7 minute read 24 Sep 2020

Why gamification might be the right answer for your organization’s cybersecurity awareness

Authors

Ben Van Erck

EY Belgium Financial Services Cyber Security Partner

Eager to learn about novel technology and solutions. Dedicated to team success. Father of three.

Koen Machilsen

EY Belgium Consulting Cybersecurity and Privacy Director

Trusted advisor on cyber and technology. Straightforward. Solution-driven. Pragmatic. Enthusiastic. Critical. People manager.

Dieter Vandenbroeck

EY Belgium Financial Services Cyber Security Senior Manager

Focused on the technology and process, but mostly the people aspect of cybersecurity. Enjoys good food and drinks in pleasant company, and going for a MTB ride in nature.

Related topics Cybersecurity Risk

By embedding the principles of gamification into their cybersecurity awareness campaigns, organizations can transform behaviors in much more efficient ways.

Executive summary

  • Most traditional security awareness programs are ineffective.
  • By embedding the principles of gamification into their cybersecurity awareness campaigns, organizations can transform behaviors in much more efficient ways.

Gamification of learning is a relatively new concept in the professional context. Its engaging, fresh and intuitive approach promises to raise awareness to levels that traditional training has not reached. Although the technique could serve as a catalyst to strengthen the “human firewall”, its low adoption so far raises questions about its usability and success in the field of cybersecurity awareness.

At EY, we strongly believe in gamification and its benefits. With this article, we want to clarify why gamification might be the right answer for your organization’s cybersecurity awareness. 

Chapter 1

Introduction

Why are we focusing on cybersecurity awareness?

The old saying “employees are your weakest link in cybersecurity” is still frequently heard today. Employees represent a large attack surface, and a moment of their inattention can be sufficient for an attacker to be successful.

Technical measures that detect attacks and limit their impact are available and often implemented, but they have their limits: every technical control involves a trade-off between security and usability (employees still need to do their job efficiently), while attackers have a wide range of techniques at their disposal and only need to find one gap. Where the technical controls end, the “human firewall” becomes the most important part of the defense.

To strengthen this layer of defense, many organizations rely on cybersecurity awareness sessions, ranging from simple emails with do’s and don’ts to web-based training and even classroom sessions.

And yet, most traditional security awareness programs are ineffective…

Every organization that takes cybersecurity seriously has adopted some form of campaign on this topic. And yet, most successful attacks still exploit this “weakest link”, indicating that these campaigns are not fully effective. On closer inspection, most awareness programs share common flaws.

1. They lack proper success metrics – the focus is on knowledge when it should be on behavior
Success is traditionally measured through “completion of the training” or “a passing mark on the training quiz”. Such a metric indicates whether participants obtained new knowledge, measured from a compliance viewpoint; what it does not reflect is the change in behavior and culture you want to achieve. People are often very skilled at recognizing the correct answer in a quiz, but do not apply this knowledge in their daily work.

2. They lack regular content updates – fail to keep up with the tempo of cybercriminals
Frequently updating the topics and their content is a strong requirement in a dynamic threat landscape. Cybercriminals evolve their methods constantly, and awareness programs should evolve with them.

3. They lack regular engagement – awareness is delivered as a “one-off” exercise
The battle for people’s attention is fierce. In today’s complex organizations, everyone is expected to know the rules and regulations on a wide range of topics. Cybersecurity is often just one of the many topics for which the same activity is repeated every year in order to meet a requirement. Such an approach amounts to a periodic “one-off” exercise and leaves no room for more regular, engaging campaigns.

4. They lack engaging content – fail to grab people’s attention
All of us have experienced the classic web-based training. Often you start with good intentions, skimming through the content, but end up clicking through the slides as fast as possible to “tick the box”. Content like this is not engaging enough and diminishes the effectiveness of the training.

5. They lack alignment to business risk – use generic campaigns 
Many off-the-shelf awareness solutions exist, and organizations can rapidly launch a campaign with limited effort. But every organization is different, both in the threats it faces and in the solutions it implements to mitigate the risk. Generic campaigns that are not aligned with the actual business risk often miss the point, as the audience does not recognize themselves or their organization in them.

Chapter 2

Gamification

How will gamification help you raise cybersecurity awareness?

The points we just raised make one thing very clear: revisit your existing awareness program objectives and evaluate whether you are actually achieving them. If they are not effectively met, a behavioral and cultural change might be required. Gamification is not the solution to all issues, but it can be a strong step forward towards more engaging content.

Gamification is more than just a buzzword or playing silly games. The technique is based on gaming mechanics such as leader boards, point systems and badges, and creates a drive for competition with a sense of achievement. Its principles rely on basic psychological drivers that motivate human engagement. It essentially helps change perception and attitude and provides a hands-on approach to learning. The element of competition increases motivation and (indirectly) connects people. 

How do I apply gamification to make my awareness campaigns engaging?

Gamification is not a silver bullet, and bringing this principle into your existing campaigns is not just a “click and done” step to take. We have supported clients with awareness campaigns based on gamification principles which we want to share.

1. Physical cybersecurity escape room
Escape rooms have been one of the fastest-growing markets in recent years. In a cybersecurity escape room, just as in any other, participants need to solve puzzles and overcome obstacles to get out of the room in a race against the clock. The level of cybersecurity knowledge required to solve the challenges can be tailored to the participants. Solving such challenges (from an attacking or a defending point of view) instead of just hearing about them results in tremendous involvement and a very successful learning experience.

2. Cybersecurity business game
This awareness exercise offers the players a first-hand glance at the impact of the choices they make during the game. Different choices can result in a change in the available cybersecurity budget, an impact on the organization’s reputation and customer appreciation, or even regulatory impact. The game provides a platform for ideas sharing, debates, critical thinking and a strategic thought process.

3. Capture the flag
On a capture-the-flag platform, various awareness campaigns can be launched. The result of each campaign can be tracked per individual or per department, and can even be integrated into the corporate phone book. Such a platform can motivate employees to go the extra mile to gain the extra point that beats the other team, effectively pushing them to complete a campaign because they want to and not because they are forced to.

The platform enables an adaptable, flexible, ‘change-as-you-go’ design. Employees work towards real-time, measurable, meaningful targets, and get immediate feedback as they choose a specific action.

4. Hacking demos
The hacking demos demonstrate how a cyberattack works, often highlighting both the victim’s and the attacker’s perspective. The ethical “hackers” from our team show how easy it is to perform an attack on an organization or on innocent people. Such demos are designed to focus on the impact on the individual, offering specific tips and tricks to prevent attacks. Participants can apply the techniques they learned to verify how vulnerable they are and track their progress toward strengthening their personal security.

5. Cyber “learnshops”
Gamification principles can also be applied to traditional web-based training to make it more engaging. Small but powerful changes, such as inter-department competitions that reward the winning team with additional budget for team events, can make this learning a talking point throughout the organization.

Chapter 3

Tips

Other success factors for your awareness program

Creating the ultimate cybersecurity awareness program that effectively leverages gamification principles is without a doubt a very tough challenge. Of course, we wouldn’t stop here without outlining some tips to help in this endeavor.

1. Define concrete behaviors requiring improvement
When raising awareness, the ultimate objective is in fact twofold: avoiding certain “dangerous” behaviors and building a long-lasting security culture. As a first crucial step, it is important to define which specific behaviors you would like to train and which ones should be avoided. In later stages, the objectives of awareness campaigns can be linked to these behaviors, which become the KPIs for evaluating whether a campaign has been successful.

2. Define success criteria and measure success of each campaign
Explicitly defining when an awareness campaign is successful, and how that will be measured, is equally important. These measurements are very valuable for the security team, which can then evaluate its awareness efforts. Furthermore, they can be shared with employees to bring competition into the campaign.

3. Integrate your awareness campaigns into the organization’s change programs
One of the challenges when designing your awareness campaigns is finding the right balance between “just enough” and overdoing it. When the push is too hard, either on cybersecurity as a topic, repetition of topics, gamification principles or “doing something new”, it could result in a dislike for anything related to awareness.

Finding the right balance is a tricky exercise and requires insight into the organization’s culture. Testing new campaigns with a limited audience from across the organization can give a first indication of their impact, before they are launched across the entire population.

Key takeaways

Cybersecurity awareness is an important topic in every organization, and its importance will only grow. To be successful, it is crucial to clearly define the objectives of your awareness program and to follow up on the lessons learned. Gamification principles can be used to increase engagement and embed security into the organization’s culture but, to be effective, they need to be applied as part of a well-designed program.
