security padlock

One of the reasons many security awareness programmes fail is that they rely on a "push" mentality, where they force employees to take awareness training and expect or, more likely, hope that employees will seek out additional training, because it is the right thing to do. While many there are programmes that do this that are successful, they are relatively rare.

Recently, we began experimenting with helping our clients implement gamification techniques, which switches the whole awareness paradigm. Instead of employees being forced to take training or risk potential punishment, employees do the right things by default and seek out additional training, because they want to.

Too many people confuse the term gamification to mean that you create a game to do awareness training, and there are many companies who are developing such games. They can be useful, but much like a poster, newsletter, or phishing campaign, they are just a single component in what should be a well rounded security awareness programme.

Gamification is actually a scientific term that roughly means applying game principles to a situation. The simplest definition of those principles is: 1) Goal establishment, 2) Rules, 3) Feedback, and 4) Participation is voluntary. Every game has to incorporate those principles. Goal establishment is the desired outcome for people participating in the game. Rules are actually limitations that people adhere to that allow the game to be a challenge. Feedback means that participants are made aware of how they are doing compared to their goal. Voluntary participation means that nobody is forced to play the game.

Using golf as an example, which we will highlight is in no way a computer-based game, the goal is to go 18 holes with the fewest number of strokes. The rules provide limitations as to how the player can get the ball in the hole. After all, the easiest way to get the ball in the hole would be to carry it and place it in the hole, but people seek out the challenge of accomplishing the goal through skill. The running number of strokes is the feedback mechanism. And, short of peer or work pressure, almost everyone plays golf on a voluntary basis. All games generally exhibit the same principles. This includes all sports, card games, playground games, chess, checkers, etc. Games do not need to involve computers.

As the term is confusing, we began to call our process, "Incentivised Awareness Programmes". That better represents what we are talking about, as a comprehensive awareness programme does not limit itself to a single tool. With incentivised awareness, you create a reward structure that incentivises people to exercise the desired behaviours, which could include seeking out additional training. The incentives ideally make demonstrating or learning about awareness behaviours fun.

Depending on the programme and the job functions, people earn points by finding bugs in software, taking a training course, reporting a phishing message, reading a security related publication, stopping a tailgater attempting to enter the facilities, etc. Different activities are worth different points, and people can accumulate points.

The points go towards earning rewards. Some organisations recognise people with martial arts belts equivalents, like Six Sigma training. Some organisations provide recognition and certificates. Others provide cash awards when certain point thresholds are met. Whatever the reward system is, it should be something that is appropriate to the organisation's culture. Depending on the size of the organisation, you might want to have different reward structures for different subcultures. Roles, divisions, or geography might define these subcultures. For example, Japanese workers tend to be much more impressed by being personally recognised by a senior manager and the rewards should reflect this preference.

Clearly, some points would lead to the professional equivalent of "participation" trophies that many children's sports leagues now give out, which basically reward people for just showing up. There is actually nothing wrong with that. Security Department's tend to get a bad reputation for being organisations that punish people for bad behaviour. Rewarding people for doing the right behaviours gets them to be more security conscious, while creating a better reputation for the security department as a whole.

There of course must be an appropriate balance between points awarded for meeting base expectations and points awarded for going beyond those limited expectations. Give a low value reward for meeting base expectations. A second level should be created that is within reasonable reach for most employees by demonstrating some additional, relatively simple behaviors. Further levels and rewards should be increasingly more difficult to achieve, but the rewards should be on par with the required level of effort.

Some people might say that many of their employees will not participate in this type of reward system, and that is reasonable. However, they might be surprised at the number of people who are interested in some type of reward system. Nevertheless, even if the programme is not accepted by the entire employee base, the measure of success is not in participation, but in the metrics that matter to the organisation. Fundamentally any security measure is measured not in participation or perfection, but in the amount of loss mitigated by the measure compared to the cost of implementing the programme.

Creating an Incentivised Awareness programme does take some effort, but the companies that have successfully implemented such a programme are reaping the benefits by reduced losses and having better relationship between the security team and the general user base. Gamification has proven itself to be an effective measure to further a wide variety of business interests. It is time to start implementing it to further security awareness and educate your employees to the next level.