A large number of working adults still do not know what phishing and ransomware are, let alone how to detect a social engineering attack, according to Wombat Security’s 2017 User Risk Report. And many organizations are not explicitly aware of the burden in costs and lost productivity that these types of attacks can put on them.
Many CIOs and security training professionals have instituted security awareness training programs, but the trick is to engage users. Motivation can help drive participation and results, and gamification that sparks competition is a good motivator.
Here is a suggested gamification plan (and a nod to Jerry Maguire) that can help you promote knowledge retention and change user behaviors.
Get buy-in from stakeholders
I don’t just mean C-level decision makers, although that is important. Seek advocates across your organization, and encourage them to champion the project with you. (That VP who loves to take the floor at company meetings is a great start.) Emphasize the money that can be saved by avoiding attacks and the hit to corporate reputation that a breach can cause.
The Ponemon Institute puts the average cost to businesses to recover from a successful phishing attack at $300,000, much of it due to lost productivity.
Let the games begin
Cybersecurity education tools that use gaming techniques such as points, lives, and scoring thresholds can teach users how to make good decisions about best practices around emails, URLs, and other day-to-day activities. These can include phishing tests and training modules that let you identify top-performing departments and individuals.
Best of all, you can use gamification techniques that promote interactivity and encourage competition that will increase retention. Creating a continuous interactive security training model leads to higher user engagement, which paves the way for better knowledge retention.
Measurements of success
Here are a few success indicators you can use:
- Number of users who don't click on simulated phishing emails
- Number of users who report simulated and actual phishing emails
- Number of users who turn in a planted USB device
- Number of users who complete a training assignment within a specified timeframe
Determine your scoring formula
Decide whether you’ll have individual winners or group winners (by department, office location, etc.). Here are some ideas:
- Users who don't click on phishing tests earn a point. Those who click lose a point.
- Users who do not click at all during a series of mock attacks are automatically in a winners’ pool.
- Those who successfully identify and report a phishing test or suspicious email earn two points.
- Users who complete a training assignment within the first week earn three points. Those who complete within 30 days earn one point. Those who take longer than 30 days earn zero points.
Select the awards
This is where Jerry Maguire comes in. Though prizes don’t have to be monetary in nature, the phrase “Show me the money” does come to mind. Some other options:
- Top scorers (or non-clickers) automatically win or are put in a drawing to win gift cards.
- The best-performing group wins a pizza party or catered lunch.
- Top performers are recognized at a company meeting, in a monthly organizational newsletter, or some other public forum.
Communicate about upcoming activities
When you announce your gamified security awareness initiatives, do your best to “have them at hello.” Set expectations, clearly indicate the benefits to them, and attempt to generate interest right out of the gate. If you plan to simulate phishing attacks, be a bit vague about when that will start, and then wait at least a week before sending your first phishing test.
The name of the game is engagement
Gamification is nothing new. Just think back to some of the creative ways your parents and teachers tried to get you to do things. Games can be just as engaging for your users.
Once-a-year classroom training and follow-up videos are not effective in the battle against sophisticated cyberattacks, and simple slideshows or presentations aren’t terribly effective tools for knowledge retention.
Organizations that turn to gamification as a security awareness tool will see an increased user interest in security, and users may even start talking about security best practices. The result will be been fewer clicks, fewer malware infections, and less employee downtime, all of which saves money.
Friendly competition can ignite interest among your users and lead to a more successful program. After all, who doesn’t appreciate the opportunity to earn some bragging rights around the office?