Story image

Gamification: Cybersecurity's secret spice for effective employee training

23 May 17

Security is only as strong as its weakest link, and for many organisations human fallibility is that weakest link. Whether by accident or by malicious intent, employees are often targeted because they have access to sensitive information - at least according to Palo Alto Networks.

“Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Companies need to put themselves ahead of emerging threats," comments Sean Duca, Palo Alto Networks' VP and regional chief security officer for Asia Pacific.

He believes it's a matter of engaging employees through education - and that education must be much more than pure compliance-driven approaches.Those approaches are not interesting or personal enough, he says.

“Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace," he explains.

So how do organisations engage employees more with the education process? The company suggests gamification is a good way to get employees on board.

Gamification, in which security education programs can use gaming mechanics in a non-gaming context, combine the 'excitement of games' with other activities that traditionally might not be as entertaining. Palo Alto Networks says that competition and rewards are also helping to make gamification popular across a wide range of industries.

The company suggests there are two main ways to use gamification to address cybersecurity in their organisation:

1. Develop exciting and engaging training exercises for employees

Gamification can help businesses show their employees how to avoid cyber attacks and also to learn about software vulnerabilities.

“Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly," Duca says.

PwC is one organisation that uses gamification in its security programs. It launched 'Game of Threats', in which executives compete against each other in real-world cybersecurity scenarios. As attackers, they can choose the tactics, methods and skills of attack, while defenders can develop defence strategies, technology investment and talent investment to respond to the attack

According to PwC, the game shows training, company preparedness and what security teams face every day.

2. Include incentives and rewards

Working under pressure and deadlines can make employees more prone to overlooking their company's security policies. Sometimes those employees make mistakes. According to Palo Alto, organisations can lighten the load by including rewards.

“Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with material rewards such as a gift voucher," Duca explains.

One way to do this is by running fake phishing exercises, known as 'PhishMe' campaigns. Phishing emails can be regularly sent across the organisation, testing employees' responses and actions. According to Palo Alto, this can be an effective way to train employees on better email security.

“This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber secure working environment," Duca concludes.

IP theft: A global issue catching NZ businesses off guard
“We have this incredible record of innovation in New Zealand. But our innovative businesses haven’t always been meticulous in shoring up their IP."
Why A/NZ organisations need to improve compliance protocols
Only a mere 4% of IT decision makers and data managers surveyed said their organisation faced no data management challenges. 
What the people say - Gartner’s November Customers’ Choices
A roundup of the latest Gartner Peer Insight Customers’ Choices from Backup and Recovery to Business Intelligence and Analytics, and more.
BlackBerry buys out cybersecurity AI firm Cylance
“We are eager to leverage BlackBerry’s mobility and security strengths to adapt our advanced AI technology to deliver a single platform.”
Data protection is key to building customer trust
"New data compliance rules offer an opportunity for businesses to re-evaluate their processes and improve data management and customer loyalty."
NZ Internet Task Force joins iSANZ Hall of Fame
NZITF chair Barry Brailey and former chairs Mike Seddon and Paul McKitrick received the award in Auckland last week.
Quantum computing: The double-edged sword for cybersecurity
Quantum computing is quickly moving from science fiction to reality.
Three ways to achieve data security whilst enabling BYOD
"A mobility strategy is now more important than ever before, that said, selecting the right one is often no small task."