How to Utilize Game Theory for Security Awareness
Building classic gaming principles like positive reinforcement and escalating goals into security education can drive new levels of engagement.
How do you get employees to care about security? For years, security leaders have been great at conveying the negative consequences of a data breach or security incident – the organization could be attacked, data could be lost, fines levied, employees fired, discipline issued. While this approach conveys the gravity of a potential risk, it often does little to inspire employees to report failures to the security team, to improve their engagement with security, or to advocate for security with peers.
“We keep asking employees to do security work, and when they do a good job, we don’t say anything,” says Masha Sedova, Co-Founder of security awareness training company Elevate Security and former Senior Director of Trust Engagement at Salesforce. “When they don’t do a good job, we just wait until they mess up before we correct and retrain them. We only look for opportunities for negative reinforcement. We’re missing opportunities for positive reinforcement. When I send you a phishing email, do I just wait for you to click on it so I can send you to training, or if you report it, do I send a recognition note to your manager saying ‘You have a security-minded employee, congratulations.’?”
Consider it this way: Employees all have to pay their taxes, no matter what. Should the security team be seen as the IRS, coming to collect taxes after the fact, or like an accountant who helps employees prepare taxes, address issues and find benefits?
Building up trust and increasing positive reinforcement can start to help employees to see security in a different light, and possibly even start to change some minds about the personal benefits of paying close attention to security rules.
Twenty percent of employees have already bought into security – they’re on board regardless of any incentives; 70 percent will listen if you make it worth their while; and 10 percent think security is not their job, says Sedova. Make the 20 percent your security ambassadors, she says: these employees will translate your security message to their own teams, so the goal is to move the conversation peer-to-peer (“Finding a way to get the conversation out of security’s mouth and into the mouths of other employees and managers has been a really effective way of scaling it,” says Sedova). For the 10 percent, enforcement might be the best way to get through to them about security. But for the 70 percent, security leaders may need to be creative.
CSOs have long been asking “how do I get my employees to care about security?” Sedova suggests that the question should be “What do my employees need to care about, and how do I know that they’re doing it or not doing it?”
First: CSOs need to know the goal. If employees were aware and invested in malware prevention, for example, what would they do tomorrow that they don’t do today? With that goal in mind, evaluate which groups do or do not need training and awareness around this issue.
There are many paths to awareness, and there’s no silver bullet that fits all needs across all enterprises. Even in the same company, a poster or flyer campaign could be most effective to improve awareness about badge-wearing policies, while a phishing test could be more beneficial to educate employees about suspicious links, and in-person presentations could be the best method to discuss insider threats. However, each of these areas could benefit from a little game theory.
That’s not to say that enterprises should start asking employees to play video games at work in the name of security – it’s about applying the techniques that make games particularly successful and memorable to an education program and its business objectives, Sedova says.
So if you’re considering gamifying your security awareness program, remember these five key elements:
- Autonomy: Give people choices: what level to start at, what challenge to address next, etc.
- Mastery: Give people the opportunity to improve. Have information of greater difficulty or increasingly challenging tests as employees advance so they continue to learn.
- Feedback: Let people know how they’re doing, whether compared to their team, the organization as a whole or other organizations. Let users know how their actions have secured the company (e.g., “You reported a phishing email – here’s the magnitude of attack you may have just helped to prevent”).
- Purpose: Let people know why this matters. This is a challenge for security, as users want a specific goal. In gaming, you complete a level to defeat a boss or win a treasure. For security, provide case studies, deconstruct past attacks, demonstrate the risks that the training helps to address.
- Social: Things mean more to people when they do them together. Group-based accomplishments, friendly competition between business units, or an ongoing counter of how many days since the last malware or phishing error can help to drive social engagement and investment.
And gamification is not just a cybersecurity best practice – physical security can reap the benefits as well. Consider a tailgating challenge: Sedova asked for volunteers to attempt, 10 times in a week, to tailgate onto a floor where they weren’t recognized. If a volunteer was stopped by someone, that person received a “Thank You” note (which could be posted on their social profile so their peers could see it) and potentially a reward. If the tailgater got through unchallenged, the tailgater received the points instead.
In terms of rewards, many options are available: security leaders could send kudos through to the employee or their manager, or have an ongoing leaderboard with the top phishing email reporters of the month, or a points system with rewards along the way.
For example, assign a point amount to different behaviors: forwarding a phishing message to IT earns you 50 points, stopping a tailgater gives you 100, and finding a security vulnerability deserves 200. Employees could cash these in at different levels for different rewards: 100 points gets a t-shirt; 1,000 points gets executive acknowledgement; 3,000 points could get a day off. Assigning rewards of value to your employees helps get their attention.
Sedova also recommends partnering with other departments that are known for being able to connect with people’s intrinsic motivations: advertising, marketing, HR, behavioral science. These are functions that know how to get people to want to do something, she says.
A natural fit for cross-collaboration would be the marketing department, Sedova adds. “They can help you figure out ways that marketing can help you craft a message, focus on your visual design, or create a brand for the security team so people can recognize a message from the security department when you send something out. Marketing is also really good at giving out swag, and they may have extra concert tickets that you can use for your Security Champion program.”
The goal isn’t the game, Sedova reminds: “If you put terrible content into a gaming environment – information no one wants to know, and it doesn’t relate to their job, and they don’t have an understanding of the impact of why they’re playing this game or what the challenge does – you’re going to see a limited effect.
“Go through and check your root causes of why people aren’t following the behavior you want: Do they not know it’s part of their job? In which case, awareness is the right tool for this. Do they not know what to do? Then training is the right thing. Do they not care? Then, by all means, apply incentives, apply leadership backing, get gamification on board, but make sure you know the root causes you’re trying to solve for,” she adds.
For example, if employees aren’t wearing their badges, ask them why. It might be because they don’t know it’s the policy, or it might be because their badge pulls broke, and they don’t know where to get new ones.
“Get curious,” Sedova says. “Spend a moment and assume your users are resourceful, intelligent and have many job responsibilities, and just go in with a more kind, compassionate and optimistic view of them, and get curious about their experience of security. I think we’ll find that the solutions we need to be rolling out look a lot different than the solutions we think we need.”