CyberCIEGE: An Interactive Tool for Information Assurance Training and

Education

Presented to FISSEA22-23 March 2005, North Bethesda, MD

Dr. Cynthia IrvineNaval Postgraduate School

22-23 March 2005 2

CyberCIEGE Team

• Naval Postgraduate School– Cynthia Irvine– Michael Thompson– Albert Wong– Matthew Rose– Naomi Falby– Students

• Klaus Fielk• Ken Johns• Rob Lamore• Justin Lamoire• Marc Meyer• Tait Leng Teo

• Rivermind– Ken Allen– Bill Chinn– Scott Gallardo– Brian Morgan

• Sponsors– US Navy

• NETC• ONR

– OSD

22-23 March 2005 3

CyberCIEGE Solution

• Teaching tool that engages the imagination• Virtual world shows consequences of security choices• Student responsible for organization IT

– Keep organization virtual users happy• Purchase hardware and software components• Design networks• Configure components• Manage IT staff• Ensure physical security• Require background checks for certain information access• Provide IA training• Ensure that security does not get in the way of productivity

– Protect organization information assets from cyber threats

• Greater asset value greater attacker motivation

22-23 March 2005 4

Motivation

• Information Assurance is implicit in everyone’s job– Personnel need to understand their important role in

IA– Administrators must know security impact of choices– Managers must understand how IT infrastructure can

support (or detract) from security policy enforcement– Certifiers must appreciate big-picture security

• Problem: – Training and Awareness can be boring– Good security practice is not “automatic”

• Should be like washing hands and using seat belts

– Many security measures combine for overall security• Complexity is hard to convey and hard to internalize

22-23 March 2005 5

Elements of CyberCIEGE

• Simulation Engine– All security policies & wide variety of security

mechanisms– Graphics easily added

• Scenario Definition Language– Describes how Simulation Engine runs– Rich semantics– Triggers for “plot twists” and to log student

progress• Scenario Definition Tool

– Supports scenario creation using a GUI• Encyclopedia

– How to use the game, security facts, why you lost• Movies

– Supplements encyclopedia

22-23 March 2005 6

Scenario Definition Tool

22-23 March 2005 7

CyberCIEGE Use

• Student presented with objectives• Scenario includes

– Physical setting– Virtual users, each with work goals

• Also have happiness factors– Enterprise assets, each with two values

• Value to enterprise• Value to attackers

• Student must meet objective– Secure physical environment– Keep users happy and productive– Apply enough security to keep attackers away

• But do not interfer with user productivity!• Complex scenarios may have phases• Logs record student success or failure

22-23 March 2005 8

CyberCIEGE Screen

22-23 March 2005 9

Example: DoD Directive 8570.1

• Create Scenario(s) to depict your organization– Can be run in stages– Emphasize security policy and procedures key for

your organization– Logs show student progress and success– Scenarios for different user populations

• Awareness for typical users• Training for key personnel

– CyberCIEGE does not replace specific HW/SW training

• Education, Training and Awareness– Supplement existing classes– Create new scenarios for classes

• Example: Certifier Case Study Scenarios

22-23 March 2005 10

Meeting Mandates for IA ETA

• Mandates for IA Education, Training & Awareness• More ETA requirements• Resources for achieving goals limited• How can you ensure that

– All personnel have annual IA awareness training?– Personnel put training into daily practice?– Make system administrators &certifiers aware of

complex issues?• Interdependencies• Impact on organizational productivity

• CyberCIEGE is fun– Contains hooks for student assessment– Can be tailored to your organization

22-23 March 2005 11

CyberCIEGE Opportunities

• Tailor CyberCIEGE for your organization– Example: Medical/Health

• Create artwork for clinic or hospital• Develop scenarios for HIPPA and health-specific topics

• Develop tools for automated student assessment• Develop tools for progressive scenarios• CyberCIEGE website for sharing• Advanced versions of CyberCIEGE

– Wireless• Mobile ad hoc presents changing topology and

devices– Multiplayer

• Students attack others and defend their organization• Want something big? Combine forces!

NPS and Rivermind Seeking Partners

22-23 March 2005 12

More Information

• Available to US Government at no cost – Sim. Engine, Current Scenarios, SDT, Encyclopedia,

Movies• Non-government availability

– Contact Rivermind for a pre-release license– First Rivermind commercial release: April 2005

• CyberCIEGE Websitehttp://cisr.nps.navy.mil/cyberciege.html

• CyberCIEGE Emailcyberciege@nps.edu

• Naval Postgraduate School– Cynthia Irvine

irvine@nps.edu

• Rivermind, Inc– Ken Allen

kallen@rivermind.com