The Gamification of Cybercrime, and What it Means for Security

Most gamers are constantly trying to get past a powerful boss, avoid a difficult trap, or complete a quest. If they get stuck, they often go online looking for clues on how to complete a particular challenge. Failing that, many then start to seek out cheat codes that will give them the necessary edge. Unfortunately, these gamers are only a few clicks away from cheat codes to the dark web of cybercrime tools.

Gaming is an activity that develops a lot of skills useful to both sides of the cybersecurity struggle. While grinding against the current set of opponents or navigating the ever-present dungeon, gamers quickly learn to continually look for clues, tools, weapons and other aids to success. They learn persistence, endurance, observation, logic, and the benefits of learning from a failure and trying again.

Play More Games

Gamification is growing in importance as a tool to drive a better-performing cybersecurity organization. Four in 10 organizations say they already organize a gamification exercise at least once per year. The most common is capture the flag, followed by red team versus blue team.

Frustration Leads to Anger; Anger Can Lead to the Dark Web

Studies of gamers have found a relationship between the difficulty curve and the resulting frustration of the player. This frustration can lead a player down a dark path. If the challenge is too hard, or the failure too frequent, the player will often begin to look for outside help, ranging from tips to cheat codes. Stumbling across the dark web in their search, they might find tools that can disrupt their opponents or take out their frustration against the gaming company.

For example, after the Mirai botnet was released, one of the most popular uses of this code was to unleash DDoS attacks against gaming servers. Depending on the traffic level generated, these attacks could create lags to give a player or group a competitive advantage, or seriously disrupt the gaming company’s business.

Unfortunately, gamers attacking each other and the companies that serve them is not the end of it. These easy attacks can lure gamers deeper and deeper into the world of cybercrime, as they explore the resources of the dark web and turn their skills to new challenges. The relentless attacks against systems of governments and corporations are not coming solely from organized groups of criminals or nation-state-sponsored teams.

Whether it’s the gaming aspect, frustration, or the lure of dark deeds that leads them astray, as an industry we need to address this problem. What better way than by hiring them!

If You Can’t Beat Them, Have Them Join You

There is also a correlation between the use of gamification and happier cybersecurity staff. If we look at the most popular game, capture the flag, more than half (54 percent) of respondents who are extremely satisfied in their roles say they use this gamification technique once or more a year, compared to just 14 percent of those employees who are dissatisfied in their roles. This correlation becomes even more apparent when we look at it from the perspective of those not running games, including:

Respondents who are dissatisfied are far more likely (around 7 in 10) to be working in organizations not running cybersecurity games at all compared to those who are extremely satisfied (around 4 in 10).
Eighty percent of extremely dissatisfied employees who report their organization does not use gamification say they wish they did run games such as a bug bounty or hack-a-thon.

The skills that make good gamers also make for good security personnel: observation, persistence, logic, and learning from failure. With or without a four-year degree, gamers with some coding or IT experience have the potential to be significant contributors to a cybersecurity operation.

Not game over yet

It’s time to invite gamers in the corporate arena to answer the call of duty and join the clan in the ongoing battle against malware, phishing, exploits, and the other monsters that inhabit the cybersecurity dungeons.