Gamification and Enhancing Cybersecurity: What motivates professionals to shift their strategic thin
Updated: Jul 24
What does it take for corporate security directives to become personal ethos? News flash: if we collectively knew the answer, you probably wouldn't be reading this blog (or generally seeking any sort of guidance). In attempting to scale the mountain of translating complex ideas and never-ending security mandates, many completely miss the mark.
Countless organizations have fallen into the trap of over-emphasizing the minutiae, focusing on excessive technical details, and, most damning, broadly failing to understand what motivates their workforce, leaving corporate unable to shift mandates into a change in thinking.
Transitioning from dated and ineffective methodologies to an approach that tangibly makes a difference in your security posture is no small task. Increasingly, many sectors are turning to gamification to supercharge the process and motivate their workforces to prioritize cyber.
Define the terms
According to TechTarget, gamification commonly refers to “the application of game theory concepts and techniques to non-game activities. Game theory is a branch of mathematics that seeks to understand why an individual makes a particular decision and how the decisions made by one individual affect others. The overreaching goal of gamification is to engage the participant with an activity he finds fun in order to influence his behavior.
[More broadly speaking], a gamification initiative might address the cognitive and emotional aspects of game theory as well as the social ones by including a system of rules for participants to explore through active experimentation and discovery.”
Within cyber, data indicates that “using a combination of rewards such as points and badges, and allowing students to show their social standing via the use of a leader-board, the implementation of gamification in this scenario improved knowledge acquisition.”
So, in practice, what does this mean? How do we bring this strategy from theoretical to practical?
Gamification in the context of cyber
Turning cyber training and awareness into a meaningful conversation isn't like flipping a switch. To make the process less tedious and, in the end, really resonate with employees, security professionals need to start thinking about hearts and minds rather than fear tactics and imposed directives.
Some of the most productive methods to implement gamification into a program of cyber skills-building may include any of the following:
- Every security directive sent out to employees includes a monetized game testing the skills learned.
- Hold weekly team- and department-based games that focus on a singular security goal.
  - Ex. Finance on Fridays focuses on phishing and fraud.
  - Ex. Marketing is spending June diving into social engineering. Will you fall for their tricks?
- Publicly recognize individuals who have shown excellence in various cyber risk and skills games over a quarter.
  - Include a sought-after reward like cash, vacation time, or a department bonus.
- Actively get employee feedback on ways they would like to compete in a zero-pressure environment. The process only works if the entire team is comfortable with the activities involved.
For any security strategy to be implemented effectively, it must gain employee buy-in. Gamification provides an avenue to meet employees on their terms, and reward them for enhancing a critical skill set while readjusting company thinking to impart sweeping directives and broad policy demands.
George Gerchow pinpoints why more and more organizations are turning to gamification to gain some sort of traction in altering their employees' approach to cyber risk. “Policies, procedures, and compliance are so dry. People sign policies without knowing what they’re getting into. I thought there’s gotta be something we can do to make this interesting.” Through the use of a gamification strategy, “Over the course of this last year, we had a 10% reduction in end-user risk.”
By shifting from the stick to the carrot, businesses are decreasing their attack surface and creating more cyber-savvy employees.
What do the Stats Say?
Gamification has increasingly become a buzzword in the high-tech and corporate worlds. With so much hype and even more confusion on what it actually achieves, putting the results of gamification into context gives significantly more clarity to the picture.
According to Zippia.com:
- The North American gamification industry, led primarily by the U.S., is valued at $2.72 billion.
- Companies that use gamification are seven times more profitable than those that do not use gamified elements at work, whether with employees or consumers.
- On average, employees experience a 60% engagement increase with a gamified work experience.
Key steps moving forward
There isn't, nor will there ever be, an all-in-one solution that can realistically manage every element of your cybersecurity outlook. While it might be nice to throw a product or, even better, a massive budget at structural cybersecurity issues, in practice this approach does not dramatically alter your organization's security posture.
How do organizations better approach IT and cyber risk management? Part of the equation must include gamification and the underlying ethos behind it, i.e., communicating important ideas in the way most likely to be received by the critical audience.
In order to motivate staff, every approach, especially new and innovative ones, must be tried and tested. Rome wasn't built in a day, and neither was an effective way to communicate evolving cyber risk. Given the massive task at hand, it is mission-critical to implement gamification as a cornerstone educational policy aimed at improving both security and employee participation at every step along the way.