Gamification Impact Case Study
Ransomware attacks are one of the most significant cyber threats we face in our rapidly evolving digital world. They have been on the rise over the past several years, with businesses and critical infrastructure systems key targets. The impacts of these attacks can be crippling, threaten the way we live, and can be hard to recover from.
Ransomware attacks can be avoided. Awareness and education are key to protecting people and organisations from being targeted, but too many wrongly believe it won’t happen to them.
In a collaborative project, the Cyber Security Cooperative Research Centre, CSIRO’s Data61, WA’s Office of Digital Government with the support of Edith Cowan University, created an interactive game to present to executives of the Western Australian Government, with the aim of raising awareness and encouraging critical thinking about how they would prepare for and respond to a ransomware attack.
Sixty WA Government employees from 42 different organisations participated in the game. Eight were from a critical infrastructure sector, two from health care, five from education, one from local government and 26 from other Western Australian state government agencies.
Participants were faced with a realistic scenario of a cyber attack on a fictitious WA port and were asked to consider the cyber security risks associated with key systems and business processes that operate the port. As teams, in which participants played key executive roles, the game fostered discussion about risk, risk-mitigation and compliance considerations in relation to ransomware and critical infrastructure in Australia. Through role-play, the teams addressed pressing issues associated with the port’s ability to detect, respond and recover from the fictitious ransomware attack. Key factors, like governance processes, were tackled to help address adherence to existing compliance measures..
The fast-paced game provided participants with the opportunity to make decisions and engage with cyber security issues in a safe space. Through this experiential learning approach, the board game provided participants with the opportunity to broaden their understanding of cyber security risks and this knowledge back to their own agencies and departments.
Feedback was positive, with a satisfaction rate of 4.2 out of 5. Participants said they found the game educational and engaging.
Peter Bouhlas, WA’s Chief Information Security Officer at the Office of Digital Government Perth, said it was well received, with many enjoying the interactive element.
“It broke up the routine, it raised awareness, it got people engaged, there was good discussion amongst themselves and with us,” Mr Bouhlas explained.
Organisers of the event are confident it will likely lead to changed behaviours when it comes to cyber security.
“It would have raised some discussions about do we have plans, what do we do about ransomware, can we even pay one? What’s government’s policy? It certainly raised awareness, which is our principle objective of the game, to initiate those kinds of discussions that challenge people,” Mr Bouhlas said.
“It’s not to give them skills in dealing with cyber security matters and it may do, but ultimately it’s to raise discussion that hopefully they carry back to the agency.”
Dr Rachel Mahncke, the Cyber Security Project Coordinator at WA’s Department of Premier and Cabinet, said the game sparked quick thinking with realistic scenarios.
“It was so well managed that you slowly stepped participants up and put them through some pressure,” Dr Mahncke said.
“I think the pressure of the game really did facilitate that sharing of knowledge and reflection. I think the learning mostly happens afterwards.”
Given the increasing prevalence of ransomware attacks, organisers agreed it was also an ideal cyber issue to address in the game.
“I think the topic that we chose – ransomware - was a fantastically good opportunity to spend a little bit more time considering the seriousness of the topic, so I think bringing it to front of mind was really important,” Dr Mahncke said.
Not only has the game been considered a success, but new opportunities to increase its effectiveness and develop it further have been identified by stakeholders.
“There are a lot of opportunities to create better or more collaboration with agencies and raise awareness, so it’s not just purely the game that does that, but you can use that as a vehicle to have further discussions,” Mr Bouhlas said.
Since the initial presentation, several other agencies and external groups have shown interest in purchasing and using the game in their organisations.