Introduction
Get Security is a point and click adventure game which seeks to teach the player and raise awareness about small business management and IT security. You play as Nicole Hernandez, a small business owner who recently fired her security employee.
Below is a detailed analysis of this game roughly following Brian Winn's1 Design/Play/Experience framework, including:
Learning
-Learn to practice security
-Training in the use of virus and spyware scanners
-Learning about IT security vocabulary
-Learn to be aware of threats even in trusted correspondence
-Training management to communicate with employees about security concerns
Storytelling
The game takes place in a small fictional city where the player works. The character Nicole is a small business owner who interacts with other business owners and clients in the course of the game. Nicole has recently fired her IT
security employee Graham and must now handle her normal tasks as well as security concerns. She is always occupied and there is a short amount of time to accomplish these tasks which makes the security problems easier to overlook in the course of a day. The
story is a plausible and realistic scenario because ordinary people often have the same problem balancing security with their normal business concerns. The story interferes with learning about security as intended, the tasks often focus on business management
and not security allowing the player to lapse in awareness and potentially fail the security sections of the tasks.
Gameplay
The player only rarely makes choices between multiple acceptable options and usually can only fail by ommiting their security oriented options, which includes scanning email attachments, backing up information, and purchasing additional security software. The player is given a task list and a set period of time in which to accomplish their tasks, for each of the tasks the player must make a series of choices, interact with NPC's, and evaluate data from multiple sources. Over time the tasks become repetitive and the player can recognize how to solve each problem, thereby giving them more time to be aware of security. The game is not very engaging and can leave the player bored at times since the challenges are not very difficult and there are little to no consequences to failure. The gameplay in many ways interferes with the intended purpose of learning security in that there is very little transference of learning outcomes. There are few elements in this game to balance as it is for the most part strictly pass/fail.
User Experience
The player is given a number of menus that correspond to various electronic devices such as a PDA, laptop, and GPS. These menus convey the information needed to interact with the other characters in the narrative. Only a mouse is used throughout the game, by pointing and clicking on the various interfaces the player advances through the game. The interface allows the player to accomplish their tasks with minimal difficulty and there is rarely any "noise" with the exception of spam mail that increases as the player performs poorly. The UI doesn't allow for experimentation or failure outside of the specified failure conditions. The most valuable learning comes from the glossary which is not required at any point in the game, only being referred to when the player fails some security task.
Technology
Get Security is a web based flash game that is played on a computer using a mouse and keyboard. The technology was not limiting in any respects and flash was easily the best choice they could make. Flash allows for an entertaining visual interface and widespread use through the Internet.
Assessment
There doesn't appear to be any formal or informal assessments of the game. A formal experiment with a control group that reads from security textbooks about the topics covered in the game and a pre and post test questionaire for both groups to evaluate how much was learned in the course of the game.
Conclusion
Overall the game does a poor job of teaching and reinforcing security principles. A more detailed scoring system to properly evaluate how successful players are in performing security related tasks. Additional security tasks with more complex metrics for success rather than simply scanning or not scanning, backing up or not backing up files. The narrative could be more responsive to the players choices, specifically in the case of the fashion show, the players actions have little to no impact on the way the show will turn out. The game accomplishes its goal of raising awareness about IT security but does poorly in teaching the player about actual IT security principles.