Information Security and the Gaming Industry
Mitigating Controls for Risk Management
Physical Security and Its Role in Information Security Management Systems
With the recent increase in attacks against game developers, information security is making its way into the headlines more than ever. A quick Google search on the topic brings up a plethora blogs about these incidents. The blogs which caught our attention were those questioning the compliance of the game developers to international standards that specifically protect consumer information.
Two key standards that find their way into the “blogversation” are the ISO 27001 and PCI-DSS. ISO 27001 is a management standard that focuses on information security. ISO 27001 defines conditions for the formation, implementation, monitoring and appraisal, maintenance and enhancement of a management system for managing an organization’s information security risk (read more about ISO 27001 Certification and RM Studio). While the Payment Card Industry Data Security Standard (PCI DSS) is an information standard defined by the Payment Card Industry Security Standards Council for organizations that possess and process cardholder information for major credit, prepaid, debit, ATM, POS and e-purse cards. PCI DSS was developed in order to implement controls around cardholder information to reduce fraud as a result of disclosure of the information.
The question regarding the game developer’s level of compliance raises another question, one of higher concern. Are the game developers responsible to the consumers to protect their information? It is our belief that organizations from healthcare providers, to telecommunication companies, to game developers all should handle consumer information in the same manner, one that protects consumer information.
As the gaming industry develops more and more, financial transaction and the transferring of personal information increases. Past business models in the gaming industry included a one-time purchase with little personal information exchanged. In recent years, the industry has introduced other business models, including monthly services and in-game purchases (PA-DSS). With these new models in place, transactions can vary from one total to multiple micro-transactions. With the increase in transactions comes the need to further secure information and data transmission.
The question of why these attacks occur must be considered as well. The motive behind the attacks varies by the amount of attackers there are. Reasons could include financial gain, hacking fame, disgruntled users, or even as a vendetta against an enemy who enjoys playing the game. With the broad range of motives comes the inability to predict why an attack may occur. This leads to one option for game developers. They must limit the impact and likelihood of attacks, no matter the reasoning behind them. The goal of the attacks may not be to obtain personal data of the users. Even if that is the case, efforts must be made to protect the users and their data.
Beyond the protection of the users, game developers must consider the financial impact of an attack, the impact on its reputation, as well as the consumer abandoning the company for a similar product. Considering the depth of impact from an attack, loss of user confidence, financial loss, etc., game developers would be better off to put efforts forth that increase the probability that an attack can be stopped or damage can be minimized. The investment into a successful ISMS is small in relative terms in comparison to the cost of a successful attack.
The recent attacks on the Sony Network are a prime example. Though actual total cost may never be realized, current estimates of the financial loss are over $120 million. Putting a quantifiable estimate to the loss of reputation is impossible, but with current trends in social networking and social engineering, damages in today‘s society in regards to reputation are far greater and spread much faster than in the past. The old adage that one unsatisfied customer will tell ten of their friends is no longer true. Now one unsatisfied customer, depending on their social influence could mean they tell hundreds to even thousands of “friends” within a matter of seconds.
