Hacking the Gaming Experience: The (Non-Virtual) Reality of Cybersecurity Video Gamification


Video games are an underused mechanism for transforming a narrative into a valuable learning experience. Members of multiple generations have grown up playing fun and memorable game titles on the latest console of their time. Moreover, I suspect that many gamers can remember the levels, controls, characters, and experiences from their favorite titles as distinctly as I remember the games of my youth. Almost two decades later, I am confident that I could still pick up a Nintendo 64 controller and flawlessly play Legend of Zelda: Ocarina of Time as if no time had passed. Video games have a strong impact on the human learning process because they impart a strong sensory experience. Gamers are immersed in the projected worlds through the graphics they see, the sounds they hear, the controller gripped tightly in their perspiring hands, and whatever they shout at the screen in their moments of frustration.

Video games enable players to solve problems in creative ways. Through this problem-based learning experience, players learn critical thinking, problem solving, collaboration, effective communication skills, motivation, persistence, and the ability to learn how to learn. Some games, such as Bethesda's The Elder Scrolls series, even offer resources that allow players to learn how to code their own content to incorporate into the digital world. As a result, vibrant user-driven content creation communities exist for a number of games.

Mandatory mundane tasks or "boring" information absorption can be transformed into enjoyable and voluntary experiences through video gamification. In fact, a well-designed video game can "improve learning between 7 and 40 percent over a lecture." Video games are not just for children. Many of the more popular games are specifically designed for an older audience. These games are usually more difficult and more stressful than other games; however, adults continue to play them because the games offer a sense of righteous accomplishment [https://news.ycombinator.com/item?id=9495141] and because games ultimately lack the stressful urgency and consequence of the real-world work environment. If you fail in a video game, you just restore the game to a previous save point or continue on to the next challenge.

Players love games because they are effective, memorable, and fun; as a result, games may be the perfect mechanism for teaching any generation both cybersecurity concepts and cybersecurity skills. Many respectable institutions and businesses have already embraced cybersecurity gamification for different audiences. For example, Carnegie Mellon University has cyber-awareness training games in their Carnegie Cyber Academy, PBS has a Cybersecurity Lab game on their NOVA Labs website, and PwC offers a breach simulation game called Game of Threats. These games are great for targeted training, and they serve their audiences well; however, games developed by major studios may serve as a better avenue for raising interest and awareness in cybersecurity while training users to become cybersecurity professionals.

In May 2014, the video game Watch Dogs generated media buzz because critics argued that it "taught children to hack." In actuality, while Watch Dogs does a great job of teaching players about the ubiquity of the Internet of Things, it failed to teach anyone tangible skills because the hacking system built into its gameplay was simplified to pressing a button or two. Over the past decade, major titles such as the Deus Ex series, the Bioshock series, and the Fallout series of games have incorporated hacking into games as a concept, but have simplified the techniques and procedures down to a mashable button or an unrelated mini-game. Most game developers fail to realize that if they incorporated real commands and real techniques into their games, then they would increase player immersion. I remember playing Activision's Vampire the Masquerade: Bloodlines (2001), which often required the player to access computer terminals in-game. The player had to type commands to navigate the in-game terminal screens. In order to learn the password to locked computers, the player had to use social engineering, brute force, or observational skills in the game environment. The experience solidified the game in my memory.

A few games have admirably attempted to educate their audience about cybersecurity. Hacknet is a hacking simulation game released in August 2015. The game propels the user through a narrative using a compelling terminal-based story. As the story progresses, Hacknet gradually teaches users basic hacking skills. Gameplay relies on real UNIX commands, and it requires the user to conduct simulated attacks, which train the user to think like an attacker.

Game developers, like any other software developer, rarely fix all the bugs in the game code prior to release. Game publishers typically release massive patches in the weeks following launch. Using this premise, two former Raytheon Security Researchers, Jordan Wiens and Rusty Wagner, developed another game, the Pwn Adventure series, which simulates a massively multiplayer online role-playing game (MMORPG). Pwn Adventure plays like a bug-ridden MMORPG unless players exploit security vulnerabilities that Wiens and Wagner intentionally worked into the code. Players are rewarded for seeking out and exploiting noticeable vulnerabilities in the code and inferred vulnerabilities in the design. Some scenarios cannot be passed unless players exploit a vulnerability in the code. One area of the game sends an unending slew of angry zombie bears at the player unless the player hacks the game code. If the player does, then the bears become passive and the player is able to open a nearby treasure chest. Different portions of the game pit the player against invincible bosses which can only be defeated with a combination of in-game and out-of-game deduction. One boss, who is made of fire, can be damaged by ice attacks, but is healed if attacked with fire. No matter how much damage the player does to the creature, it instantly heals back to maximum health after a little time. The only way a player can defeat the beast is to first attack it with fire, and overflow the buffer of its health/life bar, before continuing with conventional attacks. In scenarios like those mentioned, players intuitively learn how to search for code vulnerabilities, how to think like attackers, and how to infer vulnerabilities in software design and code.
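The fire-boss scenario above depends on a health value that can be pushed past what its storage can hold. As an added example (not code from Pwn Adventure or from this article), the following C program assumes health is kept in a 16-bit signed counter, with constructed names and values, and contrasts an unchecked heal with a clamped one plus the range invariant a game server could assert.

```c
#include <stdint.h>
#include <stdio.h>

#define BOSS_MAX_HP 10000   /* constructed value, not from the game */

/* Reinterpret the low 16 bits as two's complement: models a 16-bit
   counter wrapping, without relying on signed-overflow UB in C. */
static int16_t wrap16(int32_t v) {
    uint16_t u = (uint16_t)v;                 /* reduce modulo 2^16 */
    return (u & 0x8000u) ? (int16_t)((int32_t)u - 65536) : (int16_t)u;
}

/* Vulnerable: fire heals the boss, but nothing caps the result. */
static int16_t heal_unchecked(int16_t hp, int16_t amount) {
    return wrap16((int32_t)hp + amount);
}

/* Hardened: reject negative amounts, compute in a wider type, clamp. */
static int16_t heal_clamped(int16_t hp, int16_t amount) {
    if (amount < 0) return hp;
    int32_t sum = (int32_t)hp + amount;
    if (sum > BOSS_MAX_HP) sum = BOSS_MAX_HP;
    return (int16_t)sum;
}

/* Invariant a server can assert after every health update. */
static int hp_in_range(int16_t hp) {
    return hp >= 0 && hp <= BOSS_MAX_HP;
}

/* Apply n identical heals with the given routine; return final hp. */
static int16_t apply_heals(int16_t (*heal)(int16_t, int16_t),
                           int16_t hp, int16_t amount, int n) {
    while (n-- > 0) hp = heal(hp, amount);
    return hp;
}

int main(void) {
    int16_t bad  = apply_heals(heal_unchecked, BOSS_MAX_HP, 5000, 5);
    int16_t good = apply_heals(heal_clamped,   BOSS_MAX_HP, 5000, 5);
    printf("unchecked: %d (in range: %d)\n", bad, hp_in_range(bad));
    printf("clamped:   %d (in range: %d)\n", good, hp_in_range(good));
    return 0;
}
```

With the unchecked routine, repeated healing drives the stored value past 32767 and it reappears as a large negative number, which the range invariant flags immediately.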

Cybersecurity video gamification is possible and disappointingly underused. If cybersecurity professionals collaborate with game developers to bring cybersecurity concepts into the narratives of popular titles and work cybersecurity techniques into the gameplay, then the next generation of blockbuster video games can serve as an unmatched educational platform.

Drew Spaniel is a second-year Master's of Information Security Policy and Management student at the Heinz College of Carnegie Mellon University. He is also the visiting scholar to the Institute of Critical Infrastructure Technology, where he writes about cybersecurity.

© 2015 Drew Spaniel. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.