Cybersecurity awareness training has become an essential part of enterprise security programs over the past decade, as industry estimates commonly attribute over 90% of successful breaches to a phishing or social-engineering attack on an employee.
When contrasted against the projected $6 trillion in global cybercrime losses by 2021, there is clearly still an enormous deficiency in employees’ ability to spot and avoid cyberthreats that target them. In virtually every conference panel on cybersecurity, chief information security officers (CISOs) continue to make employee awareness training a top priority. Risk management executives clearly need better security awareness training outcomes than what they have been seeing.
Compliance Without Comprehension Has Led to a Vicious Cycle
Compliance requirements initially drove the development and delivery of security awareness content a decade ago in regulated industries such as government, financial services and health care. However, because the threats changed so rapidly, concepts had to be generalized, which caused learning content to stay at a high level (e.g., “Watch out for suspicious links”). The experience also became an unpleasant one for learners, as they typically found the content too vague to be meaningful or useful to them.
It’s understandable that many organizations limit security awareness training to as little as 30 minutes per year, to minimize lost productivity during training. However, this approach has led to compliance without comprehension. It has become a vicious cycle of avoidance driven by low expectations on both sides. As a result, CISOs and other executives have come to see these compliance programs as a necessary evil that employees must endure: the risks are evident enough that standards and policies still require the training, and nothing better has been offered to address the problem.
Using Gamified Learning to Build Proficiency
To reach an outcome that sees employees being armed and ready to defend against cyberattacks, there is a logical chain of learning that progresses from understanding to knowledge to proficiency. However, in this subject area, it is not as easy to achieve this outcome as it is for many other awareness programs, since there are many nuances employees must learn within a changing threat environment. This reality calls for a set of coordinated techniques that can engage learners to master foundational skills in a variety of ways.
There are many definitions available for the gamification of learning. Practically, gamified learning is the ability to motivate learners through the psychological drivers that have been demonstrated in studies and applications of gamification. This concept provides important tools for breaking the vicious cycle of compliance without comprehension.
Within security awareness, gamified learning offers a promising opportunity to show quick wins and a way forward for building proficiency. Using proven gamification techniques such as implicit learning, unpredictability, social relatedness and scarcity in an enjoyable content delivery environment, employees can learn about the basic security terminology used for more complex analysis of cyberthreats.
Once they’ve learned these basic concepts, employees can learn about cyberattackers’ motives and methods and exercise their critical thinking within immersive risk scenarios. While this type of learning does demand time and concentration from employees, the use of proven psychological drivers within purpose-built game mechanics can make the experience enjoyable.
Because these defensive skills require practice, gamification is an important driver of repeated attempts, providing opportunities to practice complex decision-making. Simply understanding a defensive concept is not enough to enable employees to make the right decision under pressure. For example, they need to be able to recognize a possible threat that interrupts them in the middle of a task and plays on their emotions.
Measuring the Benefits of Gamified Learning
Having employees better armed and ready to defend against cyberattacks is of great value, but implementing gamified learning can present challenges; managers and executives may immediately think of lost productivity as employees spend time “just playing games.” This issue is an optics problem that learning and development (L&D) professionals can address by demonstrating the positive impacts of a pilot program and then extrapolating them to a broader scope of content and a wider audience.
To justify themselves, these initiatives need to provide measurable results, at least in terms of knowledge retention and proficiency in simulated scenarios. Ideally, executives will also see a correlation between participation in the gamified learning program and real security incidents. L&D professionals can establish this correlation by coordinating with incident response and help desk teams and checking whether incidents (clicked phishing links, credentials entered on lure sites, malware tickets) decrease among trained staff, both relative to untrained colleagues and relative to the same people before they trained. Incidents and tickets can usually be tied to individuals, which makes the comparison straightforward to compute; the figures that reach executives should nonetheless be aggregated by group rather than by person, and because a small number of incidents makes any rate noisy, the trend should be tracked over several months rather than read from a single quarter.
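As an added illustration of the measurement just described (example code written for this page, not part of the original article or of any training product), the following Python aggregates help-desk tickets by training status. It computes incidents per 100 person-days for staff while untrained and while trained, a relative risk between the two, and flags any bucket with too few incidents to trust. The user IDs, ticket categories, completion dates and the six-month observation window are all constructed sample data.

```python
"""
Aggregate security incidents by training status so that the incident rate of
staff who completed a gamified awareness program can be compared with the rate
for the same people before training and for staff who never trained.

All identifiers, ticket categories and dates below are constructed sample data
for this example; they are not drawn from any real help-desk system.
"""
from datetime import date

# Ticket categories that represent a defensive failure (constructed taxonomy).
HARMFUL = {"clicked_phish", "credentials_entered"}
# Category that represents the desired behaviour: the user reported the lure.
REPORTED = "reported_phish"

# Constructed roster and training completion dates (None = never trained).
COMPLETIONS = {
    "u001": date(2020, 3, 1),
    "u002": date(2020, 3, 1),
    "u003": date(2020, 4, 15),
    "u004": None,
    "u005": None,
}

# Constructed help-desk / incident-response tickets already tied to a person.
TICKETS = [
    ("u001", date(2020, 1, 20), "clicked_phish"),
    ("u001", date(2020, 5, 2), "reported_phish"),
    ("u002", date(2020, 2, 10), "clicked_phish"),
    ("u002", date(2020, 4, 20), "clicked_phish"),
    ("u003", date(2020, 3, 5), "credentials_entered"),
    ("u003", date(2020, 6, 1), "reported_phish"),
    ("u004", date(2020, 2, 14), "clicked_phish"),
    ("u004", date(2020, 5, 20), "clicked_phish"),
    ("u005", date(2020, 6, 10), "credentials_entered"),
    ("u005", date(2019, 12, 20), "clicked_phish"),  # outside the window, ignored
]

# Constructed observation window, half-open: [start, end).
WINDOW_START = date(2020, 1, 1)
WINDOW_END = date(2020, 7, 1)

MIN_EVENTS = 5  # below this many incidents a rate is too noisy to present


def bucket_for(user, when, completions):
    """Return 'trained' if the user had finished training by the ticket date."""
    done = completions.get(user)
    return "trained" if done is not None and when >= done else "untrained"


def exposure_days(completions, start, end):
    """Person-days spent in each training state within [start, end)."""
    days = {"trained": 0, "untrained": 0}
    total = (end - start).days
    for done in completions.values():
        if done is None or done >= end:
            days["untrained"] += total
        elif done <= start:
            days["trained"] += total
        else:
            before = (done - start).days
            days["untrained"] += before
            days["trained"] += total - before
    return days


def incident_rates(tickets, completions, start, end):
    """Counts and rates per 100 person-days by training state.

    Only aggregates leave this function; per-person data stays with the
    help-desk system, so the result can be shown to executives without
    exposing individual employees.
    """
    counts = {"trained": {"harmful": 0, "reported": 0},
              "untrained": {"harmful": 0, "reported": 0}}
    for user, when, kind in tickets:
        if user not in completions or not (start <= when < end):
            continue  # unknown user or outside the observation window
        bucket = bucket_for(user, when, completions)
        if kind in HARMFUL:
            counts[bucket]["harmful"] += 1
        elif kind == REPORTED:
            counts[bucket]["reported"] += 1
    days = exposure_days(completions, start, end)
    result = {}
    for state in ("trained", "untrained"):
        harmful = counts[state]["harmful"]
        result[state] = {
            "harmful": harmful,
            "reported": counts[state]["reported"],
            "person_days": days[state],
            "harmful_per_100_days": 100.0 * harmful / days[state] if days[state] else None,
            "reliable": harmful >= MIN_EVENTS,  # small-number caveat
        }
    t, u = result["trained"], result["untrained"]
    if t["harmful_per_100_days"] is not None and u["harmful_per_100_days"]:
        result["relative_risk"] = t["harmful_per_100_days"] / u["harmful_per_100_days"]
    else:
        result["relative_risk"] = None
    return result


def example_summary():
    """Run the aggregation over the constructed sample data."""
    return incident_rates(TICKETS, COMPLETIONS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    summary = example_summary()
    for state in ("trained", "untrained"):
        s = summary[state]
        flag = "" if s["reliable"] else " (too few incidents to trust)"
        print(f"{state:9s} harmful={s['harmful']} reported={s['reported']} "
              f"person-days={s['person_days']} "
              f"rate/100d={s['harmful_per_100_days']:.2f}{flag}")
    print(f"relative risk (trained vs untrained): {summary['relative_risk']:.2f}")
```

On the sample data the trained bucket shows a lower harmful rate and more lure reports, but it is flagged as unreliable because it holds a single incident; in practice the same script should be re-run each month as exposure accumulates, and the trained bucket should only be presented once it clears the event threshold.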
L&D professionals can also gather employee feedback directly. Information from employees about how much they learned and how much they enjoyed a gamified learning program is valuable in gaining support from executives, and it provides validation of whether staff respond more positively than they do to other techniques, such as live phishing assessments that simulate attacks through email.
These kinds of simulations are already showing signs of negative cultural impacts and diminished value for risk management, due to the limitations on the types of live risk scenarios that are considered culturally acceptable. (For example, an email promising a cash bonus may get clicks but would be inappropriate as a phishing test email.)
Making Defensive Proficiency a Necessary Element of a Security Program
Once executives can see positive trends related to a gamified learning program, in the form of reduced security incidents and an improved security culture, they will be more open to increasing the time budget for employees to spend on the training. In fact, there is an opportunity to transition into a “continuous cybersecurity awareness” mode: Organizations can deploy gamified challenges on a monthly basis to inform staff about recent incidents observed in industry or even internally.
Just as in precision military operations or mission-critical industries like aviation, the ability to rapidly simulate tactical situations and to recertify staff for proficiency should become the norm in cybersecurity awareness training. Attackers will continue to exploit organizations whose employees are unprepared and ill-equipped to defend against them.
The sooner executives can see evidence demonstrating that an investment in gamified learning will provide them with better outcomes in defending against cyberthreats than the tools currently available to them, the sooner they will begin to embrace this kind of innovation in training.