Game Analysis

  1. Title of the Game: CyberCIEGE

  2. Game Developer/Studio: Center for Information Systems Security Studies and Research (CISR) at NPS, and Rivermind, Inc., of San Mateo, CA.

  3. Game Genre: Simulations

  4. Audience:
    • Cyber Security Professionals: The game is intended to teach information assurance concepts to students within information assurance or computer science curriculum.
    • General Computer Users: The game also includes a number of “training and awareness” scenarios that are targeted toward general computer users.
    • The game is being used in universities, community colleges, high schools and a variety of government and DoD training environments.
  5. Learning Objectives and Standards Addressed:
    • Introduction to Information Assurance and Security Policies
    • Identification and Authentication
    • Access Control and Malicious Software
    • Basic Network Security
    • System Assurance, certification, and accreditation
    • Applied Cryptography
    • Public Key Infrastructure and Identify Management
  6. Context:
    • The game was released in 2004.
    • It was originally used as a training tool by agencies of the U.S. government, universities, and community colleges.
    • It is available on the Windows platform.
  7. Goals and Rules of the Game:
    • The rules of CyberCIEGE are basic:
      • Actions cost money, and good results yield more money/profit.
    • The principal of CyberCIEGE include:
      • Balance the minimization of risk to the enterprise while allowing users to accomplish their goals.
        • Ensure users have the tools they need to do their job.
        • Ensure risks to the enterprise are minimal.
      • Maintain the bottom-line; do not spend too much money while trying to make things secure.
  8. Storyline/Narrative:
    • The player assumes the role of an Information Security Decision Maker of a corporation, military command, or a secret headquarters.
  9. Number of Players & Player Interaction:
    • Single player.
    • There is no option for multiplayer.
  10. Spaces or Environments:
    • Spaces include a small corporation, government, and secret hideout.
    • The player is placed into new spaces as the challenges increase in complexity.
  11. Core Mechanics:
    • The main verbs in the game are click, select, evaluate, and buy.
    • These actions allow the players to adapt to employees, equipment, and configurations to the changes in the environment.
At the start of the scenario, check your objectives. Remaining objectives will be listed. Buy equipment needed by your employees. Hook the computers up to the network. The network configuration looks complicated to a novice. However, it's really just teaching the concepts of LAN vs. WAN.
Can you keep the network alive?
  1. Description of Gameplay:
    • CyberCIEGE has artificial intelligence that assesses the devices and configurations that are in place.
    • Based on the analysis, the malicious entity’s attack vector is chosen and you must adapt.
    • Attack vectors also include malicious software, vulnerability exploitation, physical security weaknesses, and internal leaks such as bribed employees with weak background checks and espionage. - The game engine notifies the player of changes to the environment via a defined set of conditions and resultant triggers. - Players are given immediate feedback to their actions through a variety of mechanisms (e.g., bubble speech from characters, screen tickers, pop-up messages, etc.).
  2. Audiovisuals:
    • The graphics and audio are very rudimentary, but that’s a given considering the release date of the game.
    • The interface is a bit clunky by today’s standards.
  3. Progression & Levels:
    • The game forces players to play the scenarios in order. More difficult scenarios are not unlocked until easier ones are completed successfully.
    • New scenarios introduce new concepts and new needs for protecting the enterprise. This adds to the complexity of the environment and requires more time to evaluate.
    • Pop-up messages guide the player to the next actions that are needed to complete the objectives.
  4. Academic Content:
    • The game provides a tutorial for new content so that self-discovery is not required. However, recalling previously introduced concepts is required; the player is not guided during every step of every objective.
  5. Cognitive Processes Required:
    • The player prepares the environment for work.
    • The player must consider security concerns while prioritizing risk and productivity.
    • The player must evaluate possible solutions and consider budget restraints.
    • The player must plan and develop the enterprise’s defensive poster.
    • The player chooses appropriate configurations that need to be applied.
  6. Learning Theories Embodied:
    • Constructivism: players are placed in arranged scenarios and are asked to actively create/construct knowledge by doing things to adapt to the protagonist.
  7. Instructional Strategies Incorporated:
    • The player was given carte blanche control over the infrastructure implementations in the environment, aside from the budget. This allows for discovery and several paths to get the desired objective resolution.
    • Students can export their logs for turn-in to a grader. The grader can import the logs and evaluate the strategies that were used to come to a resolution.
    • Scaffolding was provided for educators to design their own scenarios and learning objectives to address ever-changing teaching needs.
  8. Overall Evaluation:
    • Overall, I felt the game was useful and educational, but it is a bit dry.
    • While I felt it was very educational, the scenarios needed to be more drawn out and feed into each other to allow for a storyline to occur.
    • Most of the game was reactionary. I would have liked to see more proactive scenarios addressed.
    • The game was lacking modern concerns: wireless networks, social networking, privacy (e.g. HIPPA, FERPA), nuclear missile strikes, etc.
    • The game would benefit from a little modernization.
      • Using the Unity engine would make it cross-platform.
      • Adding a forum for people to post and share content for a modern version of this game would be helpful.
      • Integrated into a reward system and possibly a leader board to allow for social interactions to take place.

  9. Reflection:

    I chose this game because I have been an IT professional for over 20 years. As such, I knew I would be able to be critical and judgemental about this game.

    I had to remind myself several times that his game was not designed for veterans in the field. As such, the game’s fidelity has to be high enough to make meaningful choices, but not be so high that the intent (which I believe is concept familiarization) is lost in the details.

    Although I did not enjoy this game as much as I hoped, it stirred a lot of thoughts in me. I learned a ton. Not about network security, but about how to design and educational game for the IT professional. Allowing the teaching of concepts without overwhelming new professionals with the monotony of the details.