The human or insider factor accounts for a staggering number of data breaches across the globe. Human error, negligence, or malfeasance is one of the top root causes of security events, topped only by malicious or criminal attacks.
And while the vast majority of staff members don’t set out to cause damage, many of them do so inadvertently, through bad security hygiene, including poor password habits, careless web browsing or clicking on a malicious link in an email. This results in employees becoming prime targets of, and falling victim to, social engineering, phishing attacks, and worse.
Unfortunately, while most enterprises claim to have established effective policies and procedures to help their staff avoid and manage cyber threats, the stories of data breaches that litter the headlines on a daily basis paint a very different picture, with many studies claiming more than half of cyber breaches are caused by employee negligence or malice.
Too often employers underestimate the role that their own employees, from the mailroom to the boardroom, can play. Any chain is only as strong as its weakest link, and although employees should act as an effective security measure, they are usually one of the greatest vulnerabilities.
Moreover, cybercrime is only intensifying, with threat actors growing increasingly determined and aggressive, and their tools more complex and sophisticated, meaning that private and public sector entities need to find better ways to engage their employees in truly effective cyber security awareness training.
One strategy that is being relied on more and more is gamification. After all, children and adults alike enjoy gaming, and for good reason. Today’s games are engaging and compelling, taking players through challenges and steps to accomplish a task, rewarding them every step of the way. In this way, players become immersed and involved, and more importantly, invested in the quest or end goal.
It is this very concept that underpins gamification, which adds game mechanics to environments that aren’t traditionally gaming ones in order to increase participation. And one of the main applications of this concept has been to make training content more appealing, particularly when it comes to cyber security.
One of the main hurdles that cyber security awareness programs need to overcome is getting staff members to finish the necessary steps, and gamification makes this far easier to do, for several reasons.
A major reason that games hook the players is that they have compelling storylines with relatable characters and exciting new worlds – it is what keeps gamers returning again and again.
Adding gamification into cyber security awareness training makes it fun, and a competitive and enjoyable team activity. It is also a positive way for workers to engage with security, and it can be set up in any office or remote environment. Employees learn a lot without even realising it, and games can be adapted to tackle any cyber security awareness issues.
If employees have fun while they’re learning about cyber security awareness, they are far more likely to finish the course, and probably even look forward to joining the next one.
Gamification has proven highly effective in ensuring employee participation in cyber security awareness programs, because it incentivises them to perform certain actions by appealing to their competitive natures. For gamification to be effective, trainers need to make participation an easy and fun part of the user experience.
In addition, the majority of cyber security awareness programs follow the same tired old formula, beginning with an introduction, then a teaching section, and a quiz to test how well the employees understood the content. An approach that incorporates gaming and fun into the equation will invariably lead to better engagement.
Users also enjoy video games because they are interactive and immersive. When looking for a cyber security awareness training programme, scrutinise the various types of learning options it brings to the table. The more gamified the training, the better your users will learn.
A major issue with most cyber security awareness campaigns is that employees do not believe the content is targeted at them directly. They finish the necessary material but do not take it a step further and integrate it into their habits, because they found it unreliable.
With gamification, users have to interact with the content and get feedback loops in the form of points, which makes them become far more engaged with the subjects. This, in turn, leads to simpler internalisation of the concepts the training is introducing and at the end of the day, to positive behaviour changes.
And best of all, gamification can be integrated into the regular cyber security awareness programs that should ideally be completed a couple of times a year, covering topics such as choosing strong enough passwords and avoiding phishing.