Gamification: Cybersecurity's secret spice for effective employee training
FYI, this story is more than a year old
Security is only as strong as its weakest link, and for many organisations human fallibility is that weakest link. Whether by accident or by malicious intent, employees are often targeted because they have access to sensitive information - at least according to Palo Alto Networks.
“Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Companies need to put themselves ahead of emerging threats," comments Sean Duca, Palo Alto Networks' VP and regional chief security officer for Asia Pacific.
He believes it's a matter of engaging employees through education - and that education must be much more than pure compliance-driven approaches.Those approaches are not interesting or personal enough, he says.
“Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace," he explains.
So how do organisations engage employees more with the education process? The company suggests gamification is a good way to get employees on board.
Gamification, in which security education programs can use gaming mechanics in a non-gaming context, combine the 'excitement of games' with other activities that traditionally might not be as entertaining. Palo Alto Networks says that competition and rewards are also helping to make gamification popular across a wide range of industries.
The company suggests there are two main ways to use gamification to address cybersecurity in their organisation: 1. Develop exciting and engaging training exercises for employees Gamification can help businesses show their employees how to avoid cyber attacks and also to learn about software vulnerabilities.
“Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly," Duca says.
PwC is one organisation that uses gamification in its security programs. It launched 'Game of Threats', in which executives compete against each other in real-world cybersecurity scenarios. As attackers, they can choose the tactics, methods and skills of attack, while defenders can develop defence strategies, technology investment and talent investment to respond to the attack
According to PwC, the game shows training, company preparedness and what security teams face every day.
2. Include incentives and rewards
Working under pressure and deadlines can make employees more prone to overlooking their company's security policies. Sometimes those employees make mistakes. According to Palo Alto, organisations can lighten the load by including rewards.
“Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with material rewards such as a gift voucher," Duca explains.
One way to do this is by running fake phishing exercises, known as 'PhishMe' campaigns. Phishing emails can be regularly sent across the organisation, testing employees' responses and actions. According to Palo Alto, this can be an effective way to train employees on better email security.
“This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber secure working environment," Duca concludes.