Security Games

Air Force puts software in play to reinforce training

We think this game can help organizations meet training and awareness requirements better than yet another set of dreary PowerPoint slides. ' Cynthia Irvine, NPS

Naval Postgraduate School

When Jackie Hoover tells her security classes that they have to be commercially certified in the next five years, 'their eyes get really big' ' and not in a good way, she said.

The new policy, DOD Directive 8570.1, mandates that all Defense Department information assurance technicians and managers ' that's about 110,000 military, civilian and contractor employees ' be certified to meet DOD requirements within five years.

The directive 'has shocked everybody I've worked with,' said Hoover, director of the Technical Education College next to Peterson Air Force Base in Colorado Springs, Colo. The college offers technology classes to personnel at the Air Force Space Command and other Air Force bases.

'You have to get these commercial certifications or you may lose your job,' she said. 'And they're not easy tests.'

Hoover teaches Security+, one of a series of classes that count toward the requirement.

With so many students to teach so quickly ' as many as 300 students in the last quarter ' Hoover looked for an easy-to-use training tool that would reinforce what students learn in the classroom.

She discovered Cyberciege, an online simulation game that lets students role-play aspects of network management. Students can hire and fire employees and ' using virtual money ' buy and configure computers, servers, operating systems and network devices.

'Our main goal is to get people ready for deployment to places like Iraq,' Hoover said. 'They have to set up networks securely there but don't have contractor help like they do here. Our school is the last place to reinforce what they've learned before they go.'

Cyberciege was developed by the Center for Information Systems Security Studies and Research at the Naval Postgraduate School in Monterey, Calif., working with Rivermind, a game development company.

'Students say it's a lot more entertaining and informative than they thought it would be,' said Mike Thompson, a research associate at the Naval Postgraduate School. Network security can 'be pretty mundane stuff. We spice it up.'

For example, one game scenario includes what happens when a person with pinkeye gets an iris scan.

'We knew about information assurance,' said Cynthia Irvine, a professor at the Naval Postgraduate School. 'Rivermind knew about graphics and games.'

The school wanted to develop a resource management game, Irvine said. The question was how they could infuse the dry routine of information assurance with the drama of game playing.

We had to give players an emotional investment in what was happening, she said. 'They had to be invested in the success of the virtual company and keep the virtual users of the enterprise happy and productive. We think this game can help organizations meet training and awareness requirements better than yet another set of dreary PowerPoint slides.'

Cyberciege shows them why 'you can't just leave your passwords posted underneath your drawer,' Irvine said.

Cyberciege comes with a motley cast of characters. There's Typical User, who just wants to do the job; Angry User, who is looking for ways to harm the enterprise; and Vandal, who's motivated by boredom, desire for attention or just plain technical curiosity.

Unlike in the real world, where mind reading is reserved for psychics and magicians, Cyberciege players can query characters' thoughts. 'I sure would like more convenient Internet access,' one character might think. Players can then help the characters meet their goals.

Written in C++, Cyberciege uses Rivermind's 3-D graphics engine and Java. It will run on machines with Windows 2000 through Vista with 64M of RAM, Thompson said.

Cyberciege is available at no cost to federal agencies by contacting cyberciege@

About the Authors

Trudy Walsh is a senior writer for GCN.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.