When we were kids there were numerous ways to play a ‘goodie’ or a ‘baddie’ but we quickly learnt that heroes and villains were co-dependent. There was no earthly point in wandering around being evil if a group of co-operative saps weren’t available to receive the fruits of your dastardly plots. Likewise, being good (always the less favoured and less interesting role) gets a whole lot more boring if the villains don’t show up.
The Relative Merits of ‘Good’ and ‘Bad’
We played these games to learn the rules; of course, villains had all the fun because they broke every rule, but they tended to end up loners with everyone reviling them and nowhere to call home but a lonely lair. The ‘goodies’ maintained the rules – and felt the utter frustration of having to do so – but beyond all else, they held the moral high ground, even if the battle was lost, and returned as a group to their loving homes.
You Be the Hacker and I’ll Be the Weakest Link…
So, are kids now playing ‘hackers and users’? I doubt it. The shadowy figure of the cyber-villain has still to enter our popular imagination, and the range of dastardly deeds enacted upon victims will need to extend beyond frantic tapping on a keyboard to make the role attractive. Does it matter that the most potent image we have of the hacker is a spotty youth, wearing a hoodie and living a nocturnal existence in his mom’s basement?
There’s a Villain-Shaped Hole in Our Heads That Needs Filling
Yes, it does – because it leaves a villain-shaped hole in users’ heads where the hacker should reside. A recent study conducted by US academics discovered that employees who are required to learn about security at work are frustrated by the lack of a ‘villain’ when it comes to the information available to them. Presented with the contemporary world of cybercrime, employees are asked to act as frontline defenders in the workplace; they have a crime to stop but very little information about the potential villains or their motives.
Seeing the World Through the Eyes of Our Opponents is a Strength
We make the world we reside in by trying out different perspectives and shuffling them like cards to see what we’ll adopt and what we’ll reject. Making rules and having moral convictions is all part of this process; the rules are the framework that defines the kind of person we are, but – crucially – we only know that by trying out the villain’s view of the world and making a personal decision about where we stand in relation to it.
The Hacker’s Perspective
Try out something simple: get your employees to take on the role of the villain and, working in small teams, plan an attack on your own business. Give them permission to wreak havoc – on paper – and even promise to award a prize to the best ‘hack’.
We’ve run this activity numerous times with large and small businesses and it never fails, so long as it’s playful, fun and not about ‘teaching’.
Benefits of Adopting ‘The Hacker’s Perspective’
- The mixture of ‘dare’ and ‘challenge’ brings the kind of focus and energy to cybersecurity that CISOs dream of.
- Participants discover what they don’t know, such as what data is valuable to a hacker and why. This leads to questions, sharing of knowledge, and fevered internet searches.
- Vulnerabilities start to make sense. The ‘hackers’ are able to look at themselves as users from a different perspective and begin to understand why certain behaviours are so dangerous.
- Once there’s a villain, heroes are born, giving the role of frontline defender new weight and moral integrity.
- Playful hackers are a CISO’s best friend. Planning an attack gives clarity of vision; the ‘villain’ can critique the business with a professional eye and provide clear feedback on what needs to be sharpened up.
For a more detailed discussion of this approach, and case studies, register for our free webinar: The Hacker’s Perspective: Helping Employees Identify Security Vulnerabilities https://attendee.gotowebinar.com/register/1148828402759529729