Managing Network Security

The Network Security Game

by Fred Cohen


Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Introduction:

My first "official" corporate training experience came some time in the early 1970s and, frankly, I was as bored then as I was the last time I got the same old talk on computer security from our local computer security guru. Even the most exciting briefings on computer security are hard to remember in much detail. And for the most part, they don’t translate into my day-to-day decisions. Perhaps even more importantly, many of my co-workers over the years who are not computer security experts could never get to a level of understanding necessary to put the words into actions. Unless the exact circumstance discussed in the lecture came up, there was almost no chance that any of them would know the right thing to do.

In the eternal quest for better ways to teach and learn corporate security policy and practices, many different techniques have been tried. "Loose lips sink ships" and similar posters were popular for a while, and I have to say they keep awareness high as long as we create new and interesting posters on a periodic basis (once a month is about right). Cartoons are also effective awareness tools, but like posters, they only increase a little bit of awareness for a short time period and they only give the reader a small amount of specific information. As awareness tools, they are fine, but as teaching and learning tools, they are poor at best.

Short courses are too expensive for teaching every employee what they need to know, reading policy statements almost always makes employee eyes glaze over, and computer-assisted learning about corporate policy always seemed to me more like punishment than learning.

It was, therefore, with great hesitation, that I agreed to get yet another round of ethics training at 7:30 in the morning when my boss stopped by the office and asked if I wanted to come with him. In my mind, it was going to be another early morning of progress interrupted by mindless drivel.


Dilbert on ethics?

On the way to the training center we discussed various program issues – time is precious in our office and we don’t waste it if we don’t have to. Upon arrival at the training center, we said hello to the other folks who would also be trained, but to my surprise, the room was set up more like a bridge tournament than like a lecture hall. On each table there was a board set up, there were score cards, tokens of some sort, and other such items reminiscent of a game. But most bizarre of all, there were Dilbert cartoons on all of this paraphernalia.

As the training began, it turned out to be a game in which teams of players worked together to decide on their solutions to ethics issues. Through the process, much of the corporate ethics policy was discussed with specific discussion of examples from the work-lives of the participants. In my view, it worked very well.


Why the game worked:

One of the reasons this training worked so well is that it used active learning – learning where the learner is involved in an engaging activity and applying the knowledge in a way that interests them. Active learning is widely considered the most effective educational technique we have available. Starting in the 1800s when Maria Montessori introduced active learning to the classroom, there has been a slowly growing consensus that people learn faster, retain their knowledge longer, and use their knowledge more effectively when they play an active role in learning it. My children are taught with active learning in their schools and, although I didn’t know it at the time, most of my best learning experiences were in active learning situations.

Another reason this activity is effective is that trainees consider a range of possibilities and come to understand not only the letter of the law but also how the policy is applied within the organization. Since it is impossible to write down every possibility, the written word can only go so far in explaining the issues. The goal of the training should be to explore a range of scenarios within the culture of the company to help people think about issues in the right way. This cannot be done effectively by computers or by strangers. It must be done with people in your organization involved in the process at every step. It works even better when employees work together with their managers, and still better when this happens at every level of the organization.

This situation ethics approach to training policy:

All of these contribute to the learning activity and help to bring the lessons home.

In an interactive and cooperative environment, there are rewards for doing the right thing, but there are also chances to explore many possibilities that you couldn’t learn about in a lecture. There is the chance to learn from your fellow employees and find out about new and better methods.


Translation:

Once I saw how effective this method of training was in ethics policy training, I decided to try to translate it into information protection policy development and training.

For many years, we have used strategic games to help develop people and policies, but these games have rarely involved board-game technology. Rather, they involved scenario development by specialists, scenario review by the players, play of the game by policy makers and experts, and write-up of game results by observers in conjunction with specialists. Board games are more commonly used for tactical games because they tend to show relative positions in a competitive situation.

Another important consideration in creating board games for this sort of training is that the way the game works may lead players to get rewarded or punished inappropriately. For example, the scoring system might lead players to take chances that would not be prudent in a real situation.

Another concern is that each company has a unique information protection policy. A standard board game would not really be suited to any specific company, but the development of a completely customized game for each company would be expensive. Unlike a game for ethics or harassment policy training, almost none of the policy elements used in information protection are fixed by laws or well-defined standards. Each organization makes its own rules and lives by them.

We decided that a proper tradeoff could be achieved by designing a semi-custom board game. We invested development funds to create a customizable game-board, a set of flexible reward and punishment features, and a range of subject matter suitable to a wide range of organizations. We then customize the game for client policies, creating a semi-custom board game tuned to specific policies within each organization we serve. By tuning the scoring system, the subject matter, and the board itself, we are able to serve each client with a game suited to their need while keeping costs relatively low (on the order of US$10 or less per employee trained).

Another benefit of this approach is that it allows us to use the same game to help clients develop security policies. In its role as a policy development tool, the game is played with top management. If a policy is in place, we score top management according to the policy. If they don’t agree on the scores, we help update their policy by reflecting their view of the proper score in updated policies. If no policy is in place, we undertake some preliminary policy development and use those results as a starting point for finalizing their new policy. The results of this process are then reflected in the game so that employees can be trained with the same method used to develop the policy.


Application:

In application, these sorts of policy training games are facilitated activities. When a training game is first introduced to an organization, expert facilitators run a game for managers – typically at one level below a vice president. The vice president is normally in attendance to help answer any organizational questions that come up. From that point on, each level of management facilitates the game for the next level or two within the organizational hierarchy. In this way, managers get trained twice – once by their supervisor and once when they have to facilitate the game for their employees.

As part of the game, responses are collected from participants. This feedback is then used to provide the organization with details on how well employees understand policy issues and what elements of policy are misunderstood and in what way. It is also important for those who facilitate the game to listen to feedback they get during the game and to report this up the management chain. Management can then respond to organizational issues that are not covered by current policy or are poorly reflected in the game and make policy and game improvements over time.


Test market:

In order to test out these ideas, we engaged in a test market with some of our better clients. In exchange for testing the game, we offered a substantial discount if they chose to use the game for their training program. Semi-custom games were created based on each company’s policy and delivered to the customers for a limited time.

People who have played these games have told us how much they enjoyed the experience and how much more pleasant it was than other training experiences they have had. And the element of chance introduced by the gaming environment keeps things interesting even for the most die-hard curmudgeon.


Limitations:

The board-game technology has proven itself very useful and effective in training people who work for organizations in organizational protection policy, but it is neither a panacea nor the only or final solution to the protection training challenge.


Conclusions:

The use of board-game technology appears to be a viable and effective training tool that should be considered another arrow in the computer security manager’s quiver. It appears that this technology will have a bright commercial future as well because it is quite cost-effective and has a high acceptance rate among employers and employees.

For interested readers, a demonstration training session using a board game technology will be presented at the 1997 Computer Security Institute annual conference in Washington D.C. In this session, a limited number of attendees will have the opportunity to experience a mini-game for themselves and hear about its advantages and limitations. There are only a few chairs available and the conference is expected to be quite crowded, so please sign up early if you are interested in experiencing a game.


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net.