What if we turned cybersecurity into a game?

Terna has developed a videogame to raise awareness among its staff about new and emerging cyber threats. To mark European Cybersecurity Month, we caught up with the team that came up with the idea.

How do you leave Terna’s offices? By thwarting threats to the company's cybersecurity! This isn’t some secret code, but the plot of Terna's new gamification experiment. Terna Cyber Palace is a new tool created for the employees of the Italian Grid Operator to raise awareness about threats to cybersecurity. It is effectively a virtual escape room centred on cybercrime, and has been developed as part of the Open Italy project (the innovation ecosystem set up within the ELIS Consortium) by Terna’s Cyber Security & Security Platforms and Innovation departments, in collaboration with an Italian start-up.

The initiative coincides with European Cybersecurity Month, established by ENISA (the European Union Agency for Cybersecurity) and dedicated to promoting IT security among citizens and organisations. This represents yet another opportunity to highlight the cybersecurity best practices explored continuously as part of Terna's “Digital Antibodies” training programme. To learn more about this new gamification project, we spoke to two members of the team that conjured up the game, Luca Tinaburri and Valentina Matturro.

Third floor: "Ok, let's get started. The countdown has begun. Click on the control panel to enter the floor"

What inspired the project?

«The initiative was created as part of the Cybersecurity Awareness programme aimed at promoting a culture of IT security within the company. As an organisation - comprising our personnel, processes and actions - we have established a specific department responsible for preparing, training, alerting, raising awareness - effectively informing our resources about IT security, or rather the risks associated with the use of IT devices. In fact, the misuse of these kinds of devices can lead to problems that impact the operation of the entire company, threatening its operational continuity. We began to develop this programme in 2021, highlighting how we needed to integrate a gamification-style system into our tool kit. The term “gamification” means using typical game-playing elements, particularly those associated with videogames (points, levels, awards, virtual assets, rankings) to engage users in a certain area of activity. Terna came up with this solution after a meeting with a start-up within the Open Italy system. A working group was set up to design and develop a prototype in 12 weeks, which was then tested and assessed».

"Click on your selected Avatar", a screenshot of Terna Cyber Palace (photo by Terna)

How was the gameplay developed?

«We began with the idea of creating an escape room because it represented an established form of gameplay used in other fields. We've all heard of escape rooms as a form of entertainment. Next, we began to focus on certain specific aspects of cybersecurity. For example, the main threats include ransomware (one of the topics of European Cybersecurity Month), a type of malicious software that attacks an organisation by encrypting its data, which is mainly transmitted via email. This is the topic we decided to focus on in our videogame storytelling, along with online fraud, transferring them into a context that reflects the company. Which departments are more susceptible to ransomware? Technically all of them, but in a context like the one in which Terna operates, the most vulnerable departments may be those focused more on the operating side of things that handle aspects of our core business. Likewise, the topic of commercial fraud is most relevant to the procurement department, which receives thousands of emails from external sources and consequently could present quite an obvious victim».

And how is this mechanism translated into the gameplay?

«Like in all escape rooms, the aim of Terna Cyber Palace is to escape from the palace in as short a time as possible, taking it in turns to play on the red team, to use computer jargon, which makes the attack, and the blue team, which studies and uses all of the possible moves to defend against the attacks. The game is played in teams but gameplay is asynchronous: the game can be accessed at any time and there is no need for players of the same team to all play at the same time. This means everyone can contribute to the team at any moment».

Unlock the door: "If the phishing attacks target the CEO, CFO or another senior manager, this is known as..."

How does Terna Cyber Palace work?

«The aim is, quite simply, to escape. We’ve designed the Terna palace, which represents our head offices, across three floors: the players enter the game on the third floor and must work their way down to the ground floor to escape. Users can represent both the defending team (blue team) and the attacking team (red team), so each floor is played out as both teams. The difficulty level doesn't increase; instead, the different levels (or floors) focus on different aspects of cybersecurity. In the game, players enter different rooms which represent Terna’s offices, and each door must be unlocked by answering a question about cybersecurity. For example: “What is phishing?” Once the players enter the room the game begins in earnest, with different scenarios depending on which team they're on. A virtual colleague describes the scenario and the user must play using their cards: these can be intelligence cards or defence/attack cards, depending on the role being played at that moment».

Your cards: play this card to prepare an attack and increase its effectiveness. Before playing a CYBER-ATTACK card, you must have played two INTELLIGENCE cards

Let's step away from the palace rooms for a minute: based on your experience how are gamification and cybersecurity linked?

«Gamification is a new but very popular approach that enables businesses to introduce colleagues to new information and training in a lighter way. Users are playing a game, but in fact they are learning. The whole concept of training is changing and in this sense it's the perfect example of how innovative methods can be more effective than traditional ones. And when it comes to cybersecurity it's even more useful, because full-immersion approaches are less important than continuous training: we need to stay “on alert” and so our colleagues need to receive constant input. This is what the Terna programme does».

"Explore the floor using the white arrows. Not sure what to do? Take a break in the staff room"

What is the digital antibody programme and what other initiatives are being implemented throughout the year?

«The programme is based on a series of tools that we use to raise awareness. These include the various notifications posted on our Intranet, such as the alerts about malicious campaigns that are circulating and targeting end users. We've also introduced a training platform to provide continuous input, consisting of bitesize monthly content sent to users that covers a different topic each month: there are 36 topics in total, covered in short 4-5 minute training videos and followed by a questionnaire. As well as the training modules, there is also a section with monthly training capsules in the form of a TV series, with each episode reconstructing a typical cybersecurity incident, often based on real-life events. Each month we publish an internal cybersecurity bulletin with an informal, non-technical tone, which includes more information and interviews».

If you had to summarise the essence of this campaign in one sentence, what would it be?

«Cybersecurity is no longer a topic just for experts. We all need to be more aware of the internet and ready to adopt a correct approach in the use of IT devices. This is one of the most important priorities for companies like Terna. These days it's essential to stay informed to protect not only the organisation but, above all, our own personal domain».