Is Gamification Working in Security Training?
Gamification is a term used in education to mean using game elements to improve knowledge retention. Learning new information, understanding how to use that information, and ultimately retaining that learning is the goal in all education and training programs. But this isn’t recess and not all games are useful. For security training via gamification to be successful, it must be crafted by talented game masters.
“Gamification has made its way into many aspects of technology, and security awareness and training is no exception. There are pros and cons to gamification, and success is widely dependent on how it is used and implemented,” says Javvad Malik, security advocate at AlienVault, an AT&T company specializing in unified threat detection.
AlienVault also developed the Open Threat Exchange, which claims to be the world’s largest crowdsourced computer-security platform.
It’s one thing to make the learning experience fun so that students enjoy the encounter and complete their work. It’s quite another matter to make sure they can perform those skills on the actual job later.
“While gamification can be great to engage and create ‘sticky’ content that people come back to repeatedly, care should be taken that the game part doesn’t distract from the overall goals and learning objectives. It’s all well and good having people complete learning modules, but it needs to be effective in educating the participants,” says Malik.
Since security training is vital for both user training and security-professional education, outcomes must be clearly defined and measured for each category. Anything short of that in gamification is gaming, not education.
Gamification Outcomes for User and Executive Training
“Gamification can help foster interest in cybersecurity, which serves as a big advantage to employees that aren’t exposed to cybersecurity practices in their day-to-day tasks. Assurance firm PwC has had success using Game of Threats, a digital game to simulate the experience of executives being targeted by a cyberattack, to teach cybersecurity and measure employee readiness,” explained Tim Bandos, VP of cybersecurity for Digital Guardian, a company that specializes in endpoint detection and response.
User awareness is critical in thwarting phishing attacks, including spear and whale phishing.
“To be effective, any training – especially cybersecurity training – needs to occur on a regular basis. Companies like Omnicare, recently acquired by CVS, Deloitte, and Beaumont Health System, Michigan’s largest health-care system, implemented gamification-style training and improved employee engagement. Teaching users to identify and react to attacks in real time – and enjoy doing so – prevents security from becoming an afterthought,” added Bandos.
It’s vital to instill a sense of joint responsibility for security among all users to prevent them from shortcutting and undermining established security protocols in favor of on-the-job convenience.
But while these arguments are sound and well received, the question remains of whether gamification improves security skills among users and executives. Several studies conclude that when done well, gamification does work in fending off attacks. According to a recent study, 77 percent of U.S. companies with interactive employee-training programs have seen a reduced number of attacks.
“That being said, individual organizations won’t know how effective their own programs are until they’ve been audited,” said Bandos. “Monitoring scores and engagement can make it easy to identify employees that need extra education; it also helps identify how effective overall existing security processes are. Companies need to review programs, potentially with the aid of NIST’s National Initiative for Cybersecurity Education (NICE) framework to address skill gaps and ensure gamified exercises are working.”
Gamification Outcomes for Security Professionals
One need only look at hacker games and competitions to see the compelling allure of gamification in training and practice for security pros. Top competitions in terms of level of difficulty, number of competitors, and security focus include the NSA’s Codebreaker Challenge, the Center for Internet Security’s US Cyber Challenge, and the National Cyber League’s Ethical Hacking and Cyber Security Challenges. Many such contests are also used for …