Gamification: to become stronger than cybercriminals!

Author: Proximus NXT
10/07/2018
Cybersecurity

In cybersecurity, the human being is often the weakest link. Insufficiently aware of digital risks, they can easily fall into hackers’ traps. In order to better protect their information assets, companies must train their teams in digital hygiene. The various forms of gamification help employees more easily adopt the right behaviours in this area. From a weak link, the human element can become a strong link in the security chain by increasing awareness of risks and best practices.

According to a study published in 2016 by the Ponemon Institute, 50% of data breaches result from cybercriminal attacks and 23% are due to human error. These high figures confirm that employees are not sufficiently aware of best practices in IT security: using strong, hard-to-guess passwords, encrypting sensitive data, being vigilant when receiving emails (phishing) that may impersonate an official organisation, administration or even a partner, etc.

The techniques used by cybercriminals or malicious employees (data leaks can also originate internally) provide a fertile ground for serious games. Their purpose is to invite employees to interact with a computer application that combines educational, training or informational aspects with playful elements and/or technologies.

The goal is to raise awareness in a more engaging way, but also to place employees in realistic situations so they develop the right reflexes to avoid putting their company’s activity at risk.

There are different categories of serious games: playful learning of basic rules, simulation of various attack scenarios, and role-playing adapted to high-risk job functions (CFO, accountant, executive, mobile worker, etc.).

And the results are promising. According to a report commissioned by Vanson Bourne for McAfee and published in April 2018, 57% of respondents stated that using games helps raise awareness of intrusion risks among users and IT staff. 77% of senior executives believe their company would be more secure if gamification were used more widely.


Motivation

This approach offers several advantages. The first is that it helps convince employees more easily when they follow e-learning training. One of the main challenges of distance learning is isolation and lack of motivation when sitting alone in front of a computer screen. By using game mechanics, gamification makes training more engaging. Users become motivated to reach the next level and possibly score more “points” than their colleagues. This increase in motivation is far higher than that of MOOCs (Massive Open Online Courses), which have dropout rates of between 80% and 90%.


Employee engagement

The second advantage is improving knowledge and reflexes without overly complex or boring sessions. The final benefit is that it increases team motivation and cohesion, as employees may be challenged with tasks specific to their job roles (how to thwart a fake transfer scam, an attempt to impersonate a network administrator, or the theft of critical information, etc.).

The benefit is twofold. First, employees become their company’s “watchdogs”. Employee engagement can lead to suggestions for improving IT security policies, or to the discovery of bugs or vulnerabilities during the development of software, websites or connected devices.


Challenge

Second, the company strengthens the sustainability of its operations and can regularly reinforce awareness through challenges organised via serious games. Placed in realistic conditions, with no risk to data, but within scenarios so immersive that they forget they are playing a game, users develop the right reflexes without even realising it!

However, to fully benefit from gamification, experts must be involved. The right approach must be identified to best fit the company’s specific characteristics and priorities. Even though such training remains playful, the objective remains serious: strengthening employees’ skills and keeping them aware of attackers’ threats and techniques. By being exposed to various threats of different levels of severity and sophistication and by learning how to use security software in practice, they develop better reflexes, which strengthens the entire organisational ecosystem.


Source: 300 senior executives and 650 security professionals working in public and private sector companies with 500+ employees in the United States, United Kingdom, Germany, France, Singapore, Australia and Japan.
