Gamifying information security: Adversarial risk exploration for IT/OT infrastructures

Today's interconnected IT and OT infrastructure faces an array of cyber threats from diverse actors with varying motivations and capabilities. The increasing complexity of exposed systems, coupled with adversaries' sophisticated technical arsenals, poses significant challenges for organizations seeking to defend against these attacks. Understanding the relationship between specific attack techniques and effective technical, organizational and human-centric mitigation measures remains elusive, as does grasping the underlying principles of information security and how they maybe applied to cyber defense. In response to these challenges, we propose a gamified metamodel that combines well-established frameworks, including MITRE ATT&CK, D3FEND, CAPEC, and the NIST SP 800-53 security standard. The programmatic implementation of the model, "PenQuest", combines elements of game theory with cybersecurity concepts to enhance risk assessment and training for IT practitioners and security engineers. In PenQuest, participants engage in a digital battle - attackers attempt to compromise an abstracted IT infrastructure, while defenders work to prevent or mitigate the threat. Bot opponents and the technical foundation for reinforcement learning enable future automated strategy inference. This paper provides an in-depth exploration of the metamodel, the game's components and features built to translate cybersecurity principles into strategy game rules, and the technical implementation of a mature, ready-to-use education and risk exploration solution. Future work will focus on further improving the attack likelihood and detection chance algorithms for seamless risk assessment.