares in their syllabus.

Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. Further, it enables learners to apply what they know to simulated environments or “worlds,” creating a natural flow that keeps learners engaged and focused. Organizations that offer gamified exercises to teams report that 96% of workers see benefits including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times, and enhanced self-efficacy.   

In gamified environments, trainees are typically:  

  • rewarded for good behavior 
  • incentivized to maintain good behavior 
  • encouraged to dialogue about their lessons learned with peers 
  • reminded of what they don’t yet know and held accountable 
  • engaged in their progress thanks to leaderboards 
  • prepared to participate in simulated threat situations that further prepare them when real-world situations occur 

 

Active, gamified cyber training is only effective if employees apply their skills learned and acquired to real-world scenarios. For this reason, cybersecurity leaders are encouraged to measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of the organization.  

“Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organisations do not increase complexity in the already high-stakes game against cyber crime,” Grant Bourzikas, chief information security officer at McAfee. (ComputerWeekly) 

Great, there are clear benefits. Now what?

Now it’s time to reflect on how your organization can benefit from gamification in cybersecurity training. First, look at what training (if any) is currently occurring. Then, speak with teams about where they’d like to improve and draw clear parallels between the investment in training and desired business outcomes. And of course, when you’re ready to learn more, contact us to see how gamified training actually works through our Project Ares® platform.