Simulating cyber security management: A gamified approach to executive decision making

Abstract

Executive managers are not all equipped with the cyber security expertise necessary to enable them to make business decisions that accurately represent the status and needs of the cyber security side of the business. Unfortunately, the lack of understanding between the business and cyber security domains contribute to structurally endorsed vulnerabilities within a business context, where either the business needs were considered without understanding the impact on cyber security, or alternatively, the cyber security needs were considered without fully understanding the impact this would have on the business strategy and financial stability. To combat this dilemma, a gamified approach to cyber security training for executives is proposed as a solution to not only minimise the realisation of cyber vulnerabilities within a business context, but also to improve business outcomes that are supported by cyber security measures. We developed a serious game software platform, Aurelius, to simulate an executive decision maker's role in managing the everyday cyber security investment decisions, and linking that to business metrics to incorporate the business and cyber security understanding. Our game includes simulated cyber security attacks that would require the executive decision maker (the player) to respond appropriately. The algorithms underpinning our simulated cyber security game are a product of a complex systems approach, as this most accurately models an executive's experience. In our design, we set up Aurelius to fulfil eight of the nine criteria specified for a state of the art serious game in the cyber security domain.