"Let's play a game." The year was 1983, I was a freshman computer science
student, and the movie War Games felt like professional literature: we
just had to see this movie about the hacking of the Pentagon's computer that
powers US nuclear bombs.
<spoiler alert>
In the film, a young hacker avant la lettre manages to make contact
with that Pentagon computer via his modem (you had to push in the telephone
handset at the time) – not deliberately, but simply by having his modem dial
random numbers. Without wanting to, he is about to unleash a nuclear war,
partly because the computer follows its pre-programmed path. The hacker
frantically searches for a way to stop the computer. In the end a game of
tic-tac-toe saves the day: the computer realizes that you cannot win that game,
just like a nuclear war. A happy ending in the nick of time.
</spoiler alert>
A simple game was suitable for teaching a computer something. It is also well
known that people learn well through play. It will therefore come as no
surprise that games are also used to teach people about information security.
We had such a game developed back in the early 1990s. It was on a 3.5 inch
floppy disk and came in a CD case – that was very hip at the time. You let a character
walk through a building to expose all kinds of abuses there. I remember that when
you clicked on the trash can, there turned out to be a carelessly discarded
confidential document in it. The game was entertaining, graphic (albeit 2D) but
above all educational.
Nowadays we also have a game to boost our employees' security awareness: the Online
Security Awareness Game (OSAG). Now, I haven't been a gamer for a long time, but one
thing you can't ignore: this is not a game. You have to drag cards containing
statements or facts to the right place on the screen. You will then receive the
status of National Protector. Those are the only playful elements. So, dear
creators, please change the name to Online Security Awareness Program (OSAP) or
something like that. Well, I had to get that out.
Apart from that, I hear quite positive things about OSAG. That may have to do with
the phasing of it: first we had level bronze and a while later silver. The
appearance of silver was a trigger to pay attention to your information
security awareness again. You were prompted to go through a pile of questions
again and test how well you are informed. Each level is also divided into a
number of steps, so that you can consume the material presented to you prior to
a set of questions in pleasant portions.
In level bronze you learn, for example, about the confidentiality of data, the
GDPR, data leaks and information security incidents. Phishing, password hygiene
and physical security are also discussed. Level silver completes the basic
knowledge with topics such as incident reporting, specific GDPR topics and
two-factor authentication. This includes questions such as: what does
'processing' data mean (update/save/send/delete/everything), is the
example shown phishing or legitimate mail, is it bad if someone on the train
can read public information from your laptop screen?
The designations 'bronze' and 'silver' suggest that there could also be a gold
level. And yes, dear colleague: if you are reading this on a Friday, then you
will have to do something else for the weekend. If you read this after the weekend,
you can - if all goes well - get started with level gold right away! This
includes access rights, physical security and the GDPR (you can see how important
privacy is to us!).
Don't you work for us? Well, your organization probably also pays attention to
information security in one way or another. Look for it or ask for it.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
- Dutch civil servants are now also no longer allowed to use TikTok on their work phone. [DUTCH]
- Banning TikTok won't solve the problem.
- Trackers can be used to stalk someone.
- A Stanford University ChatGPT clone has been taken offline because it was hallucinating.
- The British NCSC blogged about ChatGPT.
- Artificial intelligence also generates disinformation.
- The Windows snipping tool saves the cut pieces. [DUTCH]
- DigiD loses its monopoly with the introduction of the Digital Government Act. [DUTCH]
- ENISA expects ransomware attacks on the transport sector.
- A committee will test the algorithms used at the Ministry of Finance and its agencies for privacy and ethics. [DUTCH]
- The Chinese Navy interferes with passenger aircraft communications and navigation systems.
- This (American) article advocates restraint in collecting data for monitoring purposes.