The Role of Game Design in Cybersecurity Training with Peadar
Episode 13 • 8th October 2025 • Security by Default • Joseph Carson

Shownotes

This podcast episode elucidates the pivotal role of game design in enhancing cybersecurity training, presented through an engaging dialogue between the host, Joe Carson, and guest Peadar. The discussion commences with Peadar's fascinating transition from education to game design, highlighting the necessity of bridging the gap between technical and non-technical audiences in the cybersecurity sphere. We delve into the essential components of effective games, which encompass goals, rules, feedback systems, and voluntary participation—elements critical for fostering engagement and retention of knowledge. The conversation further explores how games can serve as metaphors for complex concepts, enabling participants to internalize essential cybersecurity principles while navigating the intricacies of communication between diverse stakeholders. Ultimately, this episode underscores the transformative potential of integrating game mechanics into cybersecurity training, advocating for an approach that prioritizes understanding over mere rote learning.

In this episode of the Security by Default podcast, host Joe Carson engages with game designer Peadar, Gamification Lecturer at Tallinn University, to explore the intersection of game design and cybersecurity training. Peadar shares his journey from teaching to game design, emphasizing the importance of using games to facilitate learning in complex subjects like cybersecurity. The conversation delves into the fundamental elements of games, the challenges of creating effective training games, and the need for conceptual transfer games that bridge the gap between technical and non-technical audiences. Peadar also discusses the future of cybersecurity training, the significance of soft skills, and the different player types in game design. The episode concludes with recommended resources for those interested in game design and cybersecurity.

Peadar Callaghan, Gamification Lecturer at Tallinn University, Digital Learning Games Lab, Digital Technologies Institute, Tallinn University.

Lecturer in Gamification, Learning Game Design, and Fundamentals of Game Design in the Digital Learning Games Master's program.

Key Takeaways

  • Games can help people understand complex subjects.
  • Cybersecurity is a business problem, not just an IT problem.
  • Effective training requires engaging and simple game mechanics.
  • Checkbox training is ineffective for real learning.
  • Conceptual transfer games are essential for non-technical audiences.
  • The average age of gamers is increasing, indicating a shift in demographics.
  • Soft skills are crucial for effective communication in cybersecurity.
  • Games can create a safe space for learning from failure.
  • Understanding player types can enhance game design for training.
  • The future of cybersecurity training lies in small-scale, experiential games.

Chapters

  • 00:00 Introduction to Cybersecurity and Game Design
  • 02:45 The Role of Games in Learning and Cybersecurity
  • 05:52 Fundamental Elements of Game Design
  • 09:00 Applying Game Mechanics to Cybersecurity Training
  • 11:46 Challenges in Cybersecurity Training Games
  • 14:38 Conceptual Transfer Games for Non-Technical Audiences
  • 17:44 The Future of Cybersecurity Training
  • 20:52 Understanding Player Types in Game Design
  • 23:47 The Importance of Soft Skills in Cybersecurity
  • 26:28 Recommended Resources for Game Design and Cybersecurity
  • 29:24 Conclusion and Future Directions

Resources:

https://www.linkedin.com/in/peadar-callaghan-a218721a/

https://www.linkedin.com/school/tallinn-university/

https://www.tlu.ee/

Book - Reality Is Broken: Why Games Make Us Better and How They Can Change the World - https://a.co/d/hzvwYtf

Book - Game Design Workshop: A Playcentric Approach to Creating Innovative Games by Tracy Fullerton - https://a.co/d/5jnbDg6

The discourse encapsulated within the latest installment of the Security By Default podcast illuminates the intersection of gaming and cybersecurity, as host Joe Carson engages in a profound dialogue with Peadar, a distinguished game designer whose journey from education to cybersecurity amalgamates two seemingly disparate realms into a cohesive narrative. Peadar's evolution into the cybersecurity domain stems from his profound interest in how games facilitate learning and comprehension of complex topics, specifically within the cybersecurity landscape. Their conversation traverses the pivotal role of communication between technical experts and non-technical stakeholders, emphasizing the necessity for a shared lexicon that bridges the gap between these divergent groups. Peadar elucidates his belief that security has transcended its traditional confines as merely an IT concern, asserting its emergence as a fundamental business issue that necessitates collective understanding and collaboration across organizational hierarchies. Furthermore, the discussion delves into the fundamental components of game design, wherein Peadar asserts that a game is defined by its objectives, rules, feedback systems, and voluntary participation. He critiques the prevalent practices within cybersecurity training, advocating for the incorporation of engaging and accessible game mechanics that foster genuine understanding and behavioral change rather than rote memorization. Through the lens of his doctoral research, Peadar advocates for the development of conceptual transfer games that align technical knowledge with business implications, elucidating the significance of understanding the repercussions of cybersecurity threats on organizational operations. This episode lays bare the transformative potential of integrating game mechanics into training methodologies, positing that such an approach not only enhances engagement but also facilitates a deeper grasp of cybersecurity's critical nature.

The conversation further unfolds as Peadar discusses various game dynamics and their implications for cybersecurity training. He critiques the tendency for training games to become overly complex, thereby hindering their effectiveness in engaging learners. By drawing on the principles of successful game design, Peadar emphasizes the need for simplicity and clarity, allowing participants to focus on the learning objectives without being overwhelmed by convoluted mechanics. He shares his perspective on the importance of experiential learning through games, advocating for smaller-scale games that serve as effective icebreakers, fostering receptiveness to deeper educational content. This notion resonates throughout the dialogue, highlighting the necessity for organizations to adopt a more nuanced and thoughtful approach to training that transcends traditional methodologies.

In summation, this episode serves as a clarion call for the cybersecurity domain to embrace innovative pedagogical strategies through the lens of game design. By recognizing the multifaceted nature of cybersecurity as both a technical and business challenge, practitioners can cultivate an environment where learning is not merely a checkbox exercise but a dynamic, engaging experience that empowers individuals across all levels of an organization. Peadar's insights challenge the status quo, urging a reimagining of how we approach training and education within the cybersecurity landscape, making a compelling case for the integration of gaming principles to foster greater understanding and collaboration in an increasingly complex digital world.

Transcripts

Joseph:

Hi everyone. Welcome back to another episode of the Security By Default podcast.

I'm the host, Joe Carson and it's a pleasure to always bring you thought provoking ideas, creative, innovative discussions in order to keep you up to date with all the hot trends and topics around cybersecurity.

And I've been waiting for this type of episode for quite a long time and I'm really excited to have an amazing guest, a fellow countryman from Ireland. So it's always great.

Hopefully we won't have to do too much translation and subtitles in this episode if I get into my natural local language, but we'll try to keep it as clear as possible. So, Peadar, welcome to the episode.

You want to give the audience a bit of background about yourself, what you do, and maybe how you got into the industry as well. So that was an interesting origin story.

Peadar:

So I'm actually a game designer by trade, so.

Well, originally I was a teacher and I became very, very interested in how we could get people to learn very difficult and complicated subjects, how we could get people to engage with things that are hard to understand, hard to conceptualize, hard to work with.

So I went from being a teacher to studying how games help learning and how does this impact with, with situations like that. How I got into cybersecurity? Well, I met a friend at a.

Joseph:

Bar, typically where it all starts, and.

Peadar:

The pub where it all starts. I met a friend at a bar and we were chatting away and I was like, so what brings you to Tallinn? I'm here studying to be a learning game designer.

And their response was, oh, I do cybersecurity. Do you want to take a look at a game that I developed to help people understand cybersec? And I went, sure, I'll take a look at it.

It sounds interesting. I went and took a little bit of a look and went, okay, you could improve it by maybe doing this or maybe doing that.

Or is this really the message that you're wanting to send or is this how you want to work this out? Had a long discussion with them and then published a couple of white papers together.

And when I started to look around for projects to pursue my PhD, I decided that I would incorporate cybersecurity into it.

Joseph:

Awesome.

Peadar:

So I'm, I'm very much a Luddite in some regards when it comes to the technical side of things, but what I do is I bring the understanding of the gameplay and the psychology to the space. And this is actually really quite an important thing to do because you get a lot of technical people getting trained up via the technical skills.

But the issue with cybersecurity isn't just the technical.

It's getting the technical to talk with the non technical, getting the management to understand what it is that the technical is saying and finding a commonality and a common language to link those all together.

Joseph:

Absolutely. So yeah, and we've created, we've had that. I mean, that's been a problem, that's been, it's challenged many times over the years.

You know, we go back into the 90s and we actually created the whole IT service desk that was just to solve that problem. They were meant to be the intersection between technical and the business. So the whole industry was created out of that problem.

But we've got into where I think the massive change in this, you know, industry is that it's no longer just an IT problem and it's no longer security, is just an IT problem, is bug become that security and it is now very much a business problem. So the people that historically support were talking to, which was, you know, tends to be more technical users.

Now we're getting into where it's not just technical users, it's the business. And they speak a very different language, which is typically lost in translation at many times.

Peadar:

And one of the things that games do that are absolutely fabulous is they teach you a new language.

You start to form a shorthand to communicate with each other and you start to be able to empathize with each other and empathize with how the other person's role is going. So the thing that I've looked at in my PhD research is how are games used in cybersecurity training?

And there is that differentiation and we have to make that differentiation between the ones that are being used primarily by the technical audience and the people with the master's degrees in cybersec or in information technology or whatever, and the games that then act as bridges and help the understanding between those two, the disparate groups.

Joseph:

Can you share some, what's some of the fundamentals of a game? What's the.

Let's, let's start with, you know, typically for me, when I get into learning a new game, like the game that you created, which is the one that I'm showing with the audience here, which for me was very interesting. And I've came across, you know, different card games over the years.

For me, you know, some of the game elements when I'm playing games with the kids, we do a lot of escape rooms and typically you've got some type of, you know, basis of the rules, the rule book and stuff. So what, what is the, the fundamental elements of a game? And then we can get into some of that. The kind of crossover section.

Peadar:

A very deep question that could take about three hours. So I'll, I'll go, go with my personal favorite definition.

Joseph:

Okay.

Peadar:

Which is taken from the philosopher Bernard Suits and adapted by Jane McGonigal, who wrote Reality Is Broken. If you ever get a chance, read Reality Is Broken.

Joseph:

It's now on my list of books to read.

Peadar:

Absolutely amazing book. A game has four, consists of four discrete elements or four things that make a game.

So a game has a goal, something that you're attempting to achieve. It has rules which make achieving the goal more difficult, not easier.

Joseph:

Okay.

Peadar:

And this is really important.

It has a feedback system, a method for us to see that we're moving towards our goal, the progress, that progress is being made and we can see that it's going in that direction. And finally it is voluntarily entered into. You can't force somebody to play a game.

And this is one of the problems that I have with a lot of people who end up doing work in the area of serious games or security training games. They try to grab the player by the scruff of the neck and force them into the training environment.

Joseph:

You have to want to do it.

Peadar:

You have to want to do it.

Joseph:

Otherwise you won't meet. The fundamental of what you're saying is if you're not willingly participating, you're not going to meet the goal.

Peadar:

Yes, this is, this is kind of fundamental to it. Other, the other aspect of it is the old adage of you can lead a horse to water, but you can't make them drink.

Joseph:

Exactly.

Peadar:

In this case, you can lead players to information, but you can't make them think, consume it.

Joseph:

And you want it. Also, you know, you don't want it to sit in their short term memory. It's just a moment of the game. You want this to be something that gets ingrained.

It becomes permanent memories.

Peadar:

Well, not just permanent memory. You want it to impact behavior. And if you're looking to impact behavior, then we have to look at how it works that way.

But to go back to the four components, let's take an example of a game. Would you care to throw one out there?

Joseph:

Let's do Risk. Risk, that's one of my, one of my kind of favorites. And Monopoly as well is pretty much.

Peadar:

Well, let's go with Risk because I personally believe that the best way to play Monopoly is by throwing it out a window while it is set on fire.

Joseph:

But we quick run Monopoly, which is the fun part. But let's stick with Risk.

Peadar:

Okay, so the goal of Risk is to take over the world. However, you can't just do it by putting your pieces on everywhere and just brushing everybody's pieces aside.

Then you're not playing Risk, you're just putting pieces on a map. The rules make achieving the goal more difficult. You have to roll a certain amount of dice, you have to move your components in the various places.

You get a feedback, you get the game state to show you where you are and what's going on. And then of course, you have voluntary. You can't force somebody to play Risk. You put a gun to my head and tell me to play Risk.

I'm no longer playing Risk. I'm playing Please don't shoot me.

Joseph:

Yes, it's a different, different goal and motive.

Peadar:

Yeah, but the, the thing is that that model, that, that four step model or that four components. The. Sorry, the, the word is defeating me for a second.

Joseph:

The rules, the rules that we have.

Peadar:

Yeah, it's a structuralist view. This can be applied to training, this can be applied to training, this can be applied to education.

This can be applied to all manner of different environments.

And if you want to make the environment more engaging, applying those ideas and those concepts to it will really make the situation much more interesting and engaging for your audience from the start.

If you just want somebody to do something again and again and again and again and again, adding constraints and rules into it with a feedback system is going to encourage them to do it. If we take a look from the cybersecurity perspective, the classic example of this would be the capture the flag exercises.

Joseph:

Yep, that's what I'm pretty familiar with. That's one of my favorite, favorite things to do. If I have enough time, I'd be playing CTFs all day long.

Peadar:

Yeah, but the thing is that that's the exact, the exact word there. You'd be playing CTFs the whole day long. The CTF is by its very nature a game that has a goal.

It has rules that are encoded into the system and also social rules that make achieving that goal more difficult. It has a feedback system that you're aware of and you can't force yourself to play.

You can decide you can be encouraged to play, but you can't be forced to.

And the cyber ranges, CTFs, all of those activities that are commonly used for training technical, technical workers are at their very essence, games. And that's part of what makes them engaging.

The Issue that I have with a lot of the games that are used in, in the cybersecurity training space is that they tend to suffer from feature creep and bloat. So they may start off very small, simple, clean, crisp and everything like that.

But somebody goes, yes, but can't we add, can't we add another element here and another element here and suddenly you're ending up with. That has slowly expanded out to the point where it becomes difficult to set up.

Joseph:

It's overly complex.

Peadar:

Overly complex to explain. I don't know if you've ever played any major war games like Axis & Allies or games like that.

Joseph:

Not, not, not that I recall. Not in a long time.

Peadar:

Well, the, the thing with Axis & Allies is it takes several hours and a rulebook about this thick that you have to read to be able to play the game. The cost of entry starts to go up.

Joseph:

Yeah. Even I think one game that, that reminds me of is this Scythe, the bird game that we have it at home.

And I remember, you know, sitting down, I was like, okay, how do we play this game? And I was just like, oh my goodness, I had to watch hours of videos.

Peadar:

Yeah.

Joseph:

Just for the entry and to, you know, I understand that when you start playing the game and you start understanding it that it becomes very, very exciting and intriguing and you know, the progress and the goals and that feedback loop is there, but the entry level, it's, it just becomes way too much for the average person who wants to just play a game. It's just, you know, the rule book has to be something that very simple, quick to, to, to get started.

But when that becomes almost like a game in itself, to learn how to play the game.

Peadar:

Yeah.

Joseph:

It becomes a blocker.

Peadar:

Yeah. And this is, this is an issue, we have a tendency, especially in training games of them being there being a.

To complexity and there being a pressure to build more and more and add new elements to it when sometimes what you should be doing is producing something smaller scale that is quick and easy and gets people onto the same page. And this is a, a gap in the marketplace for those types of training games and those types of training experiences. Yeah, yeah.

Joseph:

Just thinking about some of the platforms out there, I absolutely didn't know that. You know, even just a, the technical requirements that get onto those environments also becomes a constraint as well.

Peadar:

Well, the, the thing is, if you're trying to get people to. Games can serve multiple purposes, even within training.

In fact, my current article that I'm working on in my PhD is looking at all the different Ways that games can be used in a training modality. I'm presenting a framework to understand how learning happens in games.

And understanding this also makes you realize that a game that does this thing is not the same and is not as. Is not the same as a game that does this.

And the constraints and the design decisions that you make to focus it in this direction are different from the design constraints and decisions you make to focus in this direction. So for example, the CTFs and the cyber ranges, they're very practice orientated but there's a high cost of entry.

Joseph:

Yeah, they're very focused on getting habit, is getting, getting the nature natural. Kind of like, you know, you practice, practice, practice, practice. For me it's almost like playing sports. I play football on a regular basis.

Hopefully back on Wednesday this week, which I'm excited about because you've seen me, you've seen me in crutches in the past. I'm hoping that, you know, my injuries are now behind me. But for me it's that word, the practice side of things.

And I think that's a lot of where the hacking gamification platforms today are to have that element of practice and simulate. But I agree entry level is way too high. It's too high and it ticks.

I've even myself, I created a training course to get started, an introduction into hacking gamification because for people to get started you can get lost very, very quickly.

Peadar:

And the other thing is that this isn't actually the gap as we talked about earlier. The gap isn't getting people to practice technically. There, there's solutions available for that.

The gap is getting the non technical people to be able to interface with the technical people. And it turns out that we don't need practice games for that. What we need are what I call conceptual transfer games.

Joseph:

Yep.

Peadar:

And they're more communications.

Joseph:

It's like, you know, one side of the card is. Here's, I think I remember the game is, you know, that you created the card game.

One side's the technical aspect and the other side is the business aspect of things is the impact. So what's the, you know, what's the risk and what's the impact of the business? And that's what we need to absolutely need to translate.

It's all, it's about training the business into that. What does a ransomware mean to the business? What does a phishing compromise mean to the business? And having those translations and overlap.

It's about a game that has a minimal, you know, a minimal entry level barrier for Everyone to get started.

Peadar:

And oddly enough, there are good models for this. There are really good game models for this. A lot of role playing games are great examples. We can see from the history of wargaming.

We can see the movement from the rigid wargaming, the practice, rigid wargaming, towards more open, fluid models with matrix wargaming and with seminar gaming and pol-mil gaming. So there are ways of doing it.

We just have to not get stuck in the idea that there is but one type of game, and this one type fits all of the situations that we have or that we want.

The other fun one that I promised I would bring up because I. I was thinking about is to just talk a little bit about the link between the very first computer game and security. So the very first computer game out there, it was a thing called Space War. And in Space War, the object of it was to shoot down incoming missiles.

Joseph:

Yep. It was a little like it was with a little. I wrote the. Wrote the book or not wrote. I read. I didn't know. I wish I wrote the book. I did not. But I wrote.

I read the book a while back on the history of games, which was fascinating and it tells you the whole journey. But, yeah, absolutely. The first. The space war. Well, it was.

Peadar:

Did they mention where it was, where it was coded?

Joseph:

If I remember, it was MIT.

Peadar:

It was.

Joseph:

Or Berkeley.

Peadar:

It was a security studies group.

Joseph:

Okay.

Peadar:

And the reason why they had access to the computer to code it was that they were using the computer to look at missile flights for security studies. So they stole time on the machine.

Joseph:

Yeah.

Peadar:

To write a game. And this was. This is the first computer game that we have that we can trace back. So there is a fundamental desire to play.

There is a desire to play, a need to play. And the average gamer age is now about 36, 37.

Joseph:

Shocking. It is shocking that. That's because I think. I mean, my childhood was spent playing lots of games.

ing in the house had an Atari:

. I was like, I want an Atari:

Unfortunately, what arrived was an Atari 800ST XL, which is not a games console, it was a computer.

But it meant that I saw a funny post the other day of somebody saying, you know, that about all of the code they got in the magazines every month and you had to type that in a basic. And then you hope that when you compile, it actually worked, but half the time it didn't.

Then it was a correction in the month later saying, the code that we published last. Last month there was a mistake in line 200 and something. So for me, that's actually shocking that the average age is that old.

I guess the methodology is changing that people are just watching other people play games. Yeah, well, it's more of a consumption than it is of a participation.

Peadar:

The thing is that the window is shifting, so you have more older people now playing and playing regularly. You have people.

They started to introduce the Nintendo Wii into people care homes for the elderly homes because it encouraged them to do minor activity and action. Yeah, have, oddly enough, one of the most prominent places where Dungeons and Dragons is played in death row inmates, the United States.

Joseph:

That's unbelievable. Because Dungeons and Dragons, though, that's a very mentally, like, you know, kind of engagement.

Yeah, you have to storytelling and you have to be mentally there and you have to kind of really think, you know, about the entire kind of landscape.

Peadar:

But you can imagine how that would be incredibly useful if you were in prison. Suddenly you have a method of not being restrained. So gameplay.

One of the great books out there, or one of the great books that is constantly referenced but is a nightmare to read, so I'm not going to recommend it for reading, is Homo Ludens by Huizinga. And in that he argues that all of human society is predicated or based on playing games. He argues that our law system is a game.

Our religious systems are games that in fact the entirety. The reason why humans are humans is that we play games and we are. We appear to be the only species that codify games and deliberately play games.

Joseph:

That's interesting when you. When you think about your four kind of components. Components. Definitely applies to all of those. Applies to everything.

Peadar:

Well, well, my. My heretical question is how is learning not a game? And I have yet to find somebody to give me a good answer on that one. But to.

To go back to that one, there are things that are not games. Tying your shoelaces, not a game. However, it can become a game very easily. Tying your shoelace if you just.

Just tie it automatically as quickly as possible. It's not a game. If, however, I hand you two pairs of chopsticks and say you're not allowed to touch the shoelace. Now it's a game.

Joseph:

Once you make the complexity or you add some type of challenge.

Peadar:

Yeah, once you make it a little bit more difficult. In many regards, cybersecurity can be looked at in this way.

Are we deliberately solving the problem as quickly and efficiently as possible or are we deliberately exploring, Are we deliberately making it more difficult so that we increase the interest of the person who's engaged with it?

Joseph:

So, so what's, what's, what's the kind of future look like for this from your research and you know, the, the doctor you're doing. Where does the future look like we're going?

What would be the, in your mind, the ideal kind of scenario about how do we make sure that we apply the, the components to training? What, what's going to, where's the direction of path we're going?

Peadar:

Well, there are a couple of different paths. The first path, as I said, is the practice route and that's fairly well understood and fairly well sorted out and kept in order.

The second one is the one that we talked about a fair bit, which is the connections making the connections between the different either subject matter experts or the different stakeholders getting them to actually work together. An area that I think is primarily missing is small scale games that can be brought into a cyber training classroom.

Games that act as metaphors for the thing that is being done so that people can. The beautiful term from game design that has been adopted in game design, grokking.

When you grok something, don't just understand it, you understand it to a level that it has become part of who you are and part of your identity.

Joseph:

Okay.

Peadar:

And games are a really great way to get people to grok system systems to understand and internalize them. So we need more of those sort of small scale experiential games. The little cyber rats one that you have there is an example of this.

It's not designed to go in depth into anything.

It's just designed to familiarize the people with some terminology and get them to go and go over it and be able to go, yes, no, okay, hey, why does that work with that? Why does this work with this?

And then that's the point where we have made them receptive to the education and having those sort of small scale icebreakers or receptive builders are really important when it comes to the more large scale military and games like that. There is a nightmare with attempting to integrate cyber into a large scale military style training game.

And the nightmare is that it works on different timelines. So you have to. Ever since the 17, we've been able to just take a new weapon system and drop it into it and just go, okay, here's a new weapon system.

Here's the, here's the stat line on it. Here's the stat block.

Joseph:

Yep.

Peadar:

Okay. And go cyber.

Because it's a completely artificial domain with incredible changeability inside of it, makes it really, really difficult to drop directly into it. I wrote a small article 2, 3 years ago about why it's really difficult to do this, which is, I think it's a good read, but I'm a.

Joseph:

Little biased on that one.

Peadar:

So. Yeah, so there, there are areas to go to on here.

In terms of training, I would say that the most important thing for training audiences to realize is to get the management to realize that they, they need to do active training. Checkbox training is ineffective.

Joseph:

It's. Yeah, it's for me, absolutely. I mean, I remember I've had a couple of CISOs on in the past and they said, you know, the only way to get people.

It's, it's, it's a couple of, you know, used an example of going onto a soccer field or a football field. If you have not practiced, you will not be ready to participate and contribute to the team.

And even to the point, for me, I've been, you know, out of action with an injury for the past couple of months.

And for me, even in order for me to prepare my comeback, which is tomorrow, we'll see how that goes, I've had to go and do simulations of alternative training, running sprints, just to build up my stamina. Because if I think that tomorrow, if I go on the pitch and contribute to the same level I was before, it's not going to happen.

It's the same with tabletop exercises that you have to make sure in order to do it, you have to do it in such a frequency that it does become a habit.

You know, to your point, it does become part of your DNA, part of your yourself that becomes second nature, that, you know, becomes that muscle memory. And that's the.

You have to think about how often do you need to do it and is it the same thing that you do all the time or is it just augmented, you know, different perspectives at.

Peadar:

The exact same time?

You're not going to get that by, to take your analogy, I'm not going to get you trained up and ready to go back on the pitch by taking you into a classroom and getting you to answer a multi, multi, multiple Points, questions.

Joseph:

Correct.

Peadar:

There, There is a fundamental difference between declarative knowledge and procedural knowledge. And there is a fundamental difference even still from procedural knowledge to application declarative knowledge.

I'm able to, I can tell you exactly what you should do on a football pitch. I, I know the, the theory behind it very, very well. I even know some of the procedures of if this, then this, then this, then this.

But there's no way in hell I can play. I haven't, I have after a ball in 30 years.

Joseph:

So it'd be interesting.

One of the things, you know, to that, to that point, you know, we talk about what was the, you know, the, the Chinese whispers, you know, scenarios and all of those things about, you know, AI systems as well we can think about is that if we give them the rule book, can they come up with what the game would look like in real, in that type of, you know, kind of scenario, if you give them the rules, can they really visualize and see what it would look like in practice?

Because to your point, reading a documentation, I can go through a document, I can understand how things are done procedural wise there, but it doesn't mean when I actually get into the application itself, I'm actually going to know exactly what to do.

I know roughly kind of where things are, but I'm not going to be effective right away until I go through and do some practice workflows that simulate the things I've been learning in the documentation. Similar to football. I can read the rule book and I can know what an offside is, the drill.

I know what a penalty is, I know what a goal kick is, all of those rules. I know when yellow cards, red cards, roughly. That's not a true science. It's always up for debate in an interpretation.

But I can read the rulebook and understand about what it is. But until you actually get into the real gameplay itself, then you're not going to know how those interact with each other.

It's the interactions that you do not get in documentation or other rules.

Peadar:

In game design terms, it's called the dynamics. So you can know how all the mechanics work, but the dynamics are emergent. They tend to come out of new and interesting situations.

And these new and interesting situations only come about when you are managing to get people to play, get people to engage. The other great advantage of games is that they offer a space in which normal failure is reduced. The cost of normal failure is reduced.

I don't feel bad if I lose all my money in Monopoly. I would feel pretty bad if I lost all my money in the stock market.

Joseph:

Yes.

Peadar:

Okay.

Joseph:

Very similar approaches to the rules.

Peadar:

Yeah, similar rules, but there's a lower cost associated with them. And when there's a lower cost associated with them, people have a tendency to respond more creatively.

Honestly, I think one of the problems or one of the potential problems that can happen with Capture the Flag exercises is when players get too focused on achieving the goal rather than can you achieve it in a weird and wacky way.

Joseph:

That's one of my favorite things during Capture the Flags is that my purpose of capture the flag is not to get the flag, it's the journey to getting the flag.

Peadar:

Yes.

Joseph:

And what I look at is that during that journey, what did I learn? What did I learn?

Peadar:

Yes.

Joseph:

What was the interactions I had along the way, what was new?

And then what I tried to do is I remember doing my introduction to gamification a couple of months ago, and as I was going through that process, somebody asked, asked the question in the audience was like, can you do it this way? I was like, actually, I never thought of that, but I'm interested now in seeing if it's even possible.

So now I go back and I've been trying to see, can I do it in different methods than what was the intention or the way that I've been taught. I want to see if there's ways that you can do that has never been thought of.

Peadar:

Find the ways to break it.

Joseph:

Yes. The jailbreaking is. And that's the true nature of hackers in general, is that's the mindset.

Peadar:

You want to poke the system. You want to poke the system and figure out how it works and why it works that way. And wait a second, what would happen if I kicked it this way?

Joseph:

Which is always fun. The friend of mine, Sickcodes, he was the one that got Doom to play basically on a John Deere tractor just to see if it's even possible.

Because it's got the same processors and the same computational capability. Is it even possible?

Peadar:

Yes. My other favorite one is the person who managed to tweet via their Samsung smartphone. An interesting area of study is Bartle's player typologies.

And this, if you're doing gamification, this is something or game design for training. This is something that you should take a look at, really.

It's designed for multiplayer games, but even then it's been widely applied and Bartle would probably say misapplied to every game out there. But the idea of it is, is that there are different ways that people find enjoyment in games. And we find a pattern of four distinct types.

So we find our achievers. The people who want to get the goal, collect the points, get everything they complete 100% of the game and everything like that.

You have your explorers who aren't necessarily interested in the points but they're interested in how does the system work. Yes, how do they know everything and every route through the game possible. Then you have your socializers.

And your socializers aren't actually there to play the game. They're there to hang out with their friends. They're here to have a little bit of the crack and a little bit of the joy. Sorry.

For any American audiences for the international.

Joseph:

Fun crack means fun.

Peadar:

Yeah.

Joseph:

Okay.

Peadar:

Just for the American audiences there for a second. So a little bit of the fun and everything like that. They're there for the social aspects of it. And then we have the killers.

And the killers are interested in winning but they're more interested in not so much them winning as somebody else losing, losing, beating somebody else. So hyper competitive, goal orientated but goal orientated to beat someone.

And the problem, the thing is that we find all of these behavior patterns in a classroom. We find all of these people in the classroom.

But almost all of the training out there, almost all of the method of designing courses and gamified systems only speak to the achievers. They tend to be over designed for. And we leave all of the others to the side and we tend to devalue the explorers and the socializers.

Whereas actually in a business the explorers are the people who know the system so backwards and forwards that there's nothing that can happen that is going to shock them. And the socializers know exactly which explorer point you to to solve the problem.

Joseph:

They make the connections.

Peadar:

They make the connections between the people, the hard skills. The hard skills that are. I'm not going to devalue them or anything like that. They're really important especially in security.

Are easy enough to train.

But the soft skills we need to give spaces and areas to train the soft skills and to get the technical people familiar with the soft skills to be able to communicate throughout the entire.

Joseph:

Organization as a whole to explain it so that everyone understands not just themselves. How do you save the day? What's the things? What game do you play? What's, what's your go to game?

Peadar:

One of the classic problems with studying games is you never get enough time to actually play them. But in games that I play I have tended to move from digital games to more board games. Hence the stuff behind me but digital games.

The most recent one that I've been playing a lot of was Space Marine 2 because I'm a huge Warhammer nerd. The other one that I played quite a lot of was Sniper Elite because I enjoy the T, the sneaking and the stealthy. Stealthy planning element to it.

I'm not very good at first person shooters, but. Yeah, well.

But in terms of games that I play most regularly, I have a weekly session of Dungeons and Dragons that I run for my partner and her friends. Also I. Unfortunately my partner is better. I'm better at understanding games and knowing how them. And my partner kicks my ass every single time.

Joseph:

I know that.

Peadar:

Yeah. So I understand exactly how the system works and where the system. And she just seems to grok them really quickly and easily and just kicks my ass.

So I got her a copy of Azul if you ever get a chance. Azul is a beautiful game for I'd say to 60 year old players because it's just tile matching. But it is just a beautiful, lovely game.

Joseph:

Yeah, we played, we played the color game recently. That's the Anton cues and clues, which is the color. Like you've got the whole aspect of color and you have to try and then determine by explaining.

Explaining something what color it is. It's a fun, it's a fun game to do.

It's more of the social type of game that it is that there's, you know, there is an element of scoring and progress, but it's more of kind of how to explain colors. Yeah, in a way.

Peadar:

Concept is another beautiful game like that. Pandemic, this one here, is a really great game because it's cooperative.

design starting in the early:

You have games with the Traitor Traitor mechanic games which are beautiful models if you're ever looking to get somebody to understand insider attacks. They're absolutely fabulous there.

Joseph:

Yeah, there's a couple of even. Even messing the games up is always fun. We used to play the ones where, you know, you have a progress and all of a sudden something changes the game.

You either had to change cards to the person left or right or that the purpose of the game is actually to lose. Fluxx is one of my Fluxx.

Peadar:

I love the concept of Fluxx. I absolutely hate playing it because I'm like, now the rules are.

Joseph:

Everything has changed. The rules, which is it. It's a very creative method. So it is one of the things for the audience, definitely.

If they're interested in learning more, what would you point them to? Let's say what type of resource.

If they want to learn more about game dynamics and other concepts, what would you recommend for the audience to go and find them?

Peadar:

The most approachable one for game dynamics. Where I started was Jane McGonigal's book Reality Is Broken.

Joseph:

Okay.

Peadar:

And that's a good primer and a good. It's a lovely argument piece that games have the potential to actually change the world and make it better.

And it's a beautiful antidote to the traditional narratives that we hear of. Games are addictive. Games are addictive. Games are addictive. Well, yes, but how can we leverage that to do make the world better?

Joseph:

How can we make us better people from.

Peadar:

In terms of game design, there are some beautiful books out there I recommend to my students because I do teach game design and gamification. One of the books I recommend to my students is A Play Centric Approach to Game Design by Tracy Fullerton.

When it comes to cyber security games specifically there is the Cyber Security War Game Handbook, Cyber Wargaming Handbook, which is interesting but I have chatted with the authors and muttered that a couple of the things that they talk about are they a couple of misinterpretations of some of the things they might mind. But it will give you a primer of how wargaming training happens. Let's see if you're looking for just what board games and things to do.

Board Game Geek is a wonderful resource and the other thing is everybody should have my name at this. Take a look at the things that I've published.

I've published several articles on game design and different uses of game design for a range of security studies. These were not just cybersecurity.

Joseph:

I'll make sure that we add them to the show notes as well so that people can easily find them. So wonderful. And if the audience really want to reach out and connect with you, what's the best way? What's the best place to do that?

Peadar:

Via email is the best way to do to get a hold of me either email or LinkedIn and I'm more than happy to sit and talk about games and security studies and everything like that for hours upon hours upon hours.

Joseph:

But maybe we do an episode on actually doing a game.

Peadar:

Sure, that would be. That would be a fun one to do.

Joseph:

I'll Bring some of my, my peers in as well. We can actually have a, like a proper live podcast game itself.

Peadar:

Well, this is, this isn't a thing. I mean, one of the models that I use is playing Jenga to get people to understand the CIA triad.

Joseph:

Yes.

Peadar:

So the thing is that the tower itself represents availability, but you want to keep pushing the availability more and more and more and unfortunately as you do that, you end up compromises into the system every time you're trying to push up availability. So again.

Or I could start talking about Rock Paper Ransomware, which is just a very simple game, but it asks the question of why are we assuming that ransomware attacks are symmetric? Because they're not. But from a defender's perspective, they appear symmetric.

From the attacker's perspective, being symmetrical is a way to waste time and resources.

Joseph:

So yeah, having those screens, we'll figure out another, another episode that we can go through and do the live, maybe even make it a live show when we do it. Gaming lives.

Peadar:

Sure.

Joseph:

So it's fantastic having you on the show and really enjoy it. And for me, I've definitely got now a new list of books that I need to go and read, which is always after every episode. My to do reading list gets.

Goes bigger, but definitely going to take the time to have that as the.

Peadar:

Reality reality is broken.

Joseph:

Is broken broken. So I'm going to make sure that that's on my, my summer read of what I kind of I will complete over the summer.

So it's fantastic having you on and really looking forward to catching up with you again soon. And for the audience, make sure that if you're interested more, I'm going to put all of the links and all of the details in the show notes.

Go look at the show notes for any of the links and the references and the books and also how to contact Peadar as well. So thank you for being on the show. For everyone, stay tuned for the Security by Default podcast.

Really here to bring ideas and also make security is not just for the few, but for everybody. Security shouldn't be just by design, it should also be by default. And that's what this podcast is all about.

To make sure that everybody gets the benefit of having security and tune in, subscribe, share with your friends, share with your peers and look forward to chatting with you all again in the near future. Thank you and stay safe and take care. Thank you.
