Fighting the Insider Threat with Among Us
How cybersecurity specialists can use the famous game to train employees
It can be difficult to talk to employees about security, especially if the company faces a high risk of insider threats. Can social deduction games break the ice? They can, according to the authors of the Security through education blog, who explain how to do it using the game Among Us as their example. Here is a translation of the article.
It is believed that the first social deduction game was created by the Russian Dmitry Davydov at the Faculty of Psychology of Moscow State University in 1986. This is “Mafia”, later known as “Werewolf”. In developing it, Davydov tried to combine psychological research with his teaching duties.
The concept was developed further in numerous board, card and role-playing games (for training sessions and for parties). The move of the hobby into video and online formats led to the worldwide popularity of such games, and Among Us completely blew up the Internet.
In Among Us, the “good” participants try to complete a game task (returning home in a spaceship). But some of the team members are saboteurs, called “impostors” in the game. Their goal is to take the rest out of the game. To avoid being discovered, impostors need to scheme and sabotage.
Inside the game, communication is carried out using voice chat. Every time the players “find a body”, they call an “emergency meeting” to talk and vote on which of them is the impostor.
These meetings are one of the few ways for honest players to gather information about who the impostor is, and for the impostor they are a chance to spread lies and deflect suspicion.
Viewed from a psychological point of view, the game demonstrates the principles of social engineering that we face every day.
The researchers ran several games with different groups of people, some who knew each other and some who were strangers. Participants were asked to pay attention to what influenced winning or losing, which ways of testing suspects worked best, and which of the impostor's social engineering techniques were the most effective.
The most effective approach for an impostor was to pretend to be a novice who needed help or didn’t know what to do. Such an impostor deliberately made mistakes and gratefully accepted help in order to gain trust. They tried to look as harmless as possible, always had a fake or real alibi, and kept their mouths shut when needed. This let suspicion fall on other players, even those with higher game status.
The researchers drew some interesting insights from the game. The most effective players, both good people and impostors, know the rules and the playing field well. That is, they know where it is better to move, what the secret routes are, how long this or that game task takes and how to complete it. Moreover, they used this knowledge skillfully and creatively, both to identify people who behaved abnormally and aroused suspicion, and in the “interrogation” phase.
However, information gives more of an advantage to the honest players, so the impostor's most effective technique is sabotage, which deprives other players of information. The impostor turns off the lights to distract the players. Some of them leave to “fix the lighting” and do not know what is happening at the other end of the field, where the impostor continues to commit atrocities in the game and then blames someone else.
So what lessons from this childish social deduction game can security professionals apply to real corporate life? For one thing, it’s almost impossible to spot a liar by instinct. Numerous studies with more than 24,000 participants showed that the average accuracy of detecting a traitor was 54%.
Keep these statistics in mind if you are used to trusting your instinct to “spot a cheater a mile away”.
So what can be done to reduce the risk of insider incidents?
1) Information is everything. Your employees, especially management, need to know the company’s security policies very well. All team members should be aware of what other departments are doing, what is “normal” behavior for them and what is not. Employees need to be trained to share their doubts.
2) Trust but verify. The impostors won very quickly if the players did not coordinate with each other and did not try to check for lies. The same thing can happen in a company. When something suspicious happens, communication between departments should be open. In addition, there should be clear feedback so that people are not afraid to report security concerns and threats.
3) Access segregation and information monitoring. Yes, information is everything. And we were just saying that a team (read: employees) needs information to spot impostors (read: insiders). But there are limits to awareness. Employees do not need to know the specifics of how the company’s technical infrastructure is organized in detail. Access segregation is very important, but even so, access to critical information should be monitored.
It is often difficult for information security specialists to explain to non-professionals why security is important. References to famous social deduction games such as Among Us make the topic more accessible. You can even gather employees and play a few rounds so that they see how easy it is to be deceived and to miss an impostor in the team. This way teaching the team can be enjoyable, and people will be happy to communicate.