Security is not something to play with
Well, actually, it may be. It all depends on the perspective. Game-like elements are a splendid tool for achieving the goal of every worker's awareness of, and willingness to participate in, solving security issues. A methodology called 'gamification' is currently under various tests and is doing extremely well. Research shows that companies using this approach at a certain level of implementation (which depends on the company) are actually gaining from it.
The thing is that workers who don't have security issues as their primary task often simply don't care about them too much. Or they are even scared of the possible outcomes if the issue has something to do with their own actions, whether intended or not. And is there a better way to get everybody involved than making them interested and not afraid? Everybody loves games, right?
Gamification actually has nothing to do with actual video games. It's simple psychology applied to a business environment. In other words, it is the implementation of game principles in the real world. Proper gamification consists of four elements.
- A defined goal
- Rules which are pre-defined for each goal
- A proper feedback mechanism
- Voluntary participation
It's like soccer. The goal is getting the ball into the opponent's net. And the rules make the game challenging and interesting. Nobody would like to see a guy just carrying the ball right into the net. And it would not be fun if people were forced to play or to watch.
In the case of security awareness, the goal is making people act properly. And where there is a goal, there should be a reward. This part is personal for every company and every business department. You should be smart when choosing prizes. The prize can be a pen, a badge, a picture on a 'wall of leaders' of some sort, or a salary raise. Yet it does not have to be material. It can be anything, depending on the company's standards and policies.
And the approach to granting these prizes has to be individual. You may create your company's official Star Wars Jedi Order and grant knight status to the winners. Your IT department will love it! But will the accountants be happy?
Figure out what should be rewarded. It has to depend on the company's needs. Whether those are reports of found USB memory sticks or phishing emails, preventing or reporting 'tailgating' (a situation in which an unauthorized worker sneaks in right behind somebody with authorization through a door locked for security purposes), or following other instructions.
You may figure out a system of granting game points that can be exchanged for bonuses. Remember that this is a game and the levels have to become harder. The first point may be awarded simply for attending security seminars. Then it has to get harder; you can even test your workers with simulated security issues in order to see how they are doing. Yet don't use this too often. Otherwise, we all know the story of 'The Boy Who Cried Wolf'.
Make sure the workers feel secure. They must know that if they report themselves for doing something wrong, they will be encouraged rather than punished. Their managers must remain unaware, unless the issue is of high importance or is constantly repeating.
Also, the goals must be realistic and profitable for the business. There have been cases where, when the QA department was granted extra bonuses for the bugs they found (which is their primary job!), they began writing more bug-ridden code in order to get more prizes.
Don't say 'gamification'. It causes extra negative reactions in serious business organizations. The work has to be treated seriously, they would say. Yet if you rephrase it and use the words 'active feedback system', everything will flow in a much better way.