
Are cyberwar games beneficial to test enterprise security?

Traditional security testing is always recommended, but what about cyberwar games? Expert Mike O. Villegas discusses the best ways to test a security program.

My organization is considering conducting a security fire drill or even a cyberwar game to test our information security program. This seems like a big undertaking, but are cyberwar games beneficial to organizations?

Testing the information security program should be a continuous process. For example, once devices are hardened, they should be monitored by SIEM or federated identity management tools so that the enterprise is alerted to any changes that could affect its information security posture. Additionally, enterprises hire pen testers to validate that the control structure is working effectively. Then there is the incident response plan (IRP). In the event of a breach or incident that affects security, the enterprise needs to ensure it is ready and knows what steps to take to return to normal processing.

One way to test the IRP is to walk through across-the-table incident scenarios with all affected parties involved. Occasional social engineering tests, such as emails sent to employees to test their ability to detect phishing, are always enlightening.

Some organizations use cyberwar games to accomplish the same thing; however, the operative word is games, and there isn't much value in testing the information security program as a game. Cybersecurity is not a game. Security awareness efforts can include contests such as cybersecurity-related puzzles in company newsletters or on intranets, naming a cybersecurity mascot professionally developed by marketing for the information security group, and free cybersecurity videos offered to employees during lunch periods in the company food court; these and many other innovative and fun events can go a long way toward increasing awareness. But making them cyberwar games might marginalize the seriousness of cybersecurity. It might also affect employee productivity if employees begin to question real work for a game.

If the purpose of cyberwar games is to test the information security program, there are more tactical and pragmatic methods that prove to be much more productive. These include vulnerability scans, penetration testing, monitoring, remediations, secure code reviews, DLP scans and blocks, FIM alerts and follow-up, SIEM alerts and follow-up, system configuration certifications and many more. Cyberwar games would best serve as an awareness tool rather than as a test of the information security program.


This was last published in July 2016
