One of the reasons many security awareness programs fail is that they rely on a "push" mentality, where they force employees to take awareness training and expect or, more likely, hope that employees will seek out additional training, because it is the right thing to do. While many there are programs that do this that are successful, they are relatively rare.
Recently, we began experimenting with helping our clients implement gamification techniques, which switches the whole awareness paradigm. Instead of employees being forced to take training or risk potential punishment, employees do the right things by default and seek out additional training, because they want to.
Too many people confuse the term gamification to mean that you create a game to do awareness training, and there are many companies who are developing such games. They can be useful, but much like a poster, newsletter, or phishing campaign, they are just a single component in what should be a well rounded security awareness program.
Gamification is actually a scientific term that roughly means applying game principles to a situation. The simplest definition of those principles is: 1) Goal establishment, 2) Rules, 3) Feedback, and 4) Participation is voluntary. Every game has to incorporate those principles. Goal establishment is the desired outcome for people participating in the game. Rules are actually limitations that people adhere to that allow the game to be a challenge. Feedback means that participants are made aware of how they are doing compared to their goal. Voluntary participation means that nobody is forced to play the game.
Using golf as an example, which we will highlight is in no way a computer-based game, the goal is to go 18 holes with the fewest number of strokes. The rules provide limitations as to how the player can get the ball in the hole. After all, the easiest way to get the ball in the hole would be to carry it and place it in the hole, but people seek out the challenge of accomplishing the goal through skill. The running number of strokes is the feedback mechanism. And, short of peer or work pressure, almost everyone plays golf on a voluntary basis. All games generally exhibit the same principles. This includes all sports, card games, playground games, chess, checkers, etc. Games do not need to involve computers.
As the term is confusing, we began to call our process, "Incentivized Awareness Programs". That better represents what we are talking about, as a comprehensive awareness program does not limit itself to a single tool. With incentivized awareness, you create a reward structure that incentivizes people to exercise the desired behaviors, which could include seeking out additional training. The incentives ideally make demonstrating or learning about awareness behaviors fun.
Depending on the program and the job functions, people earn points by finding bugs in software, taking a training course, reporting a phishing message, reading a security related publication, stopping a tailgater attempting to enter the facilities, etc. Different activities are worth different points, and people can accumulate points.
The points go towards earning rewards. Some organizations recognize people with martial arts belts equivalents, like Six Sigma training. Some organizations provide recognition and certificates. Others provide cash awards when certain point thresholds are met. Whatever the reward system is, it should be something that is appropriate to the organization's culture. Depending on the size of the organization, you might want to have different reward structures for different subcultures. Roles, divisions, or geography might define these subcultures. For example, Japanese workers tend to be much more impressed by being personally recognized by a senior manager and the rewards should reflect this preference.
Clearly, some points would lead to the professional equivalent of "participation" trophies that many children's sports leagues now give out, which basically reward people for just showing up. There is actually nothing wrong with that. Security Department's tend to get a bad reputation for being organizations that punish people for bad behavior. Rewarding people for doing the right behaviors gets them to be more security conscious, while creating a better reputation for the Security Department as a whole.
There of course must be an appropriate balance between points awarded for meeting base expectations and points awarded for going beyond those limited expectations. Give a low value reward for meeting base expectations. A second level should be created that is within reasonable reach for most employees by demonstrating some additional, relatively simple behaviors. Further levels and rewards should be increasingly more difficult to achieve, but the rewards should be on par with the required level of effort.
Some people might say that many of their employees will not participate in this type of reward system, and that is reasonable. However, they might be surprised at the number of people who are interested in some type of reward system. Nevertheless, even if the program is not accepted by the entire employee base, the measure of success is not in participation, but in the metrics that matter to the organization. Our past article discusses this in more detail, that fundamentally any security measure is measured not in participation or perfection, but in the amount of loss mitigated by the measure compared to the cost of implementing the program.
Creating an Incentivized Awareness program does take some effort, but the companies that have successfully implemented such a program are reaping the benefits by reduced losses and having better relationship between the security team and the general user base. Gamification has proven itself to be an effective measure to further a wide variety of business interests. It is time to start implementing it to further security awareness and educate your employees to the next level.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.