Play a video game, learn cybersecurity skills

Daniel Tkacik

Dec 17, 2021

To anyone wanting to dip their toes into the world of cybersecurity, a team at Carnegie Mellon University extends an invitation to play a video game.

The game, named “Katalyst,” gives players an introduction to command line operations, password hashing, and coding in Python—a very common programming language among cybersecurity professionals.

“Games do a really good job of slowly acclimating you to a certain mindset and allowing you to learn how things work and how things fit together,” said Heather Kelley, a professor in Carnegie Mellon’s Entertainment Technology Center (ETC). “If you’re trying to teach systems thinking, and you’re trying to do it gradually such that the person stays motivated to learn more and understand deeper, you really can’t do better than a game.”

Alongside ETC Professor Scott Stevens, Kelley advised a group of students this fall in a project where they were tasked with producing a video game to house a collection of cybersecurity challenges.

“Katalyst” will be featured in this year’s picoCTF, an annual cybersecurity competition for middle and high school students created and run by Carnegie Mellon’s CyLab Security and Privacy Institute.

If you’re trying to teach systems thinking ... you really can’t do better than a game.

Heather Kelley, professor, Entertainment Technology Center

CyLab has been tapping the ETC for its students’ creativity since 2013, when picoCTF began. Each year, competition participants have earned points by solving cybersecurity challenges within ETC-created video games. In the first picoCTF, a video game called “Toaster Wars” had players learning and using hacking skills to fix a robot from outer space. In another picoCTF, gamers learned hacking skills and used them against the infamous “Dr. X” who was trying to take over the world using evil robots.

This year’s ETC team aimed to set themselves apart.

Cybersecurity meets steampunk

“‘Katalyst’ is a bit fantasy, a bit steampunk, a bit magical,” said Lewis Koh, one of five second-year master’s students in entertainment technology on team 404 productions. Their project name is a nod to a common error code for websites. “We wanted to be a bit fantastical because we’re trying to bridge the gap for beginners who feel that cybersecurity is a bit incomprehensible, like magic. We are trying to make cybersecurity approachable for those who feel that it’s impossible to comprehend.”

Upon starting the game, players of Katalyst receive a message welcoming them to the “Plucotas’ Cyber Magical University.”

“Once upon the future,” the message reads, “… there was a school where magic and cybersecurity were one and the same.”

Players can then navigate the virtual university, solving various challenges in different rooms and earning points. The look and feel of the game could be described as cutout animation meets Steampunk.

“Players get to try out various activities and experience a new world of wonder and excitement,” Koh said. “Along the way, they will discover many cool innovations that cybermagicians use in real life and will make the first step toward unveiling the mysteries behind what makes our interconnected world work.”

The game design was inspired by conversations the team had with local high school teachers about their students’ current interests, including what works in terms of learning and what doesn’t. Later in the semester, the team tested a prototype of the game with a class of Advanced Placement computer science students. The students provided feedback of their experience, which allowed the team to tweak its product.

In order to form a more (cybersecure) union…

CMU’s picoCTF was created to help address the growing shortage of cybersecurity talent in the U.S. workforce. According to Lorrie Cranor, the director of CyLab and a faculty advisor to picoCTF, most students do not learn about cybersecurity—let alone that it is a highly engaging and lucrative career path—until college, when most students have already decided on a particular career path. Cash prizes are awarded to each competition’s top-performing U.S.-based middle and high school students.

“Not only is picoCTF useful for young students’ general cybersecurity knowledge, but it also works to interest them in cybersecurity careers before they even get to college,” said Cranor, a professor in the Institute for Software Research and the Department of Engineering and Public Policy.

The idea of motivating students to enter the cybersecurity workforce using competitions and video games seems to be working, Cranor said. Post-competition survey results each year show that roughly two-thirds of participants say they are “more interested” in pursuing cybersecurity as a career after participating in picoCTF.

As the gap between available, skilled cybersecurity experts and the number of open cyber positions continues to grow, the ETC and CyLab will keep adjusting the competition in hopes that a positive turning point—evidence that the gap is shrinking—is on the horizon.

“We hope players will feel a bit more comfortable with cybersecurity and will be able to go out on their own and start researching it,” Koh said.