As I have mentioned time and time again, it is very often the employee (in fact, all of us humans in general) that is the weakest link in the Security Chain. For instance, this may be the employee falling victim to a Social Engineering attack (which can then be leveraged into a Business Email Compromise) or a Phishing scam. Whatever the Cyber attack is, using the employee as bait can be a point of entry for any would-be hacker.
So, we keep talking about how employees need to be trained, etc. But one thing I have failed to mention is what this training program should look like. Of course, this will depend upon each and every business and corporation, but there are two common denominators here:
*The training needs to be consistent throughout the year;
*The employee needs to be consistently engaged so that they will not only absorb the information, but retain it as well.
This is where the concept of Gamification comes in, and how it should be implemented into a Security Training program. Gamification can be specifically defined as follows:
“Gamification is the process of taking something that already exists – a website, an enterprise application, an online community – and integrating game mechanics into it to motivate participation, engagement, and loyalty.”
So, to make a long story short, it is important for the team that is creating and deploying this Security Training program to use the concepts of gaming in order to keep the actual training interesting for the employee. Here are six steps for how it can be done:
- Recognize and foster good “Cyber Hygiene”:
By this, I mean recognize those employees that have abided by your Security Policies and have not fallen victim to any sort of scam. This reward does not have to be expensive; rather, you could take him or her out to lunch, or just give them a simple gift card. By using this kind of approach, the employee will remain positive and even encourage other employees to follow the same practices. It is also important to keep this reward system on a consistent schedule, such as once a quarter.
- Include talks about Data Protection:
The use of Gamification will motivate open dialogue amongst your employees when it comes time to discuss how to properly handle confidential information and data. This is even more important now that the General Data Protection Regulation (GDPR) has been implemented.
- Increase the frequency of your Security Training program:
Remember, a Security Training program does not have to be a formalized classroom venue. It can take place on the employee’s computer, as Gamification will allow your employees to work on their Security skills without interfering with normal business operations or hours.
- Consistently engage your employees:
As mentioned, keeping your employees interested is very important. This is where Gamification can come into play yet again, by creating a sense of competition: “Through friendly leader board competitions, end users are instantly engaged in the game—or training—at hand . . . this increases internal communication and creates new relationships, improving employee engagement across the board.” (SOURCE: https://www.techrepublic.com/article/6-reasons-gamification-improves-cybersecurity-training/).
- Recruit Cyber security talent:
As we all know, the job market for Cyber security professionals should continue to remain strong in the long term. There are plenty of young kids out there that attend Penetration Testing camps. So, why not hire one of them? Or perhaps hold a national Cyber Security challenge competition and hire the winners from that into your organization? Check this link out for further details on this kind of competition:
- Have metrics, and keep tabs on them:
Sure, introducing the concepts of Gamification can be fun, but it does have a serious purpose as well. In this regard, it is important to create some Key Performance Indicators (KPIs), implement them, and use them to gauge how well your Gamification techniques are working, and that they are achieving the desired result.
One point of concern here is how you are going to get the buy-in from upper management to fund a Gamification-based Security Training program. Well, just remind them of this fact: According to a July 2018 Cybersecurity Insiders Report, more than 90% of Cyber attacks have been caused either by malicious employees or by those that have mistakenly done something that they should not have done in the first place.
This Report can be downloaded at this link:
In the end, whatever kind or type of Security Training program you implement (even if it does not include Gamification), remember to avoid one thing at all costs: “Fire-Hose Training”. This is where employees are inundated with what to do, and then sent back to their desks.