Fall is here again; my favorite time of year. Which means it’s almost time for that annual autumn tradition we all know and love: National Cybersecurity Awareness Month! OK, so maybe that’s not what you thought I was going to say. But it is an important reminder to focus for a bit on our personal and professional online security. And there’s no reason why it can’t be as much fun as, say, a good college football game or Halloween, right? (Or at least a close second or third?) Around this time last year, I wrote about using cybersecurity training games to make learning fun and make it stick. So I’m back today with some new ways to get your staff actually interested in being part of the solution, by using games and other interactive methods.
Fortifying the human firewall
But first, why is this so important that we need to go back over it every October? Well, that’s because human errors and mistakes are often the cause of security breaches. In fact, studies show that human error is one of the top root causes of data breaches, preceded only by malicious or criminal attacks. At the same time, humans are the ultimate firewall in stopping cyberattacks that have sneaked past automated security measures. So, improving employee awareness should be at the forefront of most companies’ security training. In other words, it’s time to turn that vulnerability into a defensive asset!
Toss out that boring PowerPoint
There’s no reason why cybersecurity training needs to be a series of dull slideshows and blah, blah, blah lectures. At CGNET we make it a point to use quizzes and games in our training. And there’s a good reason why: Studies suggest that almost 9 in 10 employees feel happier when their learning is gamified at work. Check out this great study that offers up some fascinating statistics when comparing gamified to non-gamified training. One stat of note is that when gamified elements were added to training, 83% of subjects reported feeling motivated vs. only 28% having reported this when they were given more traditional training. And reports of boredom dropped from nearly half to only 10% after a gaming aspect was introduced.
Really, it’s just common sense. Doing something fun and interactive holds our attention far longer than being made to sit passively through a lecture. And if you are paying closer attention, you are more likely to remember what you’ve learned that much longer.
Let the games begin!
In my post last year I introduced you to several cybersecurity training games that were available at that time. Unfortunately, most of the links in that post have since vanished, with the exception of a pop quiz from Cybercrime Magazine (still quite relevant, as it is geared to remote workers) and a resource for 41 cybersecurity quizzes and trivia games from ProProfs.com. (Also all still worthwhile.) So, I figured I’d better jump on the internet and find you all some new ones. (And don’t forget: Incentivize your games with rewards for playing and prizes for competitions!)
In this simulation game you need to spot and remove common workplace security violations before the timer runs out. I tried it out – took me 2 tries to “pass” before the clock ran out. Simple, yet a quick and fun little game that pointed out some good cyber-safety tips. Could be a good intro game at the start of a training session, just to gauge where people are at in terms of their cyber know-how.
This is an exercise/quiz in which the user tries to find the phishing indicators that are the most difficult to spot within a message. And as part of the process, users are given detailed explanations as to why they guessed correctly or incorrectly. This helps users gain awareness of specific tactics hackers employ to abuse their trust.
Each year since 2013, the Division of IT at Texas A&M University has come up with a well-crafted online game to bring cybersecurity awareness to their students, faculty and staff. Even if you’re not an Aggie, you can still play along. And I did. This one from 2019 – with graphics reminiscent of one of my all-time favorite TV shows, Monty Python’s Flying Circus – was surprisingly engaging. (As well as educational, of course.) I think if you were to pass the link around to your staff, they – and you – would not be disappointed.
Here’s another one from Texas A&M (their 2020 contribution). I went through a bit of this one and also found it to be both fun and useful. In fact, their whole catalog of cybersecurity training games, dating back to 2013, is still available on the school’s main cybersecurity page here. I didn’t have time to try them all. But if they are anything like the two that I did check out, I have a feeling they’re also pretty darn good.
Feeling creative? Make up your own game
Security awareness offers the perfect scenarios to create role-playing games. For example, have some team members act as cybercriminals and come up with ways to try to scam the other team. Then have them switch sides to learn about the different aspects of how phishing messages are crafted, as well as how to spot the signs. Or make up a cybersecurity trivia game, with points awarded for correct answers and a prize for the winner. (This would be an easy one to play over Zoom or Teams!) Or how about having teams work together on a “Create a Cybersecurity PSA” contest? Each team could be assigned some aspect of security (passwords, phishing, office place security issues, etc.), and then the team with the best/most educational PSA (as determined by the IT staff) wins an award. Just a few ideas to get your creative juices flowing…
The bottom line is this: However you decide to do your training, keep in mind that by making it fun, the lessons should really “stick”. So put on those creative thinking caps (or just borrow from my list above) and get those games going!