PODCAST: Can ‘gamification’ of cyber training help shrink the human attack vector?

By Byron V. Acohido

The human attack vector remains the most pervasively probed path for malicious hackers looking to gain a foothold inside a company’s firewall.

And yet, somehow, cyber awareness training has not kept pace. Circadence hopes to change that. The Boulder, Colo.-based company got its start in the gaming industry 20 years ago, shifted to supplying cyber warfare training ranges to the military, and now is making a push to help companies add truly effective employee cyber awareness training as a key component to keeping their networks safe.

Related article: Why employee cyber training needs an overhaul

For years, teachers told us that learning can be fun. Circadence is taking that philosophy and running with it. The company is seeking to adapt “gamification” technologies to employee cyber awareness training. If it succeeds, it could help set a new paradigm for addressing the “people” component of defending networks.

I had the chance to converse with Keenan Skelly, Circadence vice president of global partnerships and security evangelist, at RSA Conference 2018 in San Francisco. For a drill down on our discussion, give a listen to the accompanying podcast. Here are a few high-level takeaways:

Gamers’ edge

Circadence got its start in the early 1990s as a publisher of one of the earliest massively multiplayer games. It turned out that the company’s expertise in generating and displaying complex graphics and getting high fidelity data from point A to point B in fantasy landscapes had a very useful real-world application – helping U.S. military operatives maintain an edge while engaging in ongoing cyber warfare.


The company subsequently sold off its gaming business to direct its full attention towards helping the military carry out cyber war games via Regional Service Delivery Points, by providing cyber range environments used across the Department of Defense. On these ranges, which replicate real-world networks, trainees can launch and react to cutting edge hacking assaults.

Then one day inspiration hit. “Some of our cofounders were watching these high-level cyber exercises and noticed that some of the gamification techniques and technologies they were using seemed pretty far behind,” Skelly says. “So, they came up with this idea to use true gamification as part of cyber preparation and cyber training.”

Training extremes

Cyber awareness training in the corporate sector today generally comes in two extremes. At one end, general staff training often boils down to employees being required to periodically sit through a PowerPoint session. At the other, if you happen to be a tech specialist, you might be sent off campus for a few days of deep-dive training at a SANS Institute course, or something equivalent. The effectiveness of the former is limited, while the scalability of the latter is non-existent.

Circadence has developed training exercises that leverage elements from online games that should be familiar to a broad cross section of employees — from anyone who has played solitaire on a smartphone to aficionados of World of Warcraft or Call of Duty.

Circadence training models incorporate gamification elements such as the ability to earn skill badges or challenges to up-level to a higher status. “We’ve successfully applied gamification techniques to a very technical training process that’s now more like Call of Duty than like running through a cyber exercise,” Skelly says. “We have other products that are focused on the entire enterprise. Games that you can play on your mobile phone to teach you more about enterprise security risks and how to protect yourself.”

Building judgment

Circadence is currently beta testing a new product, called InCyt, which takes the form of a multi-player role-playing game and goes beyond reinforcing awareness to actually striving to instill improved judgment through the workforce. Not surprisingly it’s a corporate version of the military cyber training exercises Circadence helped pioneer.

The starting point: adopting online personas. A human resource specialist might become a CISO; an accounts payable clerk might become a security engineer; a marketing product manager might become a malicious nation-state attacker.

“You each get dealt a hand of tools to start off with and then you have to attack and defend your respective networks using a variety of techniques,” Skelly says. “The idea is to introduce complex security concepts in a way that builds judgment.”

Circadence may be onto something. Gamification has proven its worth in military cyber training grounds. It seems like a natural progression to adopt it to enterprise settings. After all, youthful personnel, for whom online personas and cyber competitiveness are second nature, occupy both. And more are in the wings.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone