The NGA Plans to Lock Employees In a Room Until They Learn Cyber Hygiene

Imagine: You and your colleagues are locked in an office at your agency’s headquarters with only your wits, teamwork and knowledge of cyber hygiene to get everyone to safety.

That’s the basis of the latest training exercises being developed for employees at the National Geospatial-Intelligence Agency, which recently signed a contract to hold two weeklong cyber escape room events at Campus East in Virginia and Campus West in Missouri.

NGA awarded the contract to Living Security, Inc., a woman-owned small business based in Texas that specializes in creating unique, immersive cybersecurity training.

“Over the last two decades, [training has been] PowerPoints and questions and answers and trivia-type things. And people cruise through it; they don’t pay attention to it,” Living Security co-founder Ashley Rose explained to Nextgov. “So, what we identified was this enormous gap of trying to build a training program that was relevant and spoke to the user, to the people who are taking that training, rather than just checking a compliance box.”

Living Security has been in operation for about 15 months. Rose co-founded the company with her husband Drew, who said the goal is to help improve security knowledge for everyone who touches the network, not just security professionals.

“For anybody who comes in and touches a machine or has access to the network, this is breaking down complex concepts like phishing and password security and things of that sort into a really digestible and understandable way,” Drew said.

The company has two standard scenarios: a black hat theme that shows players how easy it can be for bad guys when organizations and employees forget to reset default passwords or don’t use multifactor authentication; and a security-side scenario that focuses on finding and securing cyber hygiene violations. In each, players get keys as they solve problems and answer questions, enabling them to advance through the game.

The company starts with these scenarios, then builds organization-specific concepts into each game. For NGA, that will mean an escape room “customized to the tenets and risks that NGA focuses on,” according to a special notice on FedBizOpps announcing the sole-source award. “The training moments and challenge questions will be customized to NGA's Information Technology and Security policies and messaging to provide consistency with the cybersecurity program,” the synopsis states.

The NGA deal is Living Security’s first federal contract. The company has worked with large organizations in the past, Drew said, so “nothing was a big surprise,” but they did have to adjust somewhat for a federal user.

“We did have to think very specifically about the puzzles we include and the type of electronics we’re going to be bringing on site—in terms of no laptops, no USBs, no wireless access points,” he said. “But we have creative ways of showing those vulnerabilities without having those actual devices in person.”

The two events will take place between Sept. 4 and Oct. 19.

Last week, Living Security also launched a new product, Cyber Escape, which is an entirely digital cyber escape room environment. Individual trials start this week, Ashley said, with a full rollout planned for National Cybersecurity Awareness Month in October.