Make a game of it: Training employees in security best practices doesn’t have to be drudgery

However, changing user security behaviour is often left to annual compliance training or focused exclusively on phishing tests, and will result in little measurable improvement to security. Often, training is an “add on” to the security program — something for staff to do in their spare time. In fact, according to a Securing the Human report, more than 50 per cent of awareness personnel have a budget of $5,000 or less.

We see training programs and awareness campaigns in other areas — workplace safety at oil and gas companies or clean hands programs in hospitals — succeed in changing how users behave on a day-to-day basis. These training and awareness programs have the same challenges of limited investment and personnel that security programs do.

How do cyber security training and awareness personnel learn from the success of other industries and training areas to improve the “human firewall”? Drawing on innovative concepts used outside the cyber security training and awareness space, organizations can think differently about how they change user security behaviours. What follows are successful training and awareness programs that made measureable improvements in user behaviour. These examples are intended to inspire and kick-start your cyber security training and awareness program and help you realize a shift in behaviour — that ultimately helps protects your critical data and assets.

Gamification
Think Pokemon Go. Gamification incorporates game mechanisms — such as leaderboards, levels, and points — into non-game activities to engage and motivate users. Gamification enables organizations to take existing training material that staff may not be using and encourages staff to use it through an online community.

Ford Motor Company of Canada is an example of successful gamification of existing training content. Ford wanted to improve safety, customer service, and sales. Ford already had training material in these areas. Staff just were not using it. With gamification provider Bunchball, Ford created an online community with levels, badges, trophies, and friendly competition between staff. The result: the first day the site launched, it had more than 100,000 unique visits.

Deloitte also gamified its existing Executive Leadership Program — a program with dozens of courses and training content, which went largely under-utilized. In doing so, Deloitte generated 50 per cent faster course content completion.

“At Deloitte, we are seeing an uptake in innovative gamified cyber security training solutions. Organizations are creating online communities that enable employees to enter into friendly social competition and get rewarded to be security champions,” says Marc MacKinnon, Cyber Risk Services Partner at Deloitte Canada.

Rewards and incentives
Most security awareness programs produce little improvement due to the focus on dispensing information, rather than influencing on-the-job behaviour of employees. Understanding and using the principles of behavioural psychology helps define training approaches that can effectively change high risk user behaviours.

Embedding rewards and incentives (e.g. points programs, gift cards, extra budget for team activities) into security training and education is a way to use the principles of Reciprocity/Consequence (i.e. people feel obliged to repay, in kind, what has been given to them) or Scarcity (i.e. people overvalue things that are rare, lack availability, or are difficult to acquire) to encourage better security behaviour.

In the security space when we use incentives, they are often based on the “consequence” side of the Reciprocity/Consequence Principle. For example, giving users “tickets” for leaving their computers unlocked and unattended or leaving confidential documents out — in contravention of a Clean Desk Policy.

The Swedish Speed Lottery is an example of applying the “reciprocity” side of the principle to change user behaviour and, in this case, reduce speeding. In addition to punishing the high risk behaviour — speeding — Sweden rewarded the desired user behaviour — going the speed limit — by using a traffic camera to capture licence plates of those going the speed limit. Those people were entered into a lottery and one lucky person was selected each month to receive a per centage of the fine collected for the month.

How can you apply this principle to your security training and awareness program? Reward departments and teams who follow a clean desk protocol with an extra social event each year.

Make it relatable
Cyber security training and education programs often focus on policy and procedures that employees need to understand and apply to their day-to-day work. What if organizations scrapped their traditional cyber security training and helped employees apply good security practices to their personal use of technology, such as sharing pictures with friends over Instagram, contributing to a LinkedIn discussion, or buying merchandise online?

Deloitte has found that making cyber security training relatable improves uptake, understanding, and application of secure practices. Employees retain knowledge that relates to not only their work, but also their personal circumstances.

The UNICEF Dirty Water Campaign is an example of making a topic relatable and yielding significant results. UNICEF wanted to raise awareness and funding for the thousands of children dying each day from lack of clean water. UNICEF bottled dirty water in eight lethal varieties, converted a vending machine to dispense the water, and launched it in Manhattan. Individuals could then “buy” the dirty water through the vending machine and, in doing so, donate to UNICEF’s campaign.

By delivering the message in a form to which the public relates (bottled vending water), this innovative media engaged over 7,500 pedestrians, attracted worldwide media coverage, and increased donations beyond expectation. If you think your security training budget is tight, UNICEF did this with a zero dollar budget.

There are some straightforward and equally low-cost training ideas to make cyber security relatable in the workplace:

•     Providing safe online shopping tips or sessions to employees and their families during December. Employees will apply similar online security and password management principles to their work accounts.
•     Setting up a rogue wireless access point at an off-site meeting (e.g. SSID “conferernceconnect”, with an extra “r”) and seeing how many people connect, then sharing this information and the not-so-careful users during the opening remarks of the meeting.
•     Publishing a YouTube video series (of publicly available videos) on social engineering individuals’ personal (e.g. phone, bank, insurance) accounts to help Services Desk personnel recognize suspicious behaviour.
•     Creating a contest in which staff create their own phishing emails to help them understand how phishing works. Have management select the best email for the upcoming phishing test and reward the winning employee.

We recognize that even the most innovative idea cannot be successful without the support and investment of leadership. The ideas discussed above are an opportunity to have a more creative conversation with your leadership team and training personnel about refocusing training and awareness efforts. Using gamification and rewards, and making training relatable will help organizations get users’ attention and improve the “human firewall” to defend against cyber-attacks.  

Megan Brister and Tiffany Williams are cyber security professionals in Deloitte’s Cyber Risk Services practice. (www.deloitte.ca).