For people who have been doing serious work in IT or Cyber, there are so many serious problems to be solved, and the problems are mounting. So, it’s understandable when professionals who are focused every day on those serious problems are asked about gamification. They often don’t like it. But that doesn’t mean it isn’t an important tool for solving some of the most serious problems.
What’s serious about gamifying spear-phishing and social engineering awareness training?
The problems of spear-phishing and social engineering attacks are a great example of how gamification can be one of the most valuable tools in addressing cyber security risks. These are clearly serious problems, as over 90% of security breaches involve employees making poor risk decisions about phishing messages or social engineering scams.
So, if you can recognize that humans behave differently than other security safeguards like firewalls and intrusion detection systems, it will make sense that employees must be trained differently than the way we set up rules for those technical systems. Understanding how and why employees learn and then behave is really important if we want to make them a self-defending team.
How gamification helps employees learn and behave in a more predictable way
Gamification helps employees learn new skills more reliably than traditional training, in several ways:
- Engagement is essentially driven by our reptilian brain. When something is new and different, we pay attention. So, we all agree that the look and feel of an environment that is gamified has at least the opportunity to look different, to gain that initial engagement. This gives us the opportunity to plant a seed and the employee will give us a chance to teach them more, before they shut down. But it’s just the beginning, and engagement needs to be driven through a variety of new looks and feels. This is something you rarely see in traditional training platforms.
- Immediate feedback is needed to reinforce concepts. In a highly interactive, gamified environment, there are great opportunities to provide feedback with every user interaction. So, not only does it help people understand the consequences of a decision, so they can learn and correct it, but the engagement factor also remains or increases if this is done the right way. Again, traditional learning platforms really don’t let you engage people in the feedback phase of a learning program. It’s almost always at the end, or in a quiz.
- Repetition of challenges is like exercising “muscle memory”. This is one of the most powerful parts of gamification for learning about risks. It’s simply naive to think that you can learn how to defend against a cyber threat if you only ever have one chance to think about a particular concept. It needs to be reinforced through repetition. Just like you can’t learn a martial arts skill without practicing at the dojo and sparring with partners, you won’t learn how to defend against phishing or social engineering scams effectively with one pass through a course. But how do you convince employees to repeat a boring online training course?… YOU CAN’T! – Again, you need engagement. Now you can see how important engagement is. It’s deeper than just having a new “skin” on your training program. It has to be integrated into the entire platform. Furthermore, other social drivers like a “leaderboard” are a natural way to encourage people to improve their skills by going back in to repeat lessons they didn’t score well on. The process starts to naturally feed on itself.
- Simulating risk decisions in a safe place is extremely valuable. We all know about “phishing simulators”, and they are a commonly used tool in cyber security awareness programs. But you really only get to simulate a phishing message, and you can’t send too many in too short a timeframe, or it just gets silly. But the real problem is that there are so many risks that we need people to spot, how can we replicate a similar risk scenario outside of phishing in a traditional training program? It’s very hard to do in a scalable way. So, if you can create “social simulations”, you can literally let employees practice making important risk decisions in a safe environment. These are situations they will likely face in the real world, but which are almost impossible to create in “meatspace”. So, having a social simulator capability is really important, but it also needs… wait for it… ENGAGEMENT. It has to be an enjoyable experience for the users in order for them not to get frustrated. After all, you’re trying to trick them in an immersive experience. But you can’t make it too hard for them, or it won’t be productive. It’s very hard, if not impossible, to create an engaging simulation environment in a traditional training platform, and phishing assessments can really only address a small fraction of the risk scenarios we need employees to understand.
- Analytics provides assurance for real risk management. Once you have employees in an environment that is gamified, they understand it’s not a bad experience, and they will learn important skills. They are repeating their activities to improve their ability to defend against simulated attacks, and their mindset is becoming more attuned to security risks. With all that activity comes data. From all the decisions made by employees in each lesson, we can see that they repeatedly complete certain challenges, but may have trouble with specific types of risks. Now, we have some ASSURANCE of what people know. It isn’t just based on guessing in a quiz, or repeating the quiz until they get enough right to pass. They actually had to think, and they actually had fun doing it. This is valuable information about vulnerability, which can be used in the same way that technical vulnerability data is used in penetration tests and vulnerability assessments. In contrast, what do you learn from the reporting of a traditional learning platform? How many people completed the program, and probably a quiz score that is fairly meaningless. It is data… but it is BAD DATA!
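As an added illustration (not Click Armor's code or data), here is how decision-level records from repeated simulated challenges can be pooled per risk category to show where a team is actually weak, and whether repetition moved the needle, which a completion count or a single quiz score cannot tell you. The decision log and category names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample decision log: one record per simulated risk decision
# (employee id, risk category, attempt number, whether the decision was correct).
DECISIONS = [
    ("e1", "phishing_link", 1, False), ("e1", "phishing_link", 2, True),
    ("e1", "phishing_link", 3, True), ("e1", "phone_pretext", 1, False),
    ("e1", "phone_pretext", 2, False), ("e2", "phishing_link", 1, True),
    ("e2", "phishing_link", 2, True), ("e2", "phone_pretext", 1, False),
    ("e2", "phone_pretext", 2, False), ("e2", "tailgating", 1, True),
    ("e3", "tailgating", 1, False), ("e3", "tailgating", 2, True),
    ("e3", "phone_pretext", 1, True), ("e3", "phishing_link", 1, True),
]

def accuracy_by_category(decisions):
    """Return {category: (correct, total)} pooled over every attempt."""
    totals = defaultdict(lambda: [0, 0])
    for _emp, category, _attempt, correct in decisions:
        totals[category][0] += int(correct)
        totals[category][1] += 1
    return {c: (v[0], v[1]) for c, v in totals.items()}

def weak_categories(decisions, threshold=0.6):
    """Categories whose pooled accuracy is below the threshold, worst first.
    This is the 'vulnerability list' the awareness program should target."""
    stats = accuracy_by_category(decisions)
    weak = [(c, ok / n) for c, (ok, n) in stats.items() if ok / n < threshold]
    return sorted(weak, key=lambda x: x[1])

def latest_attempt_accuracy(decisions):
    """Per-category accuracy using only each employee's most recent attempt,
    so improvement through repetition is visible separately from early misses."""
    latest = {}
    for emp, category, attempt, correct in decisions:
        key = (emp, category)
        if key not in latest or attempt > latest[key][0]:
            latest[key] = (attempt, correct)
    totals = defaultdict(lambda: [0, 0])
    for (_emp, category), (_attempt, correct) in latest.items():
        totals[category][0] += int(correct)
        totals[category][1] += 1
    return {c: v[0] / v[1] for c, v in totals.items()}

if __name__ == "__main__":
    print(accuracy_by_category(DECISIONS))
    print(weak_categories(DECISIONS))
    print(latest_attempt_accuracy(DECISIONS))
```

In the constructed log, phishing decisions end up strong on the latest attempt while phone pretexting stays weak for most employees, which is exactly the kind of per-risk signal that tells you which scenario to reinforce next.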
How can you gamify all of this to improve employee awareness of phishing and social engineering risks?
So, while this may all seem like a complex set of requirements in order to really make gamification a serious contender for cyber security awareness training, the Click Armor platform has all of these elements built into it right now. We have been building and testing it for over a year now, with great results and feedback. People can practice analyzing many phishing emails and various types of social engineering scams, and they can see where they went wrong, and have fun improving their scores.
We are finding that more employees complete the program faster than they had completed other awareness programs in the past. As one VP told me recently, “I was originally a skeptic about how effective gamification would be for our team. But I was really surprised how quickly people went in and completed the program on the same day it was launched.”
So if you are looking for an affordable way to improve your team’s defenses against phishing and social engineering scams, while also promoting a more fun security culture, then maybe Click Armor is the right place for you to start.