How gamification could boost security

Despite widespread security training, end users are often the weak link when it comes to cybersecurity. Gamification could be the answer.

By Aled Herbert

Wed 14 Feb 2018 @ 16:07

Too often, the end user is seen as the weakest link in the security chain, despite the amount of training employees now receive to address this shortcoming. The problem is that changing user behaviours is difficult, especially when cybercriminals are stepping up their social engineering efforts.

Take whaling, for example. The social engineering technique, also called CEO fraud or business email compromise, relies on very little technical trickery. It works by fooling the target into releasing money based on the contents of an email rather than an attachment containing malicious code.

Phishing and social engineering are thought to be behind at least half of security breaches, and research has found that over two-thirds of organisations have fallen victim to social engineering attacks.

Last year, the director of the GCHQ-funded UK Research Institute in Science of Cyber Security said we need to stop blaming the user and instead place some blame on unusable security systems.

She said: “If security doesn’t work for people, then it doesn’t work. We need to reconfigure the relationship between security teams and the users they serve. Simply blaming users is counter-productive and does not improve security.”

We’ve all attended security awareness training. It’s always well intentioned. But often it seems like a box-ticking exercise, unengaging and dull.

Yet better security awareness among the workforce is essential to prevent criminals with savvy social engineering skills from breaching the organisation. So perhaps different ways of training are needed to raise awareness and motivate the workforce, other than the dreaded online tutorial and multiple-choice test that lets you print out a certificate to pin up on your hot desk.

Some organisations are turning to gamification as a possible solution. Gartner defines gamification as “the use of game mechanics and experience design to digitally engage and motivate people to achieve their goals”.

Many areas of the organisation have played with gamification. HR departments, for example, have long used gamification techniques in areas like training, on-boarding and leadership development.

But gamification has the potential to boost security beyond staff training, and this can extend across the organisation. Some businesses have applied gamification techniques to staff training, others to focus on and prioritise security teams. There are also initiatives aimed at raising awareness of and responsiveness to threats among senior management.

Beginning with the ‘human firewall’, both Ford and Deloitte have reported successes with a fresh approach to staff security training.

Ford turned to a gamification consultancy to create an online training community complete with levels, badges and trophies that encouraged friendly competition among staff members. The community proved popular with employees and had more than 100,000 unique visits on its first day.

Deloitte used similar techniques to incentivise cybersecurity awareness on its own learning portal. The business created communities that encouraged employees to enter into friendly competition with peers, with high performers being recognised as ‘security champions’.

At a management level, PwC has developed a gamification system called Game of Threats to help teach business leaders about cybersecurity and how to respond to attacks. The online game simulates a realistic cyberattack, creating an environment where executives need to respond to events as they develop and make quick, high-impact decisions to minimise damage caused by the fictional criminals.

The game prepares players to understand, respond to and remediate incidents. During the game, players can take on the role of a company or threat actor to see the events unfold from both perspectives. One goal is to demystify cybersecurity technology and terminology among senior managers.

But it’s not just security awareness that gamification can help with. It can also play a part in bolstering the skills within security teams.

Marks & Spencer’s security team has built gamification into its operations. The blue team is assigned to defend the network while the red ‘ethical hacker’ team aims to probe the defences and find weaknesses. Teams and individuals are given points and awarded different levels of ‘ninja’ rank as they rack up achievements. Staff can be ‘promoted’ based on these achievements and reportedly enjoy the element of progression and competition.

Another organisation thinks the solution to the security skills shortfall is to recruit people from the gaming community. The Cyber Security Challenge UK runs would-be security pros through simulations to test problem-solving and identify talent.

Cyber Security Challenge director Bob Nowill is reported as saying: “The next generation of cybersecurity talent is likely to come from the gaming environment... so we have to reach them in their own environment.”

Gamification can help find solutions to old problems: poor security awareness training and the so-called weak human links in the security chain. Its success is based on turning the old problem on its head by making work fun and not like work at all. By asking people to take a fresh and more enjoyable perspective on an ever-present issue, we could engage the unengaged and make the insecure safer.