sb-nz logo
Story image

Gamification: Cybersecurity's secret spice for effective employee training

23 May 2017

Security is only as strong as its weakest link, and for many organisations human fallibility is that weakest link. Whether by accident or by malicious intent, employees are often targeted because they have access to sensitive information - at least according to Palo Alto Networks.

“Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Companies need to put themselves ahead of emerging threats," comments Sean Duca, Palo Alto Networks' VP and regional chief security officer for Asia Pacific.

He believes it's a matter of engaging employees through education - and that education must be much more than pure compliance-driven approaches.Those approaches are not interesting or personal enough, he says.

“Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace," he explains.

So how do organisations engage employees more with the education process? The company suggests gamification is a good way to get employees on board.

Gamification, in which security education programs can use gaming mechanics in a non-gaming context, combine the 'excitement of games' with other activities that traditionally might not be as entertaining. Palo Alto Networks says that competition and rewards are also helping to make gamification popular across a wide range of industries.

The company suggests there are two main ways to use gamification to address cybersecurity in their organisation: 1. Develop exciting and engaging training exercises for employees Gamification can help businesses show their employees how to avoid cyber attacks and also to learn about software vulnerabilities.

“Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly," Duca says.

PwC is one organisation that uses gamification in its security programs. It launched 'Game of Threats', in which executives compete against each other in real-world cybersecurity scenarios. As attackers, they can choose the tactics, methods and skills of attack, while defenders can develop defence strategies, technology investment and talent investment to respond to the attack

According to PwC, the game shows training, company preparedness and what security teams face every day.

2. Include incentives and rewards

Working under pressure and deadlines can make employees more prone to overlooking their company's security policies. Sometimes those employees make mistakes. According to Palo Alto, organisations can lighten the load by including rewards.

“Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with material rewards such as a gift voucher," Duca explains.

One way to do this is by running fake phishing exercises, known as 'PhishMe' campaigns. Phishing emails can be regularly sent across the organisation, testing employees' responses and actions. According to Palo Alto, this can be an effective way to train employees on better email security.

“This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber secure working environment," Duca concludes.

Story image
Red Hat to acquire Kubernetes-native security provider StackRox
Red Hat will further expand its security offering, adding StackRox's complementary capabilities to strengthen integrated security across its open hybrid cloud portfolio.More
Story image
Cybersecurity strategies must involve every part of the organisation - study
In the past year, a third of the breaches incorporated social engineering techniques and the cost of a breach caused by a human error averaged to $3.33 million. More
Story image
Fortinet promises free cybersecurity training until skills gap trend reverses
"We are committed to continue offering the entire catalogue of self-paced Network Security Expert training at no cost until we see the skills gap trend reverse."More
Story image
BackupAssist partners with Wasabi for greater cyber-resilience
This partnership provides customers with an up to 80% less expensive solution that is faster than the competition for achieving enterprise-grade cyber-resilience, the company states. More
Story image
Kaspersky steps in to protect automotive industry from cyber threats
The company’s TI report, previously available for a selected range of customers, is able to provide car manufacturers with in-depth analysis of industry-specific security threats.More
Story image
Check Point exposes Android malware vendor using dark net to rebrand products
Check Point security researchers have exposed an Android malware vendor using a marketer on the dark net to rebrand its products, with the intention of supercharging business and throwing off security vendors. More