A large number of working adults still do not know what phishing and ransomware are, let alone how to recognize a social engineering attack, according to Wombat Security’s 2017 User Risk Report. And many organizations are not fully aware of the burden in costs and lost productivity that these types of attacks can put on them.
Many CIOs and security training professionals have instituted security awareness training programs, but the trick is to engage users. Motivation can help drive participation and results, and gamification that sparks competition is a good motivator.
Here is a suggested gamification plan (and a nod to Jerry Maguire) that can help you promote knowledge retention and change user behaviors.
Get buy-in, and not just from C-level decision makers, although that is important. Seek advocates across your organization, and encourage them to champion the project with you. (That VP who loves to take the floor at company meetings is a great start.) Emphasize the money that can be saved by avoiding attacks and the hit to corporate reputation that a breach can cause.
The Ponemon Institute puts the average cost to businesses to recover from a successful phishing attack at $300,000, much of it due to lost productivity.
Cybersecurity education tools that use game mechanics such as points, lives, and scoring thresholds can teach users how to make good decisions about emails, URLs, and other day-to-day activities. These can include phishing tests and training modules that let you identify top-performing departments and individuals.
Best of all, the interactivity and competition these techniques promote improve retention. A continuous, interactive training model keeps users engaged throughout the year, rather than for one afternoon, and that sustained engagement is what paves the way for better knowledge retention.
Here are a few success indicators you can use:
Decide whether you’ll have individual winners or group winners (by department, office location, etc.). Here are some ideas:
This is where Jerry Maguire comes in. Though prizes don’t have to be monetary in nature, the phrase “Show me the money” does come to mind. Some other options:
When you announce your gamified security awareness initiatives, do your best to “have them at hello.” Set expectations, clearly indicate the benefits to users, and attempt to generate interest right out of the gate. If you plan to simulate phishing attacks, tell users that simulations will happen (so the program is not seen as a trap) but be a bit vague about when they will start, and then wait at least a week before sending your first phishing test.
Gamification is nothing new. Just think back to some of the creative ways your parents and teachers tried to get you to do things. Games can be just as engaging for your users.
Once-a-year classroom training and follow-up videos are not effective in the battle against sophisticated cyberattacks, and simple slideshows or presentations are poor tools for knowledge retention.
Organizations that turn to gamification as a security awareness tool can expect increased user interest in security, and users may even start talking about security best practices among themselves. The result should be fewer clicks on malicious links, fewer malware infections, and less employee downtime, all of which saves money.
Friendly competition can ignite interest among your users and lead to a more successful program. After all, who doesn’t appreciate the opportunity to earn some bragging rights around the office?