A Virginia agency built an escape room for cybersecurity training
No government agency wants its employees to fall for a phishing scam, but the Virginia State Corporation Commission, which holds Social Security numbers, credit card numbers and industrial trade secrets in its data banks, really doesn’t want its employees to fall for one. So to ensure its staff are fully mentally engaged in their mandatory cybersecurity training, the VSCC recently borrowed from a recreational trend and built an escape room.
Officials told StateScoop the agency designed the room itself and started running hundreds of employees through it last fall. The repurposed conference room contains a series of puzzles that require the players to recall their training and apply it to a hypothetical phishing attack that must be thwarted within a time limit. If they fail, simulated hackers will disable the computer that processes their paychecks.
“They will be able use the policy, the usage standards, the compliance information they’ve learned from both HR and security as tools to help them solve the puzzles within the room,” said Terri Helfrich, VSCC’s information security officer.
As with many government agencies, VSCC has required its workers to undergo cybersecurity training for years, but Helfrich said that the PowerPoint presentations the agency had traditionally used made for a “very low-energy, low-engagement affair.”
Phishing attacks are a common point of entry for hackers prying their way onto organizations’ networks, resulting in data theft or ransomware infections that can cripple operations and cost millions to recover from. But people seemed uninterested in hearing how one click on the wrong email could be disastrous for the entire agency, she said.
To solve this problem, the agency settled on an escape room after brainstorming for activities with high engagement. The agency didn’t hire outside help or have any experience developing the type of interconnected puzzles typically found in an escape room, she said, but everyone pitched in and developed the activity. Helfrich said it wasn’t very difficult to develop and it didn’t even take very long.
Kendra Burgess, VSCC’s human resources manager, said the escape room has been received positively, with employees looking more energetic and attentive when it’s their turn to be trained in it. But officials say it’s still too early to tell if that will translate into the most important metric for retention: whether they actually click on fewer phishing emails.
Before the escape room, VSCC ran a small training fair last year, in which staff played security-centric adaptations of game shows like “Jeopardy!” and “Family Feud.” Burgess said the escape room was the next logical progression away from stuffy slideshows and droning lectures.
“We went from what I call lecture-based learning to what I call experiential learning by putting the participant in a more fun scenario and get them involved in their own learning. That’s what makes learning stick,” Burgess said.
PowerPoint “kind of sucks”
The training isn’t entirely fun and games. Groups of employees must listen to a 15-minute lecture that provides updates to policy changes before they enter the escape room. But overall, the emphasis has been shifted strongly toward interactive experience, Burgess said.
Making mandatory training more fun and engaging is a challenge many are taking on, said Masha Sedova, co-founder of Elevate Security, a company that tailors interactive training programs for private businesses.
“Most training involves CBTs — computer-based training,” she said. “Maybe an animated PowerPoint, maybe a video. While that’s easy to roll out from a practitioner’s standpoint, it kind of sucks from the end-user’s experience. And the reason it sucks is because it’s passive learning.”
Research by the National Training Laboratories, a nonprofit behavioral psychology center, claims that passive learning methods like lectures or audiovisual presentations generate much lower retention rates among students than active learning methods that require students to query and apply their knowledge as they learn. The extent of the difference between various forms of teaching and how effectively it can be measured is contested among researchers, but Sedova said she believes that passive learning techniques generally yield a “dismal” 15 to 30 percent retention rate, compared to 70 to 90 percent for active learning.
One of Elevate Security’s products is a tabletop game called Hacker’s Mind, which the company describes as “an immersive role-based experience” in which players take on the roles of hackers, choosing an attacker type, attack vector and manipulation tactic. The company claims that workers at a business with more than 25,000 employees became 52 percent less likely to click on malicious links and 80 percent more likely to report suspicious activity after playing the game.
Sedova said the reason Hacker’s Mind and other interactive learning experiences are effective is because it introduces people to the mindset of an attacker and relocates the discussion about cybersecurity from the realm of abstraction to the real world.
Sedova said her company also has a product called Security Snapshot that uses incentives like badges to benchmark individual progress and encourage further development. She said this measurement of progress against the training is the component that government organizations, especially those like VSCC that may not have the scientific knowledge backing their experimental training methods, need to include in their programs.
“Don’t forsake the end goal for fun,” she said. “That’s the danger with anything that’s gamified. It’s not just about the badges or the reward or the game itself. It’s about the end outcome you’re driving toward. And I’ve seen escape rooms that had high engagement but low ROI on the time and money spent because people didn’t actually change their behaviors at the end of it.”
Sophisticated attacks
State governments are often hesitant to adopt new ideas, and the prospect of designing a training program around a faddish diversion could prove a hard sell for administrators.
But Utah State Chief Information Officer Mike Hussey told StateScoop that he’s watching as attackers become more sophisticated in their methods, and that’s making him interested in any new security training techniques that could help safeguard against those attacks.
“They’re getting better. They are bright folks out there, so it’s a challenge,” he said. “So we have to up our game, too.”
In recent months, he said, attackers conducted a phishing campaign against the state that diverted those who clicked on a malicious link to a convincing replica of the state’s log-in screen. Hussey said about 10 state employees fell for the trick, which had them reroute their paycheck direct deposits to an outside account. A confirmation system caught most of these before it was too late, but three of the payments went through, he said.
Like other organizations, Utah’s state IT department phishes its own employees to ensure their training is sinking in. It’s getting more sophisticated in other ways too, dangling rewards in front of its employees that management knows will be tantalizing enough to make them forego some of their better judgement. Promises of tickets for the musical “Hamilton” and better parking spaces have each been successfully used in the state’s phony phishing campaigns.
But Hussey said it’s worrying that of these campaigns yielded far more clicks than he expected. Utah’s own training isn’t a mere PowerPoint, though. Hussey said it includes videos and other elements to make it more engaging, but that his office is continuing to look for something more effective. Utah explored the possibility of a mobile game for security training, which was ultimately ruled out, but an escape room, Hussey said, “might provide an interesting opportunity.”