What is your take on the gamification of security programs within enterprises? Do you think creating an Incentivized Awareness program is an effective way to get your employees involved with security?
Employee training can be a difficult task. In the end, most users will still open the email attachment they have been warned about since the mid-90s. Computer-based learning programs are often used because they make it easy to report compliance, not because the employee necessarily learns or retains anything useful. Security is failing as an industry in this critical area and it needs a new approach.
Gamification has been used successfully in other industries, most notably in marketing new products. It is also being used successfully in other company-driven initiatives, such as fitness programs where employees collect points for exercising or having a physical. Employees are exercising to collect points to redeem for different products like a tablet computer or single-cup coffee machine. If gamification can motivate people to eat right and exercise, perhaps it can finally motivate them to stop opening that malicious email attachment.
There are some good and bad examples of gamification in information security awareness training programs. One good example is a company that used a monthly newsletter with definitions and puzzles that could be solved for a $50 gift card prize. The employees did retain the ideas communicated through the puzzles and became proponents of good security practices. Conversely, another company promoting HIPAA awareness had a contest where employees painted ceramic hippos. The employees probably didn't learn anything about information security, and may still refer to HIPAA as "HIPPA."
Current information security training programs are not having the desired impact of improving security practices within companies. Gamification is a good way to supplement an information security program to drive employee involvement and add some excitement to the material. The most successful training programs will use the gaming elements to spark interest while still focusing on the core subject matter. Gamification of information security training should be used as a supplement to an overall training program since this technique may not be popular with all employees.