EDUCAUSE

HuskyHunt: Gamifying Security Awareness for Students

Good morning, everybody. Good morning, everybody, who is virtually attending. My name is Jason Pufahl; I'm the CISO for the University of Connecticut. As I go through this -- I've done this presentation a few times. We've been doing this program for the better part of two years now.

So if you've got questions as we progress, feel free to raise your hand. I'm happy to engage in more of a dialog than just talk for an hour; so feel free. I'll set the stage of why we started this. About two years ago, the University Foundation approached me and said that they had about $5,000 in a fund that was donated with the express purpose of training students in some fashion as it relates to information security.

So I had a funding source to kick this off and a really specific directive. I sat down with a few people, Student Affairs primarily, and started brainstorming about what we may want to do. And it was pretty quick for us all to decide that we didn't want to just send out e-mail and do a couple of videos and some of the things that I think we've traditionally done with fairly mixed success.

So we said, "In what way do the students engage most regularly?" And social media certainly seemed to be the most obvious.

So what we decided was we would try to build something that at least took advantage of that and leverage social media to get our message out more effectively. But at the same time, we wanted that to be meaningful. We wanted this experience to be as interactive as possible. If we were going to put the effort into it, we wanted it to be something that we could repeat.

So to this point, we have done it three times in total. We've done it a variety of times, and we're trying to actually try different ways to see which is the most successful. And I'll go through that as I work through the presentation. I think one of the things that does make this unique is that it's fairly innovative. We're trying to educate people through an online game that can actually assess, to a degree, what they've learned; leverage social media to get the word out into a broader audience; but then also bring this into the physical space and have the students engage in an actual scavenger hunt. The game is primarily held online. We have not developed a mobile app, but it's mobile friendly.

So any device works fairly well with it. And we have a variety of what we call incentives. We weren't officially allowed to call them prizes for whatever reason, so we've got a variety of incentives that we have. First, the grand incentive or the first prize is a $500 gift certificate to the UConn Co-op; typically our thought would be to use it for books with some hope. Then there is a second and third place and then a variety of other giveaways throughout the contest. That's just a look at the front page of the website. It has improved over time. We've engaged a group on campus; we've got a Digital Media program on campus.

So we've actually engaged the students in that program to help us with some of the marketing, some of the website design. I'm hopeful that in the upcoming semester, they'll be more heavily involved as it relates to the game design itself. I think the game, while it works fairly well, has a few flaws that I think we need to work out. And I'll speak to those as we go through it. This is an overview on what the game looks like in really simple steps. You want to picture the game itself essentially as two stages. There is the initial question and answer piece that's done online. We send out a message to all the students who have actually enrolled. We've got all that information because we leverage our university NetID for access.

So we've got the people who play. We send out e-mail; if they actually provide us their social media identifier, we'll communicate with them through that as well. But typically, that's probably 50/50. Not everybody wants to do that right out of the gates. We'll send them information that that week's question has started or that day's question has started. Give them an opportunity to read through it, do the question and answer, and then they'll have an opportunity to essentially post or tweet or whatever to Facebook or Twitter a pre-canned message that we'll set up.

So if the module that week is related to password management, after they complete their initial question and answer, they'll be presented with a dialog box that will say, "Please create strong passwords." That will get posted out. And ideally, our hope here is that those people who aren't playing the game actually have an opportunity to see some basic security-awareness messages. Once they get that, they'll be presented essentially with the second stage of that module, which is the scavenger portion -- an actual on-campus scavenger hunt. And the hope there -- and quite honestly, I don't think it's truly materialized this way -- but the hope is that we'll have hordes of kids running around looking for things creatively placed on campus. "Hordes" might be a little bit aggressive; I think we have a couple of people strolling about looking for things. But I certainly wouldn't say our engagement has been that significant yet. And then they find the location that we ask them to go to. They'll then locate whatever the poster is -- we put a poster everywhere. They can use a QR code to either scan in to verify that they've been there, or they can actually type in the message there. And again, another opportunity for them to tweet or post to Facebook what the security message will be.

So that's the high-level concept of the game. You'll see at the bottom there we've got a variety of vendors. What we've done is partnered now with some of the local businesses to draw them in, and I'll speak to why we've done that and how that has gone over time. That's just a picture of somebody standing in front of, I think, Husky Pizza if I recall, having found the poster and preparing to scan it in. To date, we've covered topics generally around this. We just ran another week's version of the game in April; I think it was April 14th that it started. We've actually added a couple here. But the focus for us really specifically was identify topics that were relevant and useful to students in their everyday lives.

So it wasn't about me as the CISO trying to find things that I felt the University would be beneficial in teaching. I really wanted to make this as practical as I could for the students.

So a lot of it really is behavior as it relates to social media -- what to post, what not to post. The understanding that when you take pictures and you put them up there, that gives you location-based information; how to do some basic password management; how to understand how to interact with the financial websites that they may or may not be going to; how to identify phishing -- things that are relevant in everyday life. The feedback has been pretty good, I would say, so far. Honestly, the criticism that we've had has been that our questions probably typically have been too easy.

So we really went down the road initially of a True and False style of question and answer. I think the questions were just too easy. And we've got designs on making them more complicated, but we really wanted to go through a couple of iterations of this to see what our engagement would be and get a sense. But it was really interesting when people were saying that they wanted the game to be more challenging. And I think what it was is your top people really want a way to differentiate themselves from the people that they're actually competing with, rather than make this as easy as we have done so far.

So that's really going to be a key for us going forward is trying to make this game more challenging, make the locations that they need to find probably more challenging if possible; and go from there. And the reason I put this up here is every time I've spoken about this is one of the questions we do get is, "What are you training people on, and how did you identify what the questions were?" We reached out to students for a lot of these.

So we've got a fairly significant student staff for just student-based technical support. We've got a Student Affairs-run organization. I think they've got almost 130 students who work for them who specifically do technical support.

So they're the ones who are engaged with students every day. They're the ones who have a sense for where their challenges are.

So we really reached out to them. Certainly we guided them; there are some things that I specifically wanted to include. But the reality is a lot of this was generated specifically from student engagement. This is really a framework. The application itself allows us to embed essentially whatever content we want in it.

So we've developed some of our own videos that we've created. I think we have maybe four or five videos that we've created in-house that are very specific and relevant to the content that we want to train on, that references and leverages the UConn and the store's location so that it drives it home that we've actually done it. We've certainly leveraged content that we found online. There is tons of stuff out there. Some of it is fun and engaging; some of it is dry and boring. We've leveraged both. But it's a really good framework for us to be able to embed information and actually distribute that. I think I took the slide out, so I'm going to go back up one more. One of the things that actually was handy for this was there was a Zero Day Internet Explorer issue at one point. And we were running the game while that was going on, and we actually leveraged that as an opportunity for at least those individuals who were playing it to basically have a question and answer around Zero Day and some things specific to that actual vulnerability.

So wherever we can, we leverage this as an opportunity to get even additional information out. And that has actually worked fairly well a couple of different times. Another nice thing that we did -- and I don't believe I have it up here anymore -- VPC -- oh, yeah, up top there. We've got a pretty large deployment -- VDI, Virtual Desktop deployment -- for students to use so they have access to course-specific software. And as that organization -- there are a half dozen people, and they're responsible for delivering that service -- they leveraged HuskyHunt to actually get more access to students so they could actually distribute their message out as well, with some basic Q&A about how do you interact with it, how do you download the client to install it.

So as much as this is a security framework, as we've gone through the last couple of years, we've had people ask us to use our medium as a way to deliver their message. And quite honestly, I'm perfectly happy to do that. If I can increase engagement, and if I can increase people's interest in this game, then I have a better opportunity to deliver my message ultimately anyway.

So it's completely worthwhile. I talk fairly quickly sometimes, so does anybody have any questions so far? We've also partnered with the ATION group, which is that digital media group on campus. I think there are about 50 students in that program right now. And as you would expect, 10 of them are incredibly engaged and 40 of them aren't so much. But the reality is it's ten people who are actually looking to try and improve upon the design that we've created to date.

So it's really been great for us. Where I think the Security Office fell short the first year was really in the scavenger hunt portion. It's a lot of work to manage. It takes a fair amount of time to walk around to put your posters up, to create the locations that you want, and then all the associated clues to get people there. And I think what we found was that it didn't really aid that much in delivering our message. Quite honestly, my original thought was, "This is going to be the coolest part of the game. Everybody is going to want to run around and do the scavenger hunt. They'll go out Thursday night before they go out drinking, and they're going to want to do this scavenger hunt and it's going to be great." And they didn't. And we also -- which you don't expect -- we had a hurricane on one of them which promptly blew all of our posters off of everywhere we put them.

So students would walk around and they'd find a poster on the ground and scan it there. And they'd find one somewhere else on campus and scan it there. And the people who didn't find it were all angry because they didn't get their points.

So you kind of realize that was more work than I think we had initially anticipated. But the great news was after we ran this the first year, our Husky One Card Office approached us and said, "We're really trying to drive people out to the businesses that accept the Husky Bucks Program. They've got their student ID, they're going to essentially add money to it, and they can go buy pizza and things like that."

So they said, "Can we be the people who actually leverage your scavenger hunt portion and drive people out?"

So they now manage that fully.

So all I'm responsible for at this point really is the security content for that first part of the program. They deal with all of the vendor relationships. They deal with identifying who actually wants to participate. They'll manage, whenever possible, to get the posters out there. We certainly work with them if they need help. But typically, once they arrive at the location, we'll still have the security message. But largely, that part of the program really is designed to teach students what's available to them both on campus and off campus; where they can use some of the features of the card; what the card does. That's really been helpful to us for two reasons. The first is it took that second half of the game -- it allowed us to keep doing the scavenger hunt, but it also took the burden off of us. And they were actually looking to do essentially a scavenger hunt style program. There's an app that allows you to do some scavenger hunt stuff.