Originally published in The Huffington Post
The cybersecurity industry seems to be heading toward dire straits as data breaches grow in size and number every year, while in tandem, monitoring networks is becoming ever more challenging with internet traffic increasing at an accelerating pace.
But with the cybersecurity industry suffering from a widening talent gap, organisations will need to turn toward their employees and executives to strengthen their ranks against the myriad enemies that threaten them. However, bringing employees onboard the security team is easier said than done, because they happen to be part of the problem that leads to security incidents.
In this regard, security experts can borrow a lesson or two from the gaming industry. The use of gaming elements—competition, sense of accomplishment and of course rewards—can help remediate this situation by breaking down the complexity of cybersecurity concepts and making an otherwise complicated task simple to understand and fun to accomplish.
Making cybersecurity fun
Inadvertent users, employees who break security rules out of ignorance, are one of the most dangerous insider threats every organisation faces. A considerable percentage of security incidents continue to occur due to users carelessly opening infected email attachments, clicking on links pointing to malicious sites, or connecting infected thumb drives to their computers.
Many employees fail to appreciate security rules and abide by them because they see them as unrewarding, excessive and unnecessary controls imposed by IT teams, which can be ignored for the sake of comfort and convenience without any critical consequences.
The rift between security staff and average users is something that experts at cybersecurity vendor Digital Guardian are trying to bridge with their DG Data Defender initiative, a game that improves the implementation of security practices among employees and executives by incentivizing them.
As Connie Stack, Chief Marketing Officer at the firm says, “Security actually can be fun when you apply game mechanics to it.”
In a nutshell, DG Data Defender is a free gaming system that is incorporated into the workflow of organisations and rewards employees based on their adherence to security rules, such as sending an email that doesn’t trigger a policy violation (e.g. one containing unencrypted sensitive information), or using a cloud engine that has been approved by the company. Every security-conscious action earns users points, enough points earn badges, and eventually real rewards such as gift cards are given out to users who show a long history of security compliance and meet specific milestones.
“If encrypting credit card data in an e-mail before you send it could earn you a cool badge, and 10 badges could earn you a $25 Amazon gift card, you’d be more likely to encrypt that data,” says Stack. “That’s why we introduced DG Data Defender, to add a layer of fun to protecting sensitive information like credit card and social security numbers.”
Scoreboards and leader charts also add an element of competition to the mix, creating more incentive for users to improve their adherence to security rules.
DG Data Defender is a serious shift from the traditional approach to protecting data, which involves policing users and focusing on punishing and blocking activities deemed non-compliant. And this is how security professionals and end users can be brought on to the same team, Stack believes.
Educating executives on cybersecurity
Training staff and employees on the principles of cybersecurity in an effective and behavior-changing manner is one of the main challenges every organisation faces, especially at the executive and C-suite level, where critical decisions are made.
This is something that gaming can remedy, believe experts at consulting firm PricewaterhouseCoopers, and that’s why they’ve created Game of Threats, an interactive role-playing game that lets boards and executives learn the basics and principles of cybersecurity, and hone their skills by participating in replications of real-world attacks.
Participants split into two teams, the defending organisation and the threat actor. The game is played in a series of 60-second turns. At each turn, defenders have to make choices such as investing in security personnel or breach detection tools, while attackers have to select their method and scheme of attack. Because they get the chance to see both perspectives of an attack, players gain a deeper understanding of how cyberattacks are staged and how they can set up their defenses and prepare to react to threats.
At the end of each game, which usually lasts ten rounds, consultants from PwC go through each round and advise executives on best practices and better decision making. Game of Threats is played for up to eight hours at a time by finance auditors, compliance employees, C-suite and other boardroom executives, and PwC hopes the game will raise awareness of cybersecurity across all layers of a company.
With cyberthreats evolving and becoming more complicated by the day, cybersecurity should become everyone’s business, not just the IT security team’s. Fortunately, gamification and gaming mechanics offer a bridge that can bring everybody onto the same page and the same team to protect organisations from the advanced threats of the future.