Rob Dodson is preparing his cybersecurity students to enter the Matrix, but instead of a red or blue pill, their method of transportation is a virtual-reality headset.
Dodson and co-collaborator Jonathan Perry, CEO of local virtual-reality startup Ractive, are creating VR training that simulates real-life cyber threats – corrupted files, missing documents, and compromised networks – and places students in lockstep with infiltrators.
“It’s very hard to demonstrate in a network what a threat actor can do and how he does it without being able to see him move,” said Dodson, a course developer and senior instructor at DC Industries, a global company that helps future cyberwarriors develop their skills. “If you’ve seen the movie The Matrix, … our ultimate goal is to get you down into the system itself where you’re moving around through the components of the system, and you’re actually seeing how a threat actor … changes direction and goes somewhere else – actually being able to do what the threat actor is doing.”
DC Industries and Ractive demonstrated the virtual-reality training for media at DC Industries’ Port San Antonio facility on Wednesday. Class sizes are small because of the intensity of the VR experience, which immerses cybersecurity trainees in a digital environment – like a video game from a first-person perspective, Dodson said.
Dodson wrote the scenario for the cybersecurity training and Perry developed the software to create the VR experience. Together they’ve created a new kind of instructional platform for cyberwarriors-in-training.
When trainees put on the VR headset and initiate the cybersecurity scenario, they are presented with a map with several pins representing all of the computer systems at a fictional global corporation, which has offices in cities such as New York and Toronto as well as countries such as Botswana. The trainee clicks each site to see its network infrastructure, which presents a visualization of each network device. A red glow indicates a device has been hacked.
The students then must determine how the cyber threat started and what information was taken.
Dodson said the training is designed for people entering the cybersecurity profession but also is a useful exercise for any cyber professional because it provokes critical thought.
“Obviously the more experienced you are the more you’re going to be able to put to it, but if you don’t have any experience, it’s going to teach you the basics of security fundamentals,” he said. “What we like is there are no wrong answers. It’s a training environment; we’re not testing you on anything. We’re trying to [stimulate] … how you think about security.”
Perry, whose company develops VR training for firefighters and other emergency response personnel, said he was surprised when Dodson approached him about developing a cyberattack simulation. He hadn’t previously envisioned using his exercises in cybersecurity. But as he and Dodson discussed it, Perry realized the value it could bring.
He said cybersecurity instruction largely involves reading textbooks and presenting slideshows, so adding VR to the toolbox could help “increase engagement and visualize these really complex things.”
“They’re still going to go through that PowerPoint presentation, that lecture, and they’re going to get that information,” Perry said. “Once they put that VR headset on it’s like ‘Okay, now that it’s a real threat,’ and you don’t have access to your notes. Do you remember what you’re supposed to do in this situation?’”
The training is still in the early stages of development, but Dodson believes VR is the next step for cybersecurity education.
“We believe you have to stay one step ahead of everybody else, especially the threat actors, and this looked like the best way to reinforce the training we give people,” he said. “It looks like it’s going to be very beneficial for everybody.”