Filling the cybersecurity skill gap with bottom up initiatives - the case study of CYBERSEC League.


The demand for cybersecurity professionals is growing exponentially, with predictions of up to 6 million workplaces and between 1.5 and 2  million unfilled vacancies globally by 2019[1].  Market is also eager for talents from this sector, with 68% companies acknowledging that demand for cybersecurity specialists is high in their organization[2]. Institutionalized education on all levels is lagging behind the fast evolving IT security field, which creates a need for other stakeholders to actively engage. On the one hand businesses are doing their best to train employees internally or to attract perspective candidates. On the other administration and third sector institutions are launching number of initiatives aiming to raise the level of digital and cyber skills. In Lesser Poland we created a coalition of stakeholders and launched the CYBERSEC League project, with the goal of attracting youngsters and students into cybersecurity professions.

CYBERSEC League was organized by the Kosciuszko Institute and Krakow Technology Park in cooperation with Cracow University of Technology and AGH University of Science and Technology. The idea is to create a new formula of events for IT-oriented students and young professionals, to influence their career decisions. In order to achieve that, we mixed the standard formats such as hackathon, capture the flag, escape room, city game - and created “Play the hack”. Players are taking part in 24 hour gamified challenge during which they have to solve cybersecurity riddles, logical quests and even do physical exercises. Everything embedded in the main plot, and enriched by multiple side quests hidden in the open world. This year edition took place on 19th-20th May in the Krakow Technology Park. Gameplay moved participants to year 2045, where global corporation Adui Industies have been planning to evilly use their computerized system based on Artificial and Human Intelligence. Participants have been warned about that plans by the whistleblower from the resistance movement called The League. And then the game began…

One hundred twenty participants in 28 teams registered to the event. During the game they had to face technical tasks with analysis of the network traffic, decryption of HTTP/HTTPS connections, RSA algorithms, Vernam ciphers and visual cryptography. Apart from the main plot of the game concentrated on ICT related  assignments, participants have been exploring open world with hidden QR Codes which gave them clues about possible optional tasks. Those additional tasks included geocaching game, logical riddles, escape room and even workouts with pushups and squats. Teams have been collecting points for both solving the main assignments as well as minor tasks. All participants owned also varied “assets” cards, like in Role-playing-games (RPG), which they used to disturb the work of rivals, help their own team, win additional time, and others. After 24 hours and the final assignment, the “Sparrows” team scored the highest number of points and won the competition. All participants received medals certifying their role in rescuing 2045 humanity from evil plans of the Adui Industries corporation.

The innovative formula for cybersecurity event that we created have been based on 5 main principles:

  1. Gamification – stimulate young people by allowing them to be players;
  2. Plot – tell the story which will create additional value for your audience;
  3. Everyone is a winner – show appreciation to every participants and give them “cool” awards;
  4. Engage before the event – communicate with the audience before, start the storytelling, give them introductory tasks, ask them about their preferences;
  5. Cooperate with the industry – include experts from cybersecurity companies, make them mentors and partners for young participants.

When it comes to participants experience and satisfaction, according to evaluation forms  filled by players, 100% of them would take part in the event one more time and 100% would recommend Cybersec League to their colleagues. On the scale from 1 to 5 almost 90% of respondents rated their experience during the event as 4 or 5. Results clearly shows that by mixing the formulas and engaging participants on different layers created by technology, plot and gamification, we have been able to attract to cybersecurity young people outside from the sector. And that is our goal.

[1] UK House of Lords Digital Skills Commitee, ; CSO, Cybersecurity job market to suffer severe workforce shortage, 2015, [online] www. to-2019-indicate-severe-workforce-shortage.html (access: 12/05/2017).

[2] , s.4