Boost your security training with gamification -- really!
Don't scoff; rewarding good deeds actually works.
Computerworld - Getting employees to take security seriously when security is not their job is an old challenge that now has a new answer: Gamification.
That's right; game-like elements can be used to build security awareness and change users' behavior, and the effect shows up in measurable real-world results.
"Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email," reports Patrick Heim, chief trust officer at Salesforce.com, describing the results the company saw after the first 18 months of an ongoing security awareness gamification effort that's based on positive recognition rather than negative reinforcement.
Building awareness of physical security was also part of the effort at Salesforce, which has 13,000 employees. A campaign to test "tailgating" (when an unauthorized person sneaks through a secured door by following immediately behind an authorized person) drew 300 volunteers who were rewarded if they successfully slipped through a door and took something.
Generally, before security training, 30% to 60% of users will fall victim to a fake phishing email, says Lance Spitzner, training director at the SANS Institute, a security training vendor. After training and six months to a year of a gamification program, the rate can fall to 5%, he says.
"Gamification has nothing to do with computer games," says Ira Winkler, president of Secure Mentem, a computer security firm in Annapolis, Md. "Rather, it's the application of gaming principles to a business problem."
Winkler says there are four principles to gamification:
- Define a goal.
- Define rules for reaching that goal.
- Set up a feedback mechanism.
- Make participation voluntary.
You can see those principles in action in the game of golf, he notes: The goal is to get the ball into the cup with the fewest attempts, but rules that forbid players from simply dropping it into the cup make the task intriguing. Feedback is provided by the scoring system, and players are there voluntarily.
In the case of corporate security awareness, gamification usually means awarding points to employees who do the right thing, with various forms of recognition, including badges, prizes and a leaderboard listing participants' point totals, he explains.
Security-related behaviors rewarded by such programs include reporting phishing emails, preventing or reporting tailgating, reporting or preventing other attempted intrusions (especially via social engineering), reporting USB memory sticks found on the ground, keeping desktop software properly patched and updated, maintaining strong passwords, attending security seminars, not leaving laptops in parked cars, and (for developers) reporting bugs or vulnerabilities.
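As an added illustration (not code from the article, Salesforce, SANS or Secure Mentem), the following Python routine models the scoring side of such a program: it awards points only for the rewarded behaviors (reporting a phishing email, a tailgater or a found USB stick, patching, attending a seminar), never deducts points for clicking a simulated phish, keeps a leaderboard, and computes the click and report rates whose relative change is the kind of figure quoted above. The event log and the point values are constructed assumptions.

```python
"""Scoring and measurement for a gamified security-awareness program.

Added example with constructed data; point values are assumptions, not any
company's actual scheme.
"""
from collections import Counter, defaultdict

# Points per rewarded behavior (assumed values). Only good deeds score;
# clicking a simulated phish costs nothing, matching a program built on
# positive recognition rather than negative reinforcement.
POINTS = {
    "reported_phish": 10,
    "reported_tailgating": 10,
    "reported_usb_stick": 5,
    "patched_desktop": 2,
    "attended_seminar": 3,
}

# Constructed event log: (period, employee, action). "phish_sent" is a
# simulated phishing email; "clicked_phish" / "reported_phish" record how
# the employee responded to it.
EVENTS = [
    ("baseline", "alice", "phish_sent"), ("baseline", "alice", "clicked_phish"),
    ("baseline", "bob", "phish_sent"), ("baseline", "bob", "clicked_phish"),
    ("baseline", "carol", "phish_sent"), ("baseline", "carol", "reported_phish"),
    ("baseline", "dave", "phish_sent"),
    ("month18", "alice", "phish_sent"), ("month18", "alice", "reported_phish"),
    ("month18", "bob", "phish_sent"), ("month18", "bob", "clicked_phish"),
    ("month18", "carol", "phish_sent"), ("month18", "carol", "reported_phish"),
    ("month18", "carol", "reported_usb_stick"),
    ("month18", "dave", "phish_sent"), ("month18", "dave", "reported_phish"),
    ("month18", "dave", "attended_seminar"),
]


def phishing_metrics(events, period):
    """Return (click_rate, report_rate) for simulated phish in one period."""
    counts = Counter(action for p, _, action in events if p == period)
    sent = counts["phish_sent"]
    if sent == 0:
        raise ValueError(f"no simulated phish sent in period {period!r}")
    return counts["clicked_phish"] / sent, counts["reported_phish"] / sent


def relative_change(before, after):
    """Fractional change between two rates; -0.5 reads as '50% less likely'."""
    return (after - before) / before


def leaderboard(events, period):
    """Points per participant for rewarded actions in a period, best first.

    Everyone who appears in the period is listed, so a participant whose only
    event was a click still shows up with zero points rather than a penalty.
    """
    points = defaultdict(int)
    for p, who, action in events:
        if p == period:
            points[who] += POINTS.get(action, 0)
    return sorted(points.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    click_before, report_before = phishing_metrics(EVENTS, "baseline")
    click_after, report_after = phishing_metrics(EVENTS, "month18")
    print("click rate:  %.0f%% -> %.0f%% (%+.0f%%)" % (
        100 * click_before, 100 * click_after,
        100 * relative_change(click_before, click_after)))
    print("report rate: %.0f%% -> %.0f%% (%+.0f%%)" % (
        100 * report_before, 100 * report_after,
        100 * relative_change(report_before, report_after)))
    for who, pts in leaderboard(EVENTS, "month18"):
        print(f"{who:8s} {pts:3d}")
```

The two rates are the ones worth tracking: a program that only reports the click rate can look good while employees simply delete suspicious mail, and it is the report rate that tells the security team whether the phish actually reached them.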
But gamification is not a term that has been embraced widely in the business world. "As soon as you use the word 'game' in a corporate environment, there tends to be a lot of pushback, as work is supposed to be serious and games are not," says Jordan Schroeder, IT security administrator for Family Insurance Solutions in Vancouver, B.C. "So I have been using the term 'active feedback' instead. That flew a lot better."