CyberCIEGE: Gaming for Information Assurance

to apply them. Unfortunately, a disconnect often exists between principles and practice. Students sometimes feel that principles are boring or irrelevant, but without them, they can't go beyond " cookbook " remedies. In contrast, the competitive nature of matching wits with cyber-adversaries can be stimulating, but with perceptions molded by hyper-bolic news accounts, students can find critical conceptual issues elusive. As in many disciplines, effective information security requires both a practical and tacit understanding of the science and art of security engineering. Laboratory experiments can help convey these concepts, but a wide range of large-scale, realistic experiments would be too costly for most classrooms. Simulations thus provide a helpful alternative. To address the need for realistic laboratory simulations, educators and researchers have begun exploring the use of games for purposes other than entertainment, such as for education. By capturing students' imaginations and generating a sense of competition , games provide a stimulating environment in which the participant has a stake in the outcome. This emotional investment makes the student an active learner, and the visualization associated with a game can often help to teach or reinforce concepts. CyberCIEGE is a high-end, commercial-quality video game developed jointly by Rivermind and the Naval Postgraduate School's Center for Information Systems Security Studies and Research. 1–3 This dynamic, extensible game adheres to IA principles to help teach key concepts and practices. CyberCIEGE is a resource-management simulation in which the player assumes the role of a decision maker for an IT-dependent organization. The objective is to keep the organization's virtual users happy and productive while providing the necessary security measures to protect valuable information assets. Players face a limitless number of potential scenarios in which they have budgets and must make choices regarding procedural, technical , and physical security. With good choices, the organization prospers and the scenario advances; poor choices often result in disaster. Using the potential tension between strong security and user productivity , CyberCIEGE illustrates that many security choices involve risk management. Games such as Electronic Arts' The Sims and Atari's Roller-Coaster Tycoon illustrate the potential for resource-simulation tools to capture users' attention. They let players engage in planning and construction and observe the results of their choices. Cyber-CIEGE has a similar goal: players build and configure networks of computers, and their choices have visible effects on virtual users' ability to perform productive work and on attackers' ability to compromise assets. The …