I will never watch “The Little Mermaid” again without thinking about ransomware and cyberattacks.
Although Ariel agrees to the arrangement with Ursula, the sea witch hijacks the mermaid’s voice, but with a catch. Ariel has to kiss the prince by a predetermined deadline. If she does, her voice is returned. If she doesn’t, Ursula keeps the voice, which you know she plans to use for her own nefarious behavior. Ariel’s voice is like valuable company data, stolen and held for ransom.
During her keynote speech at CPX360 in Las Vegas earlier this year, Maya Horowitz, director of threat intelligence and research at Check Point, used Disney villains to illustrate cyberattacks and add a more relatable touch to security awareness training.
Cybersecurity is like these famous cartoon villains, Horowitz told the audience. Maybe we aren’t being given a poisoned apple by an evil queen disguised as a friendly old woman, but we are getting phishing emails disguised as familiar companies or celebrities offering free iPhones.
In the business world — and in personal life — it can be difficult to tell when those bearing gifts are disguised wrongdoers tricking us into making mistakes so that they can do us harm. Similarly, we may not realize when deceptive cyberattacks are occurring or recognize vulnerabilities within our systems until it’s too late. But perhaps we can improve security awareness training by using pop culture references and gamification techniques to make the critical concepts more relatable.
Cartoons Stick in Our Memory
“The human memory works in a way that new data needs to be ‘glued’ to existing data in order to be processed,” Omer Taran, co-founder and CTO at CybeReady, explained in an email comment.
Using a cartoon or a familiar icon can leverage the power of familiar images, allowing new data to be better absorbed. “The more the existing cartoon has relevant properties that interact with the required new data, the stronger is the impact,” Taran added.
Want your employees to understand how a distributed denial-of-service (DDoS) attack works? Watch the stampede scene from “The Lion King” — and fight to hold back the tears, of course. Wildebeests may not be the perfect analog for botnets, but when you send millions of botnets streaming toward a network, they too can easily strike down a target for as long as they like.
Sleeping Beauty provides a good example of what can happen if your organization isn’t diligent about patching known vulnerabilities. The king and queen were warned that if their infant daughter pricked her finger on a spinning wheel before she turned a certain age, the entire kingdom would fall into a deep sleep. While the royals thought they had found every spinning wheel, one was forgotten and discovered by the princess, and the rest is (fictional) history.
In a similar fashion, one unpatched machine could lead to the takedown of a whole network. It could also be used for advanced persistent threat (APT) attacks. Like the sleeping spell, these attacks are designed to trigger at a later date, and the threat actor disappears long before the damage is done.
Of course, you can move the cartoon analogies away from Disney movies and find cyberattack lessons in virtually any cartoon you enjoy. A day in the life of Bart Simpson, for instance, is like the man-in-the-middle attack; he eavesdrops on his victims and then wreaks havoc.
Security decision-makers may even relate to the story of Wile E. Coyote and Road Runner. Road Runner is always one step ahead of Coyote — the bird sometimes even mocks him after another attempt at containment fails. Cybersecurity sometimes feels like this. Even if all of the elaborate tools and strategies are deployed to catch threat actors before they attack, they sometimes elide our efforts regardless and stick out their tongues when they’re finished. Still, we must carry on and do our best next time.
The Hero Saves the Day
Using Disney villains (or any cartoon or pop reference) as a way to engage and teach people about cyberattacks is part of a greater movement looking to use fun methods to improve training retention and attention. Gamification is growing increasingly popular in security awareness training. People who play video games love competition and earning rewards, so gamifying security education can bring that sense of healthy competition into the workplace for the better.
But as fun as the gaming and competition can be, it’s not for everyone. All employees retain information through different methods. For some, it takes hands-on action and competition for rewards. For others, it takes a visual connection or drawing comparisons between favorite movie scenes and specific real-life scenarios. It may take a combination of these methods to address cyberthreat mitigation across the board.
For example, Vectra, an AI-driven threat detection platform, created its own cartoon characters (to avoid any copyright issues) and uses them as a security teaching tool. It employs villains to personify the phases of the attack life cycle — command and control, internal recon, lateral movement, data exfiltration and botnet monetization. Of course, the superhero, Cognito, comes in to save the day.
This point is perhaps the most important takeaway regarding the ongoing fight for cybersecurity: While the villains are driving the bad action and causing the cyberattacks, in the end, the hero must always come through to save the day. The more your employees know about cyberthreats, the more heroes your organization will have.