Catch Me If You Can
The Office of Information Security adds a little fun and flavor to this year’s Risk Management Program
The annual security risk assessment doesn't have to be a drag.
Catch Me If You Can is this year's themed Information Security Risk Management Program (RMaP), which the Information Security Office (ISO) has gamified in recent years to make the process of assessing risk interesting and fun for all academic and administrative units across campus.
The mandatory risk assessment program happens each year from March until June, helping units—including those in UITS—assess the security risks for all of their systems and processes. The program's goal is to have all University units complete at least one security plan. These plans are used to inform units on where their highest risks are and what can be done in the coming year to mitigate them.
Risk management is important to all levels of the University. A central tenet of RMaP is identifying threats before they are realized, so that risk-handling activities can be planned and invoked as needed across the life of a product or project.
To make the assessment process fun, Catch Me If You Can uses a point system to encourage friendly competition to complete security plans in UASecure by the end of June. Units can earn bonus points by completing assessments early in the program. The more assessments a unit completes, the more points they receive.
In addition, Information Security Risk Managers (ISRMs) can earn bonus points of their own. The ISRM point system nods to Leonardo DiCaprio's character (and the real-life con artist, Frank Abagnale) in Steven Spielberg’s 2002 film. ISRMs can receive "Pilot's License" and "Passing the Bar" points by driving projects to completion or providing constructive feedback to improve the new UASecure platform.
"Catch Me If You Can is a lot of fun," beamed Teresa Banks, Manager for Information Security and Compliance Programs in ISO. "Setting up a game structure for risk management helps bring people in. We try to promote it every way we can—using Zoom backgrounds, talking about it during campus coordination meetings—anything we can do to get it in front of people. We are really trying to up the game to let everyone understand risk management better."
This is the third year ISO has used games to inspire units to complete the assessments. Last year, ISO promoted a treasure hunt with a pirate theme starring Johnny Depp, while 2021 had a Candyland theme. Points were awarded to people for attending workshops.
Points are distributed to Campus IT Units and Top "Pilots," while UITS is scored separately. Banks explained, "The ISO will have probably six assessments that we complete in this cycle ourselves. It's important for UITS to assess more than anyone. We have to set the example for campus."
As of this writing, the College of Medicine-Tucson leads with the most points—2,750, while Infrastructure & Foundational Tech and Research Technologies in UITS are nearly tied at 260 and 250 points. As the game progresses through June, the number of players and points will continue to grow.
Lorenso Trevino, Senior Manager for Information Security and Risk Management in the College of Medicine, leads in the "Pilot" category with 950 points.
"Most people think of risk management as boring, and I don’t blame them," observed Trevino. "However, the Catch Me If You Can gamification adds a little flavor and can spark competition. At the end of the day though, we all benefit by working through risk planning to improve the security of our IT resources. I'm a competitive person, so it’s always fun to be in the lead in any competition!"
Read more about Catch Me If You Can on the ISO website and return to this article for updates in June.