Escaping cybersecurity awareness month

maru37
Nov 8, 2022

We did it! Another cybersecurity awareness month in the rearview mirror. Before completely turning the page, I wanted to share some thoughts on the month and look back on what worked and what didn’t.

First, let me talk about cybersecurity awareness month in general. Any reason to engage people on how to be safer on the Internet is a good idea. Not because I say so but because every day, our friends and family are inundated with attacks and scams of all types. I’m sure we can all think of a recent example where a friend or family member had a social media account compromised or fell victim to a successful phishing or smishing message. The risks aren’t hypothetical: they’re real and on our doorstep, regardless of whether you’re at work or at home. As a cybersecurity professional, I think it’s an important part of my job to use this month as a way to make cybersecurity accessible and real for the people in my orbit. In many cases, if I don’t say something, they may not hear it from anyone else (that means you, Mom).

So all joking aside, cybersecurity awareness month is a can’t-miss opportunity to have these conversations.

There are some common ways of engaging people in these conversations. You can bring on guest speakers, hold a lunch and learn, hold training sessions, and write articles/newsletters. All of these things are effective to a degree. This year, my team and I wanted to try something new and a little crazy. Taking a page from Living Security and their “virtual escape room,” my team and I created a real escape room, right in our office. The purpose of the escape room was to engage employees in an immersive way: putting them in the driver’s seat of an actual cyber investigation.

Shoutout to our amazing creative team for help with graphics and marketing.

In our scenario, a fictional character named Mike Silver has been selling intellectual property to a foreign government. Mike has been a system administrator at Woodley College for 25 years. He and his office were created in the spirit of Dennis Nedry from Jurassic Park: crushed soda cans, Christmas lights, O’Reilly books, and other assorted nerd stuff. The purpose of the escape room was for the investigation team to find a piece of evidence in his office and use that evidence as their “exit ticket.” Each team would be timed and the best time would get a prize.

In addition to solving puzzles, participants had to take advantage of sloppy security practices to access Mike’s email and acquire the evidence. Central to the story was that Mike’s criminal handlers had asked him to use a Raspberry Pi for their “work” together. Teams had to unlock Pelican cases to reveal parts of the Raspberry Pi and assemble these parts to acquire the final piece of evidence.

Some of the actual escape room during build-out. Using an actual office lent itself well to the scenario.

The response was overwhelmingly positive. We had 27 teams compete in the escape room; over 100 people. Our surveys indicated that 100% of our participants had fun and 67% reported that they learned something new. Most teams were able to successfully “escape” and the fastest team finished in under 15 minutes (they told us that we needed to make the room harder next year and to that I say be careful what you wish for 😈).

How much did we spend? Other than the time to build it, tear it down, and administer it in between, we spent less than $300 on the room itself. We were able to source a lot of the props and technology from ourselves. New purchases included locks, a cryptex, and posters. It was fairly cheap, especially when compared to online training or bringing in a guest speaker.

While the room was fun for both the participants and for our team, we definitely learned some things. The following come to mind:

  • Raspberry Pis and SD cards don’t always work as expected, so have a backup ready to go.
  • People are going to go down rabbit holes and spend a lot of time overanalyzing little things in the room. Many teams felt the need to set up Mike’s email in the Outlook client, rather than just use GSuite on the web. This cost them time. They also tried to find clues in things that were not intended to be clues. We didn’t intentionally try to create dead ends but people found some anyway.
  • Have a reliable, visible clock. We ended up buying one that would typically be used for a 5K race.
  • Some teams sabotaged the room (I have no idea if it was intentional or accidental so let’s go with accidental). This included deleting emails and files and changing passwords. This made clean-up more challenging after each session.

Kernels gonna panic.

What I learned the most about this activity was that if you come up with something new and creative, people will get on board. Tried and true methods for engagement still have a place but giving people something unexpected that they can enjoy with their friends and colleagues makes for a truly unique learning experience. The event went so well that I am not sure how we build upon it for next year but we’ve got 11 months to figure it out.

If you’re in the security awareness game and want more detailed information about our scripting, materials, puzzles, and overall format, let me know. I’m happy to share what we created to help other orgs develop engaging security awareness programming.
