The company’s owners developed a unique algorithm that modifies its instruction based on the social and psychological background of the learner. Parents buy a subscription to the software and then let their children use it to prepare for the SAT. The algorithm and the software code for the app that uses the algorithm are becoming valuable properties. The company has grown in four years from two employees to sixty. There are rumors that the company will be sold to a multi-billion-dollar corporation in the near future.

The team consists of you, Dana - a coworker who specializes in installing and configuring hardware, and Jodie - your immediate supervisor who oversees the IT team. You were hired primarily to manage the company’s data security procedures. Jodie is your primary contact.

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/jodi_2.jpeg" width="500" alt="Jodi Image">]

[[Continue->S1.P1.1.2]]

On your first day, Jodie explains what you were hired to do:

“I want you to do some data classification for us, and then help us build a cybersecurity plan. Data classification, as you know, is used to decide who gets to see or manipulate data, and how data is protected. Proper classification of data can prevent cyberfraud. We have information on employees and customers that we need to protect. We also have a valuable application that is becoming more popular, and we don’t want people getting their hands on it. So that is your task - give us a cybersecurity plan for protecting our data from cyberfraud.
I know it’ll take some time, so ask as many questions of me as you like.”

''What do you want to do next?''
- [[Ask Jodie to tell you about the organizational structure of the company->S1.P1.2]]
- [[Ask Jodie to give you a breakdown of the types of data in the company->S1.P1.3]]
- [[Ask Jodie to tell you about the company’s finances->S1.P1.4]]
- [[Ask Jodie to tell you what cybersecurity services the company has purchased->S1.P1.5]]
- (text-colour:green)[[[Give Jodie your plan to protect the company’s data from cyberfraud->S1.P1.Q]]]

---
Your notes for reference:

(text-style:"underline")[Lecture]
<iframe width="560" height="315" src="https://www.youtube.com/embed/tNSdM1ffoL0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

(text-style:"underline")[And here are some key documents (opens in new window):]
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_1_data_classification.png" target="_blank">Data Classification Scheme</a>
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_2_securing_data.png" target="_blank">Methods of Securing Data</a>

Jodie: “The easiest way to think about it is that there are three groups of employees.

First, there is ownership - a sister and brother team of Alexis and Shawn. That’s the two folks who designed the software and business plan we are using.

Then there are the people like me - management. It’s three of us and we are on salary. Keiran supervises the sales team. Sloan handles human resources. I handle you guys - the tech team.

And third are the team members in management, sales, and tech. These are folks working hourly and really are getting their tasks from management.
I guess you are in the third group.”

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/jodi_2.jpeg" width="500" alt="Jodi Image">]

''What do you want to do next?''
- [[Ask Jodie for more details about the organizational structure of the company->S1.P1.2.1]]
- [[Ask Jodie another question->S1.P1.H]]

Jodie: “Well...let’s see. Oh, first is the (text-colour:orange)[''source code''] for our application. Nothing is possible without that!

There is a pretty big database of information that all the teams use. It’s about our customers. It has (text-colour:orange)[''client contact information''] - names, addresses, and phone numbers plus their interactions with us, mainly (text-colour:orange)[''customer software usage logs''].

A second contains all the (text-colour:orange)[''public-facing website text''] for potential customers to see. Keiran’s team did a good job with that. I think it is one of the things that makes us stand out from the competition. You know, like logos, the “who we are” text on the homepage...stuff like that.

And there is the personal stuff about our customers and us. You might know this as PII. That’s like our (text-colour:orange)[''social security numbers''] and (text-colour:orange)[''bank account information''] - for direct deposit and payments. Can you imagine what could happen if someone outside the company - heck, even inside the company got ahold of that info?!

I guess our company’s (text-colour:orange)[''financial reports''] are data as well. I know last year we made a profit. I got a raise!

Wow, that’s a lot of stuff. Never realized it! Let me see if there is anything I’m missing. Oh! How could I forget - our (text-colour:orange)[''network credentials''] (password and ID) for accessing the company’s network. This is the PII for all the company’s employees.

That's eight types of data.
You might want to record this info so you don’t forget it.”

''What do you want to do next?''
- [[Ask Jodie to tell you more about the data in the company->S1.P1.3.1]]
- [[Ask Jodie another question->S1.P1.H]]

Jodie: “I don’t know much about that. I know we made a profit last year, and I got a raise, but that’s the most I know. Even Sloan in human resources is not entirely clear. I guess it’s because Shawn and Alexis are planning some kind of merger or acquisition or something, and they want to keep everything close to the vest.

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/shhh.jpg" width="400" alt="Top Secret">

It's all hush-hush around here."

''What do you want to do next?''
- [[Ask Jodie to tell you more about the company's finances->S1.P4.1]]
- [[Ask Jodie another question->S1.P1.H]]

Jodie: “I have to hand it to the ownership. They were proactive early on in allocating money for cybersecurity. So they asked me to recommend some things a year or so ago to help protect our data. I recommended things, and they bought or reserved money for it.

But then there was a problem. I just started encrypting everything and ignored the other tools we purchased. Encrypting everything actually slowed down the workflow. There are so many files on our servers and company laptops, that a blanket policy of constant encryption just slowed the computers down.

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/angry_employees.jpg" alt="Frustrated Office Workers">

And then Shawn and Alexis were a little annoyed that they had bought this stuff and we weren’t using it all. They told me that I needed to use all of these tools most efficiently. I told them my strength is more in IT, not cybersecurity, and they should hire a new person. And that’s how you got here.
You can say you got this job because of me.”

''What do you want to do next?''
- [[Ask Jodie to tell you more about the cybersecurity services->S1.P1.5.1]]
- [[Ask Jodie another question->S1.P1.H]]

Jodie: “Ok, you are ready to give us your plan! I am excited. I have brought in some team members so we can all listen in. Of course, if you are not ready, you can ask me more questions."

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/pexels-fauxels-3182834.jpg" height="500" alt="Team">

''What do you want to do next?''
- [[Go back to asking Jodie questions->S1.P1.H]]
(text-colour:green)[- [[Give Jodie a plan on how to classify the data->S1.P2.1]]]

---
Your notes for reference.

(text-style:"underline")[Lecture:]
<iframe width="560" height="315" src="https://www.youtube.com/embed/tNSdM1ffoL0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

(text-style:"underline")[Key documents:]
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_1_data_classification.png" target="_blank">Data Classification Scheme</a>
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_2_securing_data.png" target="_blank">Methods of Securing Data</a>

Jodie: “Ok, let me bring in Sloan to help you.”

Sloan: “The ownership used to be really involved in the day-to-day activities of the company. But now, they spend most of their time working with the source code for the application and making updates to our software. They also handle the company finances - you know, profit and losses. They check in on us from time to time, but they pretty much leave the rest of us alone.

Keiran’s team in sales develops the sales pitches, writes the content for our website, finds leads, and reaches out to schools and parents.
Jodie’s team in IT - that includes you - handles all the tech stuff like installing hardware and software, cybersecurity, and helping customers and employees with tech issues.

And then finally, my team in HR handles the hiring, payroll, and insurance stuff. We are also the ones who pay for services our company uses and receive payment from schools and parents."

Sloan then shows you a chart with the organizational structure of the company.

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/sloan_1.jpg" width="500" alt="Sloan's Chart">]

''What do you want to do next?''
- [[Examine the chart->S1.P1.2.2]]
- [[Ask Jodie another question->S1.P1.H]]

''What do you want to do next?''
- [[Ask Jodie to tell you about the organizational structure of the company->S1.P1.2]]
- [[Ask Jodie to give you a breakdown of the types of data in the company->S1.P1.3]]
- [[Ask Jodie to tell you about the company’s finances->S1.P1.4]]
- [[Ask Jodie to tell you what cybersecurity services the company has purchased->S1.P1.5]]
(text-colour:green)[- [[Give Jodie your plan to protect the company’s data from cyberfraud->S1.P1.Q]]]

---
Your notes for reference

(text-style:"underline")[Lecture:]
<iframe width="560" height="315" src="https://www.youtube.com/embed/tNSdM1ffoL0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

(text-style:"underline")[Key Documents:]
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_1_data_classification.png" target="_blank">Data Classification Scheme</a>
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_2_securing_data.png" target="_blank">Methods of Securing Data</a>

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/org_chart.png">

[[Ask Jodie another question->S1.P1.H]]

Jodie: “I don’t have much, really.
Last year we tried to protect everything by just encrypting it all - and that sucked. It just slowed everything down - encrypting and decrypting all the time. I don’t envy you! Some data we all need access to in the company, and some we don’t, and some only ownership needs access to.”

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/angry_employees.jpg" alt="Angry Employees">]

[[Ask Jodie another question->S1.P1.H]]

Jodie: “I got nothing. I hope you can develop the plan without this info.”

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/jodi_1.jpeg" alt="Jodi Image 2">

[[Ask Jodie another question->S1.P1.H]]

Jodie: "Oh, sure. In fact, I have this handy chart given to me by Shawn."

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/sat_gpt_purchased-tools.png" alt="Tools Purchased">

[[Ask Jodie another question->S1.P1.H]]

Jodie: “OK, I think I mentioned eight types of data to you. Which ones should we select for classification? I have already thought about this a little bit. Which one do you think is the best?”

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/what_data_to_classify.png" alt="Three Options for What Data to Classify">

(checkbox: bind $S1Q1A, " ''Option A''")
(checkbox: bind $S1Q1B, " ''Option B''")
(checkbox: bind $S1Q1C, " ''Option C''")

[[Evaluate your answer->S1.P2.1.A]]

(if:$S1Q1A)[(if:visits is 1)[(set:$S1Q1Pass to "A1")]\
Excellent work! You included all the data mentioned by Jodie for classification. Don't make the mistake of not including data that is public - such as the contents of a website. Even information meant for everyone to see should be part of your classification scheme.](else-if:$S1Q1B)[(if:visits is 1)[(set:$S1Q1Pass to "F8")]\
This is a good choice, but not the best. You chose to classify all data except the information for the website.
Even though this information is meant for everyone to see, you want to include all data in the organization in your classification scheme.](else:)[(if:visits is 1)[(set:$S1Q1Pass to "C5")]\
This is a poor choice. Ownership is certainly concerned with protecting its source code and its financial reports. These are clearly the most important to this company. Their app is wildly successful, and they look to be planning a merger of some kind. But you need to classify as much of the data in a company as possible, if not all of it.]

''What do you want to do next?''
- [[Go back to asking Jodie questions->S1.P1.H]]
- [[Try identifying the data to classify again->S1.P2.1]]
- [[Continue to the next question->S1.P2.2]]

Sloan: “OK, this will be interesting for me, since I am always thinking about the best way to organize our company. Who gets access to what? I've prepared three organization schemes for you to review and choose from.”

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/classification_scheme_questions.png" alt="Classification Schemes">

''Which organization scheme do you choose?''
(link: "Choose Scheme A")[(set:$S1Q2Ans to 'A')(goto: "S1.P2.2.A")]
(link: "Choose Scheme B")[(set:$S1Q2Ans to 'B')(goto: "S1.P2.2.A")]
(link: "Choose Scheme C")[(set:$S1Q2Ans to 'C')(goto: "S1.P2.2.A")]

(if:$S1Q2Ans is 'A')[(if:visits is 1)[(set:$S1Q2Pass to "E2")]\
This is the best choice of the three. The most important information - financial records and the source code for the application - is secret. Information that should not be widely shared within the business - social security numbers, bank account information, and network credentials - is marked as confidential. Information that must be widely accessed throughout the company - customer contact info and usage logs - is marked as business only. And finally, the information for the website is public.]\
(if:$S1Q2Ans is 'B')[(if:visits is 1)[(set:$S1Q2Pass to "M9")]\
This is a good, safe choice.
But it is a bit too restrictive. People within the company - specifically human resources - need access to social security numbers and bank account info. Categorizing that as secret means that you plan on applying your strongest cybersecurity measures. But that may then make it hard for HR to easily access the information.]\
(if:$S1Q2Ans is 'C')[(if:visits is 1)[(set:$S1Q2Pass to "L4")]\
This is a poor choice. Network credentials should not be business only and shared widely within a company. Only a few individuals should have access to everyone’s network credentials - usually members of the IT team and of course ownership.]\

''What do you want to do next?''
- [[Go back to asking Jodie questions->S1.P1.H]]
- [[Choose another classification scheme->S1.P2.2]]
- [[Continue to the next question->S1.P2.3]]

Sloan: “Ok, now to decide who gets access to what data. Of course, my team and I should get access to all the data! Just remember, you have five parties here - the public, ownership, and the three management teams - HR, Sales, and IT. Here's another list of three options to choose from.”

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/data_access_question.png" alt="Data Access Chart">

''Which option do you choose?''
(link: "Choose Option A")[(set:$S1Q3Ans to 'A')(goto: "S1.P2.3.A")]
(link: "Choose Option B")[(set:$S1Q3Ans to 'B')(goto: "S1.P2.3.A")]
(link: "Choose Option C")[(set:$S1Q3Ans to 'C')(goto: "S1.P2.3.A")]

(if:$S1Q3Ans is 'A')[(if:visits is 1)[(set:$S1Q3Pass to "T7")]\
Not a bad choice. The Owners and IT have access to all data, and the other teams are restricted. However, in many situations, owners may not want IT to have access to sensitive data. And so even if IT helps them set up their cybersecurity – for example an encrypted hard drive, they will keep their passwords secret and not store them on a server that the IT team has access to.]\
(if:$S1Q3Ans is 'B')[(if:visits is 1)[(set:$S1Q3Pass to "P1")]\
Not a bad choice.
However, the owners of a company may want to have access to all data in that company.]\
(if:$S1Q3Ans is 'C')[(if:visits is 1)[(set:$S1Q3Pass to "V2")]\
This is the best answer. The owners have access to all data in their company. The separate teams have access to the data relevant to their job functions. Everyone in the company has access to the data needed by everyone.]\

''What do you want to do next?''
- [[Go back to asking Jodie questions->S1.P1.H]]
- [[Choose another data access option->S1.P2.3]]
- [[Continue to the next question->S1.P2.4]]

Jodie: “OK, great! Now we just need to choose cybersecurity measures! Shawn and Alexis will be so happy we are using these tools. Here is a reminder of what cybersecurity tools we have available."

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/sat_gpt_purchased-tools.png" width="600" alt="Tools Purchased">]

Jodie: "I've got another three plans for you to choose from.”

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/classification_scheme_questions.png" height="700" alt="Tools Purchased">

''Which plan do you choose?''
(link: "Choose Plan A")[(set:$S1Q4Ans to 'A')(goto: "S1.P2.4.A")]
(link: "Choose Plan B")[(set:$S1Q4Ans to 'B')(goto: "S1.P2.4.A")]
(link: "Choose Plan C")[(set:$S1Q4Ans to 'C')(goto: "S1.P2.4.A")]

(if:$S1Q4Ans is 'A')[(if:visits is 1)[(set:$S1Q4Pass to "Q8")]\
This is not a bad choice. The secret data and the confidential data are the most secure, and everyone must use 2-factor authentication to access the network. However, applying an encryption scheme may slow down access to and manipulation of confidential data that employees use repeatedly. Encryption may be overkill for confidential data.]\
(if:$S1Q4Ans is 'B')[(if:visits is 1)[(set:$S1Q4Pass to "S3")]\
Not a bad choice. Anyone attempting to use the network will need 2 factors to authenticate. Moreover, the most sensitive data is protected with both encryption and a segmented network.
However, it may be advisable to separate data accessibility between teams using network segmentation. There is no reason, for example, for HR to have access to the network credentials of everyone.]\
(if:$S1Q4Ans is 'C')[(if:visits is 1)[(set:$S1Q4Pass to "Y6")]\
This is the best answer. The most important data is given the most protection. Confidential data is segmented such that certain teams can only access certain data with their credentials. And everyone must use 2-factor authentication to access any part of the network.]\

- [[Go back to asking Jodie questions->S1.P1.H]]
- [[Choose another cybersecurity plan->S1.P2.4]]
- [[Finish Scenario->S1.End]]

Congratulations! You've put together a cybersecurity plan for SAT-GPT, and they are happy!

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/pexels-rodnae-productions-7889209.jpg" width="400" alt="Happy People">]

You are now given a passcode. Please record this passcode. In the form below, you will be asked to submit the passcode and to answer a series of questions on the exit survey.

''(text-colour:green)[<a href="https://forms.gle/XSj3T9orbmZPT3HU7" target="_blank">Exit Survey</a>]''

Your passcode is: $S1Q1Pass\
$S1Q2Pass\
$S1Q3Pass\
$S1Q4Pass

We thank the Association of Certified Fraud Examiners for funding this project.

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/association-of-certified-fraud-examiners-acfe-.jpg" width="200" alt="ACFE Logo">]

You are a new hire in a mid-sized SAT company called ''SAT-GPT''.

(align:"=><=")+(box:"XXX==")[<img src="https://cybercrimegamification.files.wordpress.com/2023/04/logo.jpg" width="250" alt="Company Image">]

The company is concerned about cyberfraud. Your job is to assess the types of data in the company, and build a data protection plan. You already have an idea of how to protect data from some of the classes you took at Old Dominion University.
Before starting this job, you reviewed a lecture from one of your cyber instructors.

(text-style:"underline")[Here is the lecture (this will be available to you throughout the tutorial):]

(align:"=><=")+(box:"XXX==")[<iframe width="560" height="315" src="https://www.youtube.com/embed/tNSdM1ffoL0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>]

(text-style:"underline")[And here are some key documents (opens in new window):]
=|=
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_1_data_classification.png" target="_blank">Data Classification Scheme</a>
=|=
<a href="https://cybercrimegamification.files.wordpress.com/2023/04/table_2_securing_data.png" target="_blank">Methods of Securing Data</a>
|==|

OK, good luck! Click the box below to get started. You will need to ask a lot of questions!

(align:"=><=")+(box:"XXX==")[<button type="button" style="height: 150px; width: 200px">[[Begin Your First Day at SAT-GPT->S1.P1.1]]</button>]

You are about to play a tutorial designed to teach you the process of data classification and how it can combat cyberfraud.

The tutorial is in the form of an interactive story. You choose how you navigate the story. For example, there is a video lecture from your instructor as a part of the story, and it is up to you if you want to view this lecture.

This assignment is a part of a research project where the investigators are exploring how video game content can be included in classroom instruction. Your participation will help us in this task.

Although you will be asked questions about what you learned, and we want you to answer them faithfully, you will be graded on participation. If you complete the assignment, you will receive full credit. Completing the assignment means finishing the tutorial, receiving a passcode, and then completing the survey at the end. This assignment is not timed.
If at any time you do not want to continue with this project, you may stop by clicking out. You can then complete the alternate assignment on Canvas. The alternate assignment covers the same material, will also take about 1 hour, is not timed, and is also graded on participation.

[[Start Scenario: Classifying Data in an SAT Test Prep Company->Introduction]]

<img src="https://cybercrimegamification.files.wordpress.com/2023/04/odu_cybercrime.jpg" width="150" alt="ODU Cybercrime Logo">
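
The answers the scenario's feedback marks as best (four classification levels, owners seeing everything while each team sees only job-relevant data, and two-factor authentication for any network access) can be written as a small deny-by-default access check. This is an added Python example, not part of the original tutorial; the team assignments and the per-level controls are assumptions reconstructed from the feedback text, since the option charts themselves are images.

```python
"""Added example: the scenario's classification scheme as an access check."""

TEAMS = {"hr", "sales", "it"}  # the three management teams Sloan names

# Each of Jodie's eight data types -> (level, teams with a job need).
# Assumed from the feedback text: HR needs SSNs and bank details, IT holds
# network credentials, and secret data stays with ownership.
CLASSIFICATION = {
    "public-facing website text":   ("public", TEAMS),
    "client contact information":   ("business only", TEAMS),
    "customer software usage logs": ("business only", TEAMS),
    "social security numbers":      ("confidential", {"hr"}),
    "bank account information":     ("confidential", {"hr"}),
    "network credentials":          ("confidential", {"it"}),
    "source code":                  ("secret", set()),
    "financial reports":            ("secret", set()),
}

# Controls per level. Assumption: reconstructed from the feedback on the
# three plans, because the plan chart itself is not in the text.
CONTROLS = {
    "public":        [],
    "business only": ["two-factor authentication"],
    "confidential":  ["two-factor authentication", "network segmentation"],
    "secret":        ["two-factor authentication", "network segmentation",
                      "encryption"],
}


def unclassified(inventory):
    """Return inventory items that have no classification entry yet."""
    return [item for item in inventory if item not in CLASSIFICATION]


def required_controls(data_type):
    """Return the controls that apply to a data type's level."""
    level, _ = CLASSIFICATION[data_type]
    return CONTROLS[level]


def can_access(party, data_type, second_factor_ok=False):
    """Decide access for 'public', 'owners', or one of TEAMS."""
    if data_type not in CLASSIFICATION:
        return False            # unclassified data is denied by default
    level, teams = CLASSIFICATION[data_type]
    if level == "public":
        return True             # meant for everyone to see
    if party == "public" or not second_factor_ok:
        return False            # any network access requires the second factor
    if party == "owners":
        return True             # owners can reach all company data
    return party in teams       # teams reach only job-relevant data


if __name__ == "__main__":
    for party in ("public", "owners", "hr", "sales", "it"):
        allowed = [d for d in CLASSIFICATION if can_access(party, d, True)]
        print(f"{party:7} -> {allowed}")
    print(unclassified(["source code", "marketing drafts"]))
```

Running `unclassified` over a full data inventory is the check that catches the mistake the first question warns about: data, including public data, that never made it into the scheme.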