Story image

Gamification: Cybersecurity's secret spice for effective employee training

23 May 2017

Security is only as strong as its weakest link, and for many organisations human fallibility is that weakest link. Whether by accident or by malicious intent, employees are often targeted because they have access to sensitive information - at least according to Palo Alto Networks.

“Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Companies need to put themselves ahead of emerging threats," comments Sean Duca, Palo Alto Networks' VP and regional chief security officer for Asia Pacific.

He believes it's a matter of engaging employees through education - and that education must be much more than pure compliance-driven approaches.Those approaches are not interesting or personal enough, he says.

“Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace," he explains.

So how do organisations engage employees more with the education process? The company suggests gamification is a good way to get employees on board.

Gamification, in which security education programs can use gaming mechanics in a non-gaming context, combine the 'excitement of games' with other activities that traditionally might not be as entertaining. Palo Alto Networks says that competition and rewards are also helping to make gamification popular across a wide range of industries.

The company suggests there are two main ways to use gamification to address cybersecurity in their organisation: 1. Develop exciting and engaging training exercises for employees Gamification can help businesses show their employees how to avoid cyber attacks and also to learn about software vulnerabilities.

“Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly," Duca says.

PwC is one organisation that uses gamification in its security programs. It launched 'Game of Threats', in which executives compete against each other in real-world cybersecurity scenarios. As attackers, they can choose the tactics, methods and skills of attack, while defenders can develop defence strategies, technology investment and talent investment to respond to the attack

According to PwC, the game shows training, company preparedness and what security teams face every day.

2. Include incentives and rewards

Working under pressure and deadlines can make employees more prone to overlooking their company's security policies. Sometimes those employees make mistakes. According to Palo Alto, organisations can lighten the load by including rewards.

“Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with material rewards such as a gift voucher," Duca explains.

One way to do this is by running fake phishing exercises, known as 'PhishMe' campaigns. Phishing emails can be regularly sent across the organisation, testing employees' responses and actions. According to Palo Alto, this can be an effective way to train employees on better email security.

“This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber secure working environment," Duca concludes.

The silver lining in Australia’s Government cloud strategy
Cloud has been a huge part of the ‘digital transformation’ conversation within Australian government during recent years.
‘Buy-now-pay-later’ taking consumer markets by storm
A new survey shows that young people are embracing this new method of purchasing, with over 1.5 million users in the last year in Australia alone.
Versent acquires AI specialist Contexti
Versent announced its acquisition of Sydney-based, actionable insights business, Contexti.
8x8 launches X series contact centre cloud solution in A/NZ
“With X Series, organisations throughout Australia and New Zealand can now integrate all of their employee communications and contact centre solutions on one cloud platform.”
How Australia can access the connected supply chain
"Australia’s logistics industry now needs to set its eyes on how it can go about digitalising all the areas of the traditional supply chain."
Aerohive achieves ISO/IEC 27001 cloud platform certification
Aerohive is the first cloud-managed networking vendor recognized by a global standard for commitment to information security management systems.
Better data management: Whose job is it?
An Experian executive’s practical advice on how to structure data-management roles within a modern business environment.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.