Here at Solutions Review, we’ve written before on how employees are your enterprise’s largest digital attack vector. Even if they are not acting as deliberately malicious insider threats, they can and will act recklessly, negligently, or ignorantly when it comes to cybersecurity. According to Kaspersky Lab, only 12% of employees know their enterprise’s cybersecurity policies. Enterprises’ cybersecurity education efforts aren’t translating into knowledge that employees retain. Clearly, there is a communication failure occurring on a mass scale. With cybersecurity teams already understaffed and overworked, they need their fellow employees to take up digital security best practices to help them retain their sanity.
So how can your enterprise reduce the rate of human error? The answer may be gamification. Gamification is the process of incorporating game mechanics, including competition and reward mechanisms, into a non-game context to boost engagement and foster communication. It’s already being incorporated in everyday business processes and education—and it might just be what your cybersecurity training needs.
Here are some ways you can use gamification to improve your cybersecurity training and effectiveness:
Through Gamification, Make Training Hands-On and Exciting
The key to retention—ensuring information is not immediately forgotten and is actually used—is engagement. And nothing encourages engagement like the spirit of competition and a sense of fun. This applies to cybersecurity as well. Employees might sit down to a lecture, but between tight deadlines and general office demands they may not put that knowledge to use, and the knowledge atrophies.
To combat this, some firms use variations on war games to help employees learn, in an engaging manner, how attackers think and where they are vulnerable. Other firms will use tools like PhishMe campaigns to transform learning email security best practices into an engaging activity. Studies have found that 77% of employees find game-based training more engaging, so experimentation in gamification is certainly a worthwhile investment to increase retention.
Furthermore, avoid giving long lectures when doing cybersecurity training: use microcontent or interactive challenges to boost engagement. Keep training sessions under 10 minutes per week, which will make sure employees don’t get bored while learning best practices.
Use Gamification to Establish Rewards
Don’t worry; nothing in gamification says the rewards have to be anything that breaks the bank. Rewards don’t have to be more than badges (digital or physical) or “achievements” that you give employees who have been following cybersecurity best practices (such as sending 100 emails without triggering a security event). You can incorporate a scoreboard in the office based on following digital hygiene, with nothing more than bragging rights as a tangible reward. Or you can offer a small gift card to the employee who does the best at maintaining digital security that month or quarter.
The idea is to incentivize good behavior rather than just punishing bad behavior. This will help keep engagement high and keep cybersecurity at the front of employees’ minds through friendly competition.
Gamification Can Find Vulnerabilities in Your Workforce
Most of the time, going through each employee one by one to find out who needs additional cybersecurity training is a hassle for both your IT and management teams. Gamification by its very nature offers reporting mechanisms, driven by both users and automation, that can make it far easier to recognize who is neglecting or struggling with cybersecurity best practices. You can then determine why they are failing to keep up and work out a solution to that employee’s problems. Additionally, gamification encourages employees to seek help if they are struggling, through the same competitive impulse that motivates your best performers.
However, keep in mind that if you are planning on gamifying your enterprise’s cybersecurity, you need to make sure it is coupled with an adequate auditing and evaluation protocol to ensure it is effective. Also, make sure that the spirit of competition that gamified processes foster is a healthy one. Creating a toxic atmosphere in trying to stamp out hackers will create much larger problems in the long run.