Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Why Gaming Companies Should Follow the MPA’s Lead

Published 10/18/2022

Why Gaming Companies Should Follow the MPA’s Lead

Originally published by Ericom here.

Written by Tova Osofsky, Ericom.

Grand Theft Auto 6 Leaks Hit Rockstar Hard

In the wake of what they characterized as a “network intrusion in which an unauthorized third party illegally accessed and downloaded… early development footage for the next Grand Theft Auto,” Rockstar Games wrote that they were “extremely disappointed” that details of their next game, Grand Theft Auto 6 (GTA 6), were shared. While few details are available about the attack, it seems that a hacker breached Rockstar Game’s Slack server and their Confluence wiki.

We’d guess that there’s more than just “disappointment” behind their announcement. When Grand Theft Auto V was introduced almost a decade ago, 11 million copies were sold on the first day of release, generating sales of $1 billion in just the first 3 days following release and instantly recouping the $250 million it cost to make it several times over. GTA V still stands out as the most successful game launch in history and serves as a case study of a successful game launch.

What’s So Bad About Gaming Leaks?

Here's an analysis of Rockstar’s GTA V marketing strategy from a blog post entitled “Criminally Successful Marketing”:

Rockstar released their first trailer for GTA V 2 years before launch. How many of us would struggle to get sign off for communications that far in advance of a product launch! They understand the power of anticipation and have spent time and money building sizzle slowly. They released a second trailer in November 2012, three more in 2013 accompanied by a TV spot and giant outdoor at trend spots in LA and New York.

They also held an online casting to find five fans to appear in the game. This created a lot of buzz among the die-hard fans and poured fuel on the social media fire already burning… the principle of pre-marketing is important: build desire amongst your earliest adopters to ensure that they a) buy early and b) spread the word.

Given the fact that film studios and gaming companies use pre-release glimpses of content to generate the consumer “buzz” that is so crucial for driving customer interest, why should content leaks, like the one recently experienced by Rockstar, be such a problem? Especially in the run-up to a product release, wouldn’t leaks simply function to enhance buzz, similarly to producer-initiated communications?

The Role of Buzz

To answer that question, let’s take a quick, slightly geeky side trip into what exactly “buzz” is, the role that it plays, and the mechanics of pre-release consumer buzz – PRCB for short. Here’s how it works:

Before a new film or game (or even a device associated with positive social capital, like iPhones) is released, only three types of information are typically available to people who might potentially purchase or engage with the product:

  1. Signals of quality that potential adopters can infer from producer and distributor actions.
  2. Speculation regarding quality that is shared by the media, critics, and other consumers.
  3. Signals of the social salience of the product provided by buzz and by the intensity of media coverage.

The first type of information is easiest for gaming and film studios to control. They painstakingly create trailers to convey the impressions, images and most importantly, feelings they want to project.

Media, critical and consumer speculation cannot be controlled by the studios, but it can certainly be influenced significantly. Star actors or artists are deployed to fan the flames of anticipation in carefully scripted appearances and interviews on both traditional and specialized gaming media, which are further promoted and excerpted on social media. All these elements are carefully crafted and coordinated to shape the story and – especially – to keep key elements dark and build suspense.

Signals of social salience, the final type of information that’s available to consumers pre-release, are hardest to control, since they depend on, in the words of our academics, “the anticipation that customers experience creating a state of enjoyable discomfort which in turn motivates consumers to pursue vicarious experiences that may provide temporary fulfillment.” In plain English, the activities described above must generate enough excitement, curiosity and anticipation among gamers to motivate them to continue the work that the studios started.

This last step – signaling social salience – is most important since it is most influential. The most active generators of pre-release buzz tend to be innovators that purchase new products immediately upon their release, and who are followed carefully by “imitators,” who base their purchase decisions on innovators’ recommendations.

Protecting the carefully orchestrated sequence of actions that builds anticipation among innovators, and encourages them to create their own buzz around a release, is essential for robust sales both upon release and into the future.

Three Ways to Kill the Buzz

With all this in mind, let’s get back to the question about leaks. There are three primary ways that illicit, uncontrolled leaks can harm gaming studios, reducing revenues and damaging their brands.

  1. Released content is disappointing. The GTA 6 network intrusion entailed a “massive leak of… early development version.” Game development entails successive refinement of images, action and effects. By definition, the quality of “early development versions” will be significantly inferior to the quality of the final game, as well as promotional clips that a studio creates to build buzz. Although rationally gamers may understand this, release of poor-quality material is likely to dampen buzz.
  2. Released content reveals too much information. For expert gamers, a good deal of anticipatory engagement is wrapped up in speculation and educated guesswork. Similar to rabid sports fans who come to feel (if not actually believe) that their actions may impact “their” team’s performance, gamers grow to feel that they are active participants in the creation of the games that they play. Release of any clips lessens the discomfort of being in the dark and reduces buzz centered on speculation about plotlines, since actual information is available.
  3. Release timing is poor. Buzz must be maintained by carefully timed information and engagement, as Rockstar demonstrated so well in the GTA V release. If the information is released too early, studio efforts closer to the release date will be perceived as old and unexciting news.

Regardless of how a leak kills pre-release buzz, there is no question that the Rockstar cyberattack will do significant – potentially irreparable – harm to the GTA franchise.

Following the MPA's Lead

In many ways, some obvious and other less so, gaming has built upon the know-how and success of the film industry and in many ways, been more successful. Beyond leveraging IP that film studios develop, the gaming industry has succeeded in creating gripping marketing campaigns and entertainment experiences that engage users for extended periods of time. Especially with new cloud-based business models, the gaming industry generates ongoing revenue streams that film studios can barely match with only their most profitable, licensable franchises.

Yet bafflingly, despite the vulnerabilities to which they’re exposed via online gaming platforms, the gaming industry has failed to adopt – or adapt – the film industry’s tough security stance. For almost half a century, the MPA has pursued initiatives to protect industry content against leaks, copyright infringement, illegal distribution and more recently, cybertheft.

Among the most rigorous requirements of the MPA Best Practices Common Guidelines is their requirement for internet separation. The relevant best practice requires that studios, “Prohibit production network and all systems that process or store digital content from directly accessing the internet, including email.”

In the past, this requirement dictated that creative staff work on workstations that were not internet-connected. In recent years, however, the MPA and its Trusted Partner Network, which is responsible for benchmarking security preparedness, have adopted remote browser isolation (RBI) to keep production content secure from internet-based threats – and threat actors.

RBI protects valuable content by air-gapping user devices from the internet, while liberating creative staff to browse and use email freely. Websites are opened in virtual, cloud-based browsers, and only safe rendering data is sent to users’ regular browsers, where they interact with it just as they would with the native content. No active code from the internet ever reaches user endpoints. Any malicious content, such as data-stealing malware or ransomware within websites that users visit remains in the isolated browser and is destroyed once the user stops interacting with the site, so endpoints are protected.

RBI also safeguards valuable content with policy-based control of which sites can be accessed and what content can (and especially, cannot) be shared on specific types of websites or via email. It also protects users against common phishing techniques by opening suspicious or uncategorized websites in read-only mode, preventing theft of unwitting users’ credentials which enable breaches of cloud-based application accounts and data theft.

Protecting the Buzz

As the recent GTA6 attack amply demonstrates, insufficient cybersecurity protection can cost gaming studios dearly. To maintain control of their critical marketing programs as well as protecting their valuable content, it is imperative for studios to implement modern, proactive protections like RBI.

Share this content on your favorite social network today!