October is cybersecurity month and this did not go unnoticed within Belnet either. To make our colleagues aware of the dangers of social engineering, we have already organised the 'Piece of Cake' role-playing game developed by our colleagues from the Swiss research and education network SWITCH several times in recent months.
Cybercriminals have known for a good while that it is often easier to hack people than heavily secured systems. They use various techniques, such as CEO fraud, to manipulate users into unwittingly giving away confidential information or money. Figures from CERT.be show that a total of 39.8 million euros was stolen in 2022 as a result of phishing – an increase of nearly 60% compared to 2021. So it is clear that we need not only professional security services that protect our infrastructure and data, but also experts in communication, training and behavioural change who make our users the 'strongest link'.
But how should you make users aware of security risks? How do you manage to motivate them to modify their behaviour – which is often based on habits? Traditional training methods are certainly useful, but sometimes lack interaction and creativity. Enter gamification: the use of game elements to enthuse users to solve problems and motivate them by incorporating elements of competition and reward into training. Moreover, training methods based on gamification have been shown not only to increase the knowledge gained, but also to retain it for longer.
Piece of Cake
Our colleagues at SWITCH, the Swiss research and education network, understood this well and developed a series of hands-on training courses for their community called 'SWITCH Security Awareness Adventures'. Each 'adventure' consists of a mix of theory and practice, with teamwork at its core.
At Belnet, we recently got to work with the tabletop role-playing game 'Piece of Cake'. Led by a game master, our colleagues were challenged in groups of five to think outside the box. Their mission: to recover the stolen recipe from their (fictional) bakery by deceiving the competition and using various social engineering techniques.
A debriefing followed the role-play, in which we went over the various social engineering techniques used by the group. Someone sniffing around in trash cans searching for sensitive information? A good example of 'dumpster diving'. Or one of the players posing as a supplier to gain access to the competing bakery? A typical example of psychological manipulation employed by cybercriminals to deceive their victims.
Piece of Cake demonstrates the importance of protecting personal and sensitive information from unauthorised access. The game requires no preparation on the part of the participants – only a good team spirit and a hefty dose of creativity. Afterwards, you will go home with insight into the techniques of cybercriminals.
The 'Piece of Cake' game can be used free of charge for all purposes (Creative Commons). The game materials have also been translated into Dutch and French.