To no one’s surprise, end users continue to be the favorite target of cybercriminals. Verizon’s 2017 Data Breach Digest, the companion to its annual data breaches report, states that of the data-loss incidents studied, 90% involved phishing or the social engineering of end users. A July 2018 Cybersecurity Insiders report (PDF) concluded, once again, that more than 90% of the participating organizations felt vulnerable to insider malicious behavior or inadvertent errors by end users.
Some experts suggest attitude is a big reason why end users are targeted. “Some IT pros will say that training end users is a waste of time, as they [end users] will click through the training but not heed the warnings,” writes CompTIA product manager Stephen Schneiter, in his CompTIA.org article We Are All End Users: Cybersecurity Training as a Life Skill. “That end users are of the mindset that network security is someone else’s responsibility or that if antivirus software is running, they are protected, or that really, there is nothing of importance on my computer.”
Try a new approach to cybersecurity training
That seems harsh, and whether it’s true or not is irrelevant. Schneiter is more concerned about finding a solution. “There is another theory, however, one of which I am a proponent,” explains Schneiter. “It is the theory that end users on our networks are not the problem, but, in fact, our first and most important line of defense!”
To make this theory work, Schneiter suggests, first and foremost, training departments need to avoid what he calls “fire-hose training” where end users are inundated with what to do, and then sent back to their desks. “First, we need to evaluate the level of knowledge that users have about securing personal information and our network,” suggests Schneiter. “Training should include adult learning principles and participants’ prior learning experiences and engage the participants through structured activities. Include the participants in the planning to find out what they want to learn.”
Why gamification might be the answer
Engaging end users is especially of interest to Mark Stevens, senior vice-president of global services at Digital Guardian. “In addition to using traditional training methods, businesses are increasingly looking for other more immersive solutions,” writes Stevens in his SiliconRepublic article 6 top tips to make cybersecurity training more fun. “This is where gamification can play a role.”
“Gamification is the process of engaging people and changing behaviour using game mechanics in a non-game context. Essentially, it’s taking what’s fun about games and applying it to situations that aren’t much fun–like how to block the next hacker from infiltrating a company’s network.”
To make his point, Stevens offers the following reasons why gamification is a good idea.
1. Recognize positive cybersecurity behavior. Stevens is well aware that employees must be considered when determining what factors could affect a company’s cybersecurity posture. By using gamification, he suggests, employees can be rewarded when they abide by the rules, which in turn encourages good behavior.
2. Talk about data protection. Gamification, according to Stevens, will inspire open dialogue among employees when discussing how to properly handle sensitive data–important now that the General Data Protection Regulation (GDPR) is in place. Stevens adds, “Instead of the topic being boring or rogue, workers hopefully will talk about their achievements, challenges, or lessons learned.”
3. Increase the frequency of cybersecurity training. To be effective, any training–in particular cybersecurity training–needs to occur on a regular basis. The fact that gamification can be automated is a huge plus, because it allows employees to work on their skills without interfering with normal business operations.
4. Engage employees. Friendly competition is one reason gaming is so popular. “Through friendly leader board competitions, end users are instantly engaged in the game–or training–at hand,” suggests Stevens. “This increases internal communication and creates new relationships, improving employee engagement across the board.”
5. Find cybersecurity talent. Gamification is already helping increase interest in cybersecurity. “Organisations such as Cyber Security Challenge have been trying to tackle the talent gap by hosting yearly competitions,” writes Stevens. “Winners are then offered lucrative job opportunities at large tech firms and government agencies who sponsor the challenges.”
6. Audit to measure effectiveness. Gamification becomes nothing but additional work and expense if it is not effective. Stevens feels that businesses should conduct cybersecurity audits on a regular basis to determine if security is improving.
How to convince managers about gamification for cybersecurity training
Ask any cybersecurity professional about the difficulty in getting funds for a project, and the person will likely have a story or two to tell. CompTIA’s Schneiter has an interesting idea that might help convince company management to invest in gamification:
“Professional development is something that organizations should be promoting with cybersecurity training. Everyone wants to gain more skills and succeed in their career, and cyber-training could be blended into a continuous training program.”
What about remote workers and cybersecurity?
Many sophisticated data breaches have started out by subverting an employee working from home or remotely. At-home or remote employees willing to apply security skills learned using gamification training can help eliminate a popular attack vector used by cybercriminals.