Game On for Cybersecurity Competence

We have to live with cybersecurity threats and attacks. This is not a static situation and continues to evolve. You can buy and subscribe to tools and services that help protect your networks and applications. We also need to improve the security performance of our users. Some surveys indicate that more than half of the security issues can be traced back to the users, who with negligent behavior, open networks and applications to security attacks.

Security training can be dull -- in many cases mostly forgotten. What if we applied gamification to the training of users in cyber security? This may be the way to improve the competence quality of users dealing with security (see "Security Protection, Better than Security Correction").

Users: The Achilles' Heel

You need to look inside as well as outside the organization for the source of the attacks. An April press release from Dtex Systems reported that 95% of organizations have employees seeking to bypass security controls. Employees and contractors can account for over 50% of cybersecurity attacks. In most cases, it is negligence, an accident, or malicious behavior by employees and contractors. Training your employees and contractors is the primary method for reducing these attack sources (see, "How Security-Conscious Are Your Users?").

Employee and contractor poor security behaviors are a result of how aware and well trained they are regarding security risks. How many employees and contractors sign an organization's security policy and don't read it? Good cybersecurity behaviors depend on recognizing risks, knowing how they occur, and the implications of misuse and abuse (see, "IT Security: Training and Beyond").

A Gamification Proposal

I read a recent blog from Forbes contributor Stephen Baer, called "Why You Should Gamify Your Cybersecurity Training" , which suggested a different approach to cybersecurity training that could increase the interest, competence, and effectiveness. The blog contained a quote from Scott Larsen, manager of cybersecurity operations for Beaumont Health Systems, that really sum up what most users feel about cybersecurity training: "Our previous security training [before gamification] was death by PowerPoint. It was very non-interactive, very sterile and uninteresting. It did not capture the interest of the end user. The responses we got was 'this is not useful to me, it's a waste of time, I don't understand why it's necessary,' comments like that. The employee engagement was very challenging."

Defining Gamification

Gamification is the application of game principles and design elements of game design to non-game interactions such as cybersecurity training. Gamification for cybersecurity competence improvement can deliver value by maximizing employee engagement levels, improving accountability, and ensuring that user operations align with the cybersecurity strategy.

Research studies on gamification have found it has positive effects on individuals. Gamification can improve a user's ability to comprehend digital content and understand the study of cybersecurity. Delivering rewards for accomplishing tasks can generate competition visible to other players.

I covered gamification in the contact center in my previous blog, "Gamification Plays Well in the Contact Center." The same values of gamification for agents can be produced by users when cybersecurity competence is required.

Tips for Cybersecurity Training

You need to rethink how and what you deliver in training. The training should be attractive. It should be interesting to use. It should not be training that bores the learner. The worst kind of training is training that "I need to take to check it off my to do list." Don't make the training a burden and something that the users want to avoid.

Here are three tips that can help you improve your cybersecurity training program.

  1. Avoid Indigestion -- Most people think of digestible food, but we can also apply that word to digestible training content. Instead of creating hour-long or more training sessions with many PowerPoint presentations and/or videos, divide the training into multiple short lessons delivered once a week over a longer period of time. Keep the lessons to about 10 or 15 minutes each. Measure the user's response to the lessons and their development of competence.
  2. Make the Training Interactive -- Make the user participate in the training rather than being passive. Add ways to reward the user such as points and badges and displaying their capabilities on leader boards. Higher engagement means employees will learn and interact with the content, thereby improving their training retention. I find the more I interact with training, the more likely it is I am going to remember the content and be able to apply it in the future.
  3. Reward Top Performers -- Make the rewards memorable. They should be low-cost so that you can give out many of them. A reward might be a plaque, it might be a luncheon, or it might be a mention in an email.

We can never completely eliminate cyber security problems. With the right training, users can adapt and understand the processes necessary to reduce the vulnerabilities. The goal is to reduce risk and change the user's behavior. Interactive training, when properly designed, can do this for you.

Learn more about Security/Compliance at Enterprise Connect 2018, March 12 to 15, in Orlando, Fla. Register now using the code NOJITTER to save an additional $200 off the Advance Rate or get a free Expo Plus pass.