IT Security

Phishing and sport

by Mark Rowe

There has been a barrage of breaches recently, with many billions of customer records, and even money, liberated by criminals. After the dust has settled and the investigations are complete, what they have in common is that each breach can be traced back to an unwitting employee clicking a web link, opening an attachment or surrendering credentials, and so throwing the gateway wide open, writes the IT security product firm PhishMe.

Another common factor in the majority of these breaches is that technology already existed to keep spam, malware and other malicious material out. So what went wrong? The message was aimed at a human, and no person is infallible. So what can be done to turn this weakest link into the strongest connection? Anyone who has travelled through a major transport hub will have heard the announcement: “If you see something, say something.” Security personnel patrol the concourse and man the checkpoints, but they can’t be everywhere at once, so they rely on travellers to be their eyes and ears in the places they cannot reach. In this way the travelling public become the ‘sensor’, watching for, detecting and alerting on suspicious behaviour such as unattended bags.

What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a potential data breach by reporting suspicious emails, instead of falling for them. Will this vigilance work in an office environment?

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Think back to all of the corporate training you’ve sat through during your career. How much knowledge from those courses did you retain? Although you technically completed the training, have you applied any of the information you were given in real life? For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory – until next year – buried in a pile of other dull corporate training they’ve been forced to endure over the years. As a result, traditional approaches to awareness training have failed to achieve their objective – change a user’s security behaviour.

Getting a person to do something that doesn’t come naturally, such as security awareness training, means making it engaging and ultimately fun. Many people view change of any sort as something to be feared. Adding a training element suggests that the task is not only different but also difficult – why else would they need to be trained? It is this irrational objection that causes most organisations the greatest difficulty.

When we think of games, particularly video or ‘arcade’ games as they’re more commonly called, the general belief is that they’re fun; the reality is that they’re also addictive. It is this behaviour that forms the basis of gamification, described as a tool to design behaviours, develop skills and enable innovation. So, could it teach users to be more security savvy?

Gamification can make security awareness training quick, interactive, minimally disruptive to the user, and above all interesting. When used correctly it is arguably one of the best methods to grab and keep a person’s attention to make security awareness memorable. With that in mind, here are five steps to make your security gamification training engaging and maybe even (dare we say it?) fun:

Never name and shame: While it might be tempting to make an example of users who fell for a simulated phish, the negative backlash this generates will quickly undermine your program. Keep things positive by measuring results and recognising the people and departments who have done well, and educate and support those who need additional help through repetition.

Level 1: For the average user, security concepts are difficult to grasp, so start simple! You wouldn’t send a new driver out onto a busy motorway on their first day and expect them not to be traumatised (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts. Start with a basic scenario, such as an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since the goal is to improve behaviour, start simple and work up to more complicated scenarios.

Variety is the spice of life: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening. Don’t make the same mistake with security awareness. Vary both the content and the delivery method of your security awareness training to continually engage recipients. Offer training content in video form and HTML templates, and add an interactive element so that it appeals to different learning styles and personality types.

Get down to details: Clichés not only cause confusion, they can also make your users tune out. Avoid vague messages like “keep company resources safe”; instead, give users specific, actionable information that will help them change behaviour.

Make it practical: Think back to your school days – which were more enjoyable? The teachers who got you doing practical exercises, or the mundane reading and reciting of information? Another reality is that, if you don’t see why you need to remember the information, you’ll forget what you worked so hard to remember as soon as the final exam is over. Security is a constant and changing threat; therefore, security awareness needs to be continuously reinforced. By training users at different times throughout the year, in an engaging manner, safe security behaviour becomes a habit rather than something forgotten as soon as training is over.

Security training shouldn’t be seen as a chore, and by turning phishing into sport it might just be the impetus needed to give your users the sharpened eye needed to spike an attack. The more fun and creative you can be, the more engaged your workforce will become and, who knows, improved security posture just might be the winning score.


© 2024 Professional Security Magazine. All rights reserved.
