The security of your agency’s network is at risk on a daily basis. To combat these threats, all staff must be on board and take responsibility. Getting people to take security measures seriously when security is not part of their job duties, however, is quite a challenge. The answer may be gamification.
What is gamification? The formal definition says that it is “the application of game theory concepts and techniques to non-game activities.” In simple terms, the goal of gamification is to engage participants with an activity they find fun in order to influence their behavior. In a business environment, this usually means implementing a system that rewards employees who do the right thing with points, badges, or awards.
In a recent CIO article, Lamont Wood interviews top security executives regarding the gamification campaigns at their respective businesses. Companies such as Salesforce and SANS Institute believe that game-like elements can be used to enhance security awareness and modify users’ behaviors.
Security-related behaviors rewarded by such programs include reporting phishing emails, preventing or reporting tailgating, reporting or preventing other attempted intrusions (especially via social engineering), reporting USB memory sticks found on the ground, keeping desktop software properly patched and updated, maintaining strong passwords, attending security seminars, not leaving laptops in parked cars, and (for developers) reporting bugs or vulnerabilities.
Such programs have yielded positive results. For example, Salesforce’s Chief Trust Officer, Patrick Heim, reports, “Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.” In addition, Lance Spitzner, Training Director at the SANS Institute, reports, “before security training, 30% to 60% of users are likely to fall victim to a fake phishing email. After training and six months to a year of a gamification program, the rate can fall to 5%.”
Gamification is not new to federal agencies. In fact, Hawaii recently incorporated gaming principles and technologies into the state’s website. As a result, overall adoption of online services is up as much as 20 percent. In addition, the National Geospatial-Intelligence Agency (NGA) recently released open-source gamification software to GitHub, the collaborative software development environment.
The bottom line is that implementing a system based on positive recognition rather than negative reinforcement may be just the thing to get employee buy-in when it comes to implementing security practices. At any rate, gamification is worth a try.
For more information and tips on using gamification to engage employees, read the full CIO article.