Women in CyberSecurity (WiCyS) 2023 - Denver, Colorado

My submission to WiCyS 2023 was accepted under the Lightning Talk category, with the session title:

"Exploring Systems Thinking Through Gamification for Cybersecurity Training and Education".

Session Abstract

"People begin playing games in early childhood and continue playing them throughout their lives. These games, whether digital or analog, engage individuals physically and/or mentally at home or elsewhere. Some games focus more on universal patterns of recognition while others are designed for a specific culture. However, almost all games are environments that function as larger systems, model real-world interconnections and contain microcosms for learning. In these structured playing environments, players acclimate to their surroundings and develop certain mindsets for how gameworld objects interact and fit together. In the cybersecurity realm, software games have been used to increase employee awareness while gamified exercises like capture the flag (CTF) are used to test players' cybersecurity skills. For both of these applications, games or game elements were used as exercises in systems thinking. Players are encouraged to think about relationships rather than isolated information and give thought to how their actions might be influential or impact the actions of other players/AI who are attacking them. This mode of thinking, to analyze how parts of a whole interact to produce an outcome, supports systems thinking and the status of games as rule-based, dynamic systems of learning. While the rules of cyberspace are different from the physical world, the video game realm offers a unique bridge between both; it is a space where players can take real-world models and experiment in a safe, inconsequential environment to try to understand and tackle the unpredictable outside world. This talk will discuss how games and their elements are ideal mechanisms for solving real-world cybersecurity problems and deliver complex system design models as well as best practices for designing gamified learning environments that accomplish systems thinking."

Presentation Script

Imagine a world where your entire life is situated around digital imaginaries. Before your commute to work, you engage in virtual combat to gain experience points and level up your character for the day ahead. On your lunch break, you decide to participate in a quick raid with nearby players to battle against a powerful opponent and potentially earn rare rewards. By the end of the day, you’ve sat down at a table with your team to engage in political intrigue and plan to strike down enemy factions from a rival territory.

Although these scenarios sound fantastical, they have become a reality, simulated in the devices with which we are chronically engaging. A multitude of games can be applied to the scenarios above, which lends itself to how deeply permeated electronic media has become in our lives, and how games have an almost utopian dimension to them - where players can temporarily escape from the real-world and tune into more intrinsic forms of motivation: pleasure, curiosity, and adventure.

This ‘playful mindset’ is what the corporate world has recently sought to tap into – ‘gamification’ is part of the mainstream vernacular. Undoubtedly, games have proven themselves as a remarkable medium, capable of captivating the attention of millions of players and motivating them to carry out tasks that would otherwise be tedious to perform in the workplace. To traditional organizations, games are a kind of dichotomous flux between unsettling and appealing; employers don’t quite understand why they’re so engaging but still want to reap the benefits of their design.

A game is not worth our time for its secondary benefits, like gamification - it is via what they offer as a whole. Good, successful games are not designed arbitrarily, with rules and goals for the player to merely adopt and idle away the time. The art of game design is to define the environments and obstacles, shape the abilities and objectives, and inscribe new player agency. Game designers are the digital deities who mold our experience of what is important and not important in a game space - what subsystems we pay the most attention to in relation to its larger information architecture. Through games, we can "write" the parameters for players' experience, and design them in such a way as to make arguments about systems in the real world.

While the rules of cyberspace are different from the physical world, the video game realm offers a unique bridge between both – players are constantly interacting with simplifications of the real world, but can experiment in a safe, inconsequential environment to try to understand and tackle the complex, unpredictable systems of the outside world. Thus, game design involves two important acts: a critical analysis of real-world situations and systems and a thoughtful reframing of those existing systems into persuasive engines of experience, that is, a game and its mechanics.

The very definition of a system implies the presence of several interdependent pieces that work together to achieve a common goal. In the context of games, these are the mechanics through which the player’s inputs are processed and the intended outcomes are realized. Each game component influences the overall state of the system; players are required to think critically and strategically, considering not only their own actions but also the actions of others and the larger system in which the game is situated. The game designer has afforded players a perceived sense of control over their choices so that players make meaning from the feedback of the consequences of their actions.

The goal here is to encourage players to see the digital game, and eventually the outside world, dynamically - as interconnected with interrelated components. To pause and reflect on mental model assumptions of causes and effects in the world, and then rethink how each element of that mental model might be a component of a larger system. In the past month, we’ve been working with a team of game design students at the University of Central Florida to develop a K-12 educational cybersecurity game with this very purpose. Through recursive cycles of interacting, tinkering, and experimenting, players in our game are able to tackle complex cybersecurity concepts like encapsulation, networks, and encryption algorithms from an abstracted, top-down perspective. We want to encourage players to look at the rules of our game and try to figure out how to subvert them, break them down, and, most importantly, understand how these rules relate to the larger system of cybersecurity and how different components of that system can be manipulated or exploited.

Cybersecurity skills are a constantly moving target; the field requires tools designed for its dynamic and nonlinear nature. Games present themselves as an ideal mechanism for teaching this ever-expanding register of cybersecurity knowledge because they precisely accomplish fostering the mindset - the systems thinking mindset - which is needed for identifying and tackling the risks of tomorrow. In cybersecurity education and curricula, thinking approaches such as adversarial and systems thinking will become more vital in an increasingly complex landscape that requires outthinking adversaries, reframing problems, and challenging assumptions.