Turning End-User Security Into a Game You Can Win

Posted by Gretel Egan on Mar 3, 2016 9:00:00 AM

Topics: Security Awareness and Training, Phishing, Keys to Success, All Posts, Gamification

Gamification, as a concept, is nothing new. (Think back to some of the creative ways your parents and teachers tried to get you to do things, and you’ll know immediately what I’m talking about.) And gamification is certainly not restricted to the electronic realm (I’m looking at you, McDonald’s MONOPOLY). That said, in this day of mobile apps and Xbox One, we are most likely to equate gamification with bleeps, bloops, points, and prizes (real or virtual).

At Wombat, we naturally have a good sense of the positive effects of gamification. After all, several of our employee training modules use gaming techniques like points, lives, and scoring thresholds to teach users how to make good decisions about emails and URLs. And all of our cybersecurity education modules tap into what we feel is the most important aspect of gamification: interactivity. As we’ve noted in the past, interactivity leads to user engagement, and engagement paves the way for knowledge retention.

But beyond what we do inside our tools and platforms, we encourage our customers to think about the potential for gamification within their own security awareness training programs. The idea of “friendly competition” can ignite interest in your end users and lead to a more successful program overall.

A Suggested Gamification Plan (and a Nod to ‘Jerry Maguire’)

1. Get buy-in from stakeholders 

And we don’t just mean C-level decision-makers. Start smaller and get some advocates from elsewhere in the organization and encourage them to champion the project with you. (That VP who loves to take the floor at company meetings? He’s a great start.) It’s a “help me help you” kind of thing. After all, everyone’s lunch is on the line when it comes to cybersecurity.

2. Establish the parameters of success

Keep in mind that you’ll have a lot more flexibility if you have reliable measurement tools in place. Here are a few success indicators you could use:

3. Determine your scoring formula

You'll also need to decide whether you’ll have individual winners or “group winners” (by department, office location, etc.). Here are some ideas:

  • Non-clicks on simulated phish earn users a point. Reported emails earn two points. Clicks subtract one point.
  • Users who do not click at all during a series of mock attacks are automatically in a winners’ pool.
  • Users who complete a training assignment within the first week earn 3 points. Those who complete within 30 days earn a point. Those who take longer than 30 days earn no points.
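The three ideas above combined into one scorer, as an added example that is not part of the original post or any Wombat product. The event names, the tuple layouts, the treatment of "first week" as 7 days or fewer, and zero points for unfinished training are assumptions; the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Points per simulated-phish outcome, as listed in the first bullet.
PHISH_POINTS = {"no_click": 1, "reported": 2, "clicked": -1}

def training_points(assigned, completed):
    """3 points within the first week, 1 within 30 days, 0 after that."""
    if completed is None:            # assumption: unfinished training earns nothing
        return 0
    days = (completed - assigned).days
    if days < 0:
        raise ValueError("completion date precedes assignment date")
    if days <= 7:
        return 3
    return 1 if days <= 30 else 0

def score_program(phish_events, training, groups):
    """Return (per-user scores, winners' pool, per-group totals)."""
    scores = defaultdict(int)
    targeted, clicked = set(), set()
    for user, outcome in phish_events:
        scores[user] += PHISH_POINTS[outcome]    # unknown outcome raises KeyError
        targeted.add(user)
        if outcome == "clicked":
            clicked.add(user)
    for user, assigned, completed in training:
        scores[user] += training_points(assigned, completed)
    # Winners' pool: received at least one mock phish and never clicked.
    pool = sorted(targeted - clicked)
    group_totals = defaultdict(int)
    for user, points in scores.items():
        group_totals[groups.get(user, "unassigned")] += points
    return dict(scores), pool, dict(group_totals)

# Constructed sample data: (user, outcome) and (user, assigned, completed).
PHISH = [("alice", "reported"), ("alice", "no_click"), ("bob", "clicked"),
         ("bob", "no_click"), ("carol", "no_click"), ("carol", "no_click")]
TRAINING = [("alice", date(2016, 3, 1), date(2016, 3, 5)),
            ("bob", date(2016, 3, 1), date(2016, 3, 25)),
            ("carol", date(2016, 3, 1), date(2016, 4, 15)),
            ("dave", date(2016, 3, 1), None)]
GROUPS = {"alice": "finance", "bob": "finance", "carol": "sales", "dave": "sales"}

if __name__ == "__main__":
    print(score_program(PHISH, TRAINING, GROUPS))
```

Group totals favor larger departments; dividing by headcount is one way to keep the group contest fair.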

4. Select the awards

Though prizes don’t have to be monetary in nature, the phrase “show me the money” does come to mind. Consider these options:

  • Top scorers (or non-clickers) automatically win or are put in a drawing to win one of a selection of gift cards.
  • The best performing group wins a pizza party or catered lunch.
  • Top performers are recognized at a company meeting, in a monthly organizational newsletter, or some other public forum.

5. Communicate to your organization about the upcoming activities

Do your best to have them at hello. You can be as general or specific as you’d like, but it’s important to set expectations, clearly indicate benefits, and attempt to generate interest out of the gate. (Note: If you are doing simulated phishing attacks, we recommend being at least slightly vague about the start of the program and suggest communicating at least a week in advance of sending your first mock phish.)

6. Game on

After communicating, the only thing left to do is launch your program. Given that cybersecurity awareness and training is treated as a “necessary evil,” a bit of creativity and out-of-the-box thinking can make a world of difference in participation rates and, more importantly, up the attention ante. Customers who have taken a chance on gamification have seen a number of positive personnel results — including more interest in the topics and more conversations about security best practices — that have ultimately paid off in the form of fewer clicks, fewer malware infections, and less employee downtime.

 

From simulated attacks and knowledge assessments, to interactive training, to positive reinforcement tools, to results measurement and analysis, to award-winning customer service…we can complete your end-user security awareness and training program.
