Story image

Gamification: Cybersecurity's secret spice for effective employee training

23 May 17

Security is only as strong as its weakest link, and for many organisations human fallibility is that weakest link. Whether by accident or by malicious intent, employees are often targeted because they have access to sensitive information - at least according to Palo Alto Networks.

“Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Companies need to put themselves ahead of emerging threats," comments Sean Duca, Palo Alto Networks' VP and regional chief security officer for Asia Pacific.

He believes it's a matter of engaging employees through education - and that education must be much more than pure compliance-driven approaches.Those approaches are not interesting or personal enough, he says.

“Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace," he explains.

So how do organisations engage employees more with the education process? The company suggests gamification is a good way to get employees on board.

Gamification, in which security education programs can use gaming mechanics in a non-gaming context, combine the 'excitement of games' with other activities that traditionally might not be as entertaining. Palo Alto Networks says that competition and rewards are also helping to make gamification popular across a wide range of industries.

The company suggests there are two main ways to use gamification to address cybersecurity in their organisation:

1. Develop exciting and engaging training exercises for employees

Gamification can help businesses show their employees how to avoid cyber attacks and also to learn about software vulnerabilities.

“Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly," Duca says.

PwC is one organisation that uses gamification in its security programs. It launched 'Game of Threats', in which executives compete against each other in real-world cybersecurity scenarios. As attackers, they can choose the tactics, methods and skills of attack, while defenders can develop defence strategies, technology investment and talent investment to respond to the attack

According to PwC, the game shows training, company preparedness and what security teams face every day.

2. Include incentives and rewards

Working under pressure and deadlines can make employees more prone to overlooking their company's security policies. Sometimes those employees make mistakes. According to Palo Alto, organisations can lighten the load by including rewards.

“Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with material rewards such as a gift voucher," Duca explains.

One way to do this is by running fake phishing exercises, known as 'PhishMe' campaigns. Phishing emails can be regularly sent across the organisation, testing employees' responses and actions. According to Palo Alto, this can be an effective way to train employees on better email security.

“This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber secure working environment," Duca concludes.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
GCSB welcomes Inspector-General's report on intelligence warrants
Intelligence warrants can include surveillance, private communications interception, searches of physical places and things, and the seizure of communications, information and things.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."