Gamification: beating cybercriminals!
In cybersecurity, people are often the weak link. With insufficient knowledge of digital risks, they can easily fall into fraudsters’ traps. To better protect their IT assets, companies need to train their teams in digital hygiene. The various types of gamification help staff adopt the right behaviour in this area. From the weak link, the human element can become a strong link in the security chain by increasing awareness of the risks and good practice.
According to a study published by the Ponemon Institute in 2016, 50% of data breaches result from cybercriminal attacks and 23% are caused by human error. Those high figures confirm that staff are insufficiently aware of cybersecurity good practices: using complex, difficult-to-guess passwords, encrypting sensitive data, and being vigilant when receiving emails that may be phishing attempts impersonating an official organization, administration or even a partner.
The techniques used by cybercriminals or malicious employees (data leaks can originate in-house) provide rich material for serious games. These games encourage the employee to interact with a computer application combining educational, training or information aspects with fun and/or technology.
The aim is to make awareness raising more enjoyable, but also to put staff in realistic situations so that they develop the right reflexes for safeguarding their company’s business operations.
There are various categories of serious games: fun learning of the basic rules, simulations with various attack scenarios, and roleplays tailored to the positions at risk (CFO, accountant, director, mobile manager, etc.).
And the results are promising. According to a report commissioned by Vanson Bourne for McAfee and published in April 2018, 57% of the respondents* stated that gaming increases awareness of the risks of intrusion amongst users and IT staff. 77% of senior managers say that their company would be more secure if they used gamification more.
This category presents various advantages. The first is that it is easier to win over employees who are following e-learning training. One of the main challenges in distance learning is the isolation and lack of motivation trainees feel when alone in front of a computer screen. Because it uses game-like elements, gamification is more motivating for trainees. Users are driven to try to reach the next level and perhaps score more 'points' than their colleagues. Motivation levels are much higher than with Massive Open Online Courses (MOOCs), whose dropout rate is between 80% and 90%.
The second advantage is improving knowledge and reflexes whilst avoiding overly complex or even monotonous sessions. The final advantage: increasing the motivation and cohesion of the teams, who can be led to meet challenges specific to their business line (how to thwart a money transfer scam, an attempt to steal a network administrator’s identity, a theft of critical information, etc.).
The benefits are twofold. Firstly, staff become their company’s 'watchmen'. Staff engagement can lead to suggestions on how to improve the cybersecurity policy and to the discovery of bugs or vulnerabilities during software, website or connected device development.
Secondly, the company safeguards its business operations and can issue regular reminders by organizing serious game challenges. Users are placed in realistic situations, with no risk to the data, but with such an immersive scenario that they forget that it is a game and develop the right reflexes without even realizing!
But to take full advantage of gamification’s benefits, experts should be involved. It is important to determine the formula best suited to the company’s particularities and priorities. Although the training remains fun, the aims are serious: increasing staff expertise and keeping them mindful of attackers’ threats and techniques. By facing threats of varying severity or sophistication and learning how to use security software, they develop better reflexes, which strengthens the organization’s entire ecosystem.
*300 senior managers and 650 security professionals working for public and private sector companies with 500 or more employees in the U.S., UK, Germany, France, Singapore, Australia and Japan.