As published in the July/August edition of InfoSecurity Professional Magazine
By Crystal Bedell
As a former cyber analyst for the government, Masha Sedova has seen firsthand what a Russian state-sponsored attacker is capable of. So, when she was charged with building a security culture at Salesforce in 2012, she knew an employee newsletter and animated videos wouldn’t prepare end users in the event of a targeted corporate attack.
“I thought, ‘There’s no way this will work. It’s a waste of time,’” says Sedova, co-founder of Elevate Security in Berkeley, Calif. “In order for an organization to withstand an attack like that, people have to want to do security instead of have to. If it’s just a check-the-box task, people will do the bare minimum and not any critical thinking. Unless I got people to buy into the idea that they could and needed to defend the network, I wasn’t going to get any measurable security change.”
George Gerchow also recognized early in his career the need to better engage end users with cybersecurity. “Policies, procedures and compliance are so dry. People sign policies without knowing what they’re getting into. I thought there’s gotta be something we can do to make this interesting,” says the chief security officer at Sumo Logic, headquartered in Redwood City, Calif. Like other security leaders, Sedova and Gerchow started experimenting with gamification to improve end user awareness. The results have been “remarkable,” according to Gerchow.
“Over the course of this last year, we had a 10% reduction in end user risk. Most organizations, when they get compromised, it happens because an end user has a weak password, gets phished or downloads malware. The amount of education you need to do around these things is incredible. One percent to 2% is a win, but a 10% reduction is remarkable,” Gerchow says. Sedova has also seen quantifiable improvements in security awareness through gamification. During her tenure at Salesforce, she sent a phishing attack to two groups of people—those who had participated in her gamified training and those who had not. Alumni of her program were 50% less likely to click on a malicious link and 82% more likely to report the link.
What is Gamification?
So, what is gamification and why does it work? “Gamification is taking game mechanics and applying them to business objectives. It focuses on autonomy, mastery, feedback, getting better at a particular task,” Sedova explains. “Gamification helps with the motivation factor. It doesn’t necessarily change the mindset. The thing I’ve realized is that people still might not care about security—that comes from a different place. It might not mean anything to me to be secure, but competition or winning or a sense of accomplishment might mean something to me.”
Spencer Wilcox, the executive director of technology and security at PNM Resources in Albuquerque, N.M., puts it another way: “To me, gamification is the use of game-like structures—play, if you will—to incentivize people to act in the way you want them to.”
A common example of gamification within cybersecurity is around phishing attacks. At Sumo Logic, for example, when users successfully identify and report a phishing attempt, they receive points that lead to different rewards. When users earn enough points, they can cash them in for a reward. “That’s worked out pretty well,” Gerchow says. “The last thing you want is for people to hide when they do something wrong. You want transparency.”
Annalea Ilg, chief information security officer at Involta in Cedar Rapids, Iowa, uses gamification to keep her SOC team apprised of the latest attack methods. Her goal is to reduce the team’s mean-time-to-detect and mean-time-to-respond to attacks. “Any way you can promote continual training in the security space is important,” Ilg says. “At this point, the more creative ways we can find to keep security professionals up to date, the better. It’s hard enough to find the talent; once you have it, you have to keep everyone educated because security is evolving and you have to keep evolving with it.”
Ilg uses Project Ares, an online cybersecurity learning and assessment platform from Circadence. Team members “train” daily in Project Ares by attempting to stop a simulated attack as it moves through the kill chain. “The team goes in daily because there isn’t a compromise every day. The more they can be familiar with the real-world scenario, the more ready they’ll be. That’s the real advantage. It’s all about continuous readiness.”
The first step to applying gamification to your cybersecurity training is to understand what behavior you want to drive. “Get really clear on what you want the outcome to be,” Sedova says. “The behaviors should be the things you really want to change in your organization because you want to make your organization safer or reduce risk.” Once you’ve identified the behavior you want to improve, you need to establish a way to measure that behavior. “Ultimately, you want to recognize people who are doing great and give course-corrective feedback to those who aren’t meeting the delta. In order to do that, you need data,” Sedova says. The next step is to determine how good behavior will be incentivized and bad behavior disincentivized. A common approach is to give or take away points accordingly. Karl Kapp, a professor of instructional technology at Bloomsburg University and author of The Gamification of Learning and Instruction, advises companies to be careful about what is emphasized in the points process.
“Rather than feedback around the game, give feedback messages around the behavior. That way when the employee is rewarded, it’s aligned with the behavior you want to occur,” Kapp advises. “Instead of telling a user they’ve earned 20 points, tell them they’ve successfully identified four phishing attempts, thereby saving the organization x dollars.” Users are often allowed to cash in their points for rewards. These, too, should be carefully considered. “The thing about rewards is to look at the culture and see what’s valued in the culture and tap rewards into that,” Kapp says.
For instance, if your company has a hectic, fast-paced environment and people burn out quickly, then extra time off might be a good incentive. Lunch with an executive might be highly valued if you’re in a hierarchical environment where the average employee doesn’t have access to upper management. In a retail environment where disposable income is an issue, then gift cards might be a good incentive. Finally, don’t underestimate the power of public recognition. “Rewards that are recognized company-wide visibly reinforce the behaviors you’re driving. Employees know the company is paying attention and rewarding good behavior, and you’re more likely to get more of it from other people,” Sedova says.
Ensuring Success; Challenges To Avoid
To be successful, gamification requires a team effort. Gerchow advises security leaders to get human resources staff involved early in the process. “Talk to people and get ideas from them,” he says. Getting HR involved will not only reduce any concerns they may have about a competitive program, but it will also help security leaders sell the initiative to the rest of the company.
“HR is usually non-technical, so if you can get them to participate first, you’re enabling a champion of the people. You’re taking the people who look out for everyone within the organization, who have great communication skills and can help you sell to the organization,” Gerchow says. Experts also emphasize the importance of having executive support.
“You need an executive suite sponsor and they should lead by example. If you’re having classes on cybersecurity, that executive should attend. A lot of times in organizations, executives launch the initiative but they’re not part of it, and that sends the message that this is not very important,” Kapp says. It’s also important to have direct-line supervisors on board, according to Kapp. They should be monitoring user behavior and providing verbal feedback whenever possible to reinforce the program. If positive feedback can be given within a group setting, that’s even better.
Finally, Gerchow recommends starting small. “When I was at VMware, I got overly excited. I created a program that consumed too much effort and I could never get it going,” he says. “Building momentum is key. Have quantifiable things you can measure—even if it’s as simple as phishing. Start there, build, review it and then add on.”
When it comes to technology for gamifying cybersecurity awareness training, companies have several options. According to Kapp, there are two types of gamification platforms. There are learning platforms that ask questions, provide simulations and report on behavior. “All of that is divorced from the user’s actual behavior.” Then there are performance-based gamification platforms. “These serve as an integration layer that can sit on top of your systems. That layer reports back into a dashboard or your LMS, where you can then monitor, track and report on user behavior,” Kapp says.
Still another option is to build your own solution, as Gerchow’s team at Sumo Logic did. Security developers built integrations between the company’s public-facing Slack channel, “Ask the SOC,” and Excel, where they can monitor and analyze the data from their various gamification efforts.
Much like the other components of gamification, experts agree that the platform that works best for one organization won’t necessarily work as well for another. “It’s not one-size-fits-all,” Kapp says. “Trying to shoehorn into your organization gamification that worked for another organization won’t work. Engineers are less likely to buy into a cartoony gamification platform versus HR folks or teachers, for example, while engineers love to solve problems. For them, you’ll want to make it more problem focused than character focused.”
Wilcox adds, “The more playful you make the environment, the more incentivizing and rewarding people will find the environment. You need to find the right balance of play and entertainment that the culture requires to build awareness, to reward good behavior and disincentivize poor behavior.”