Skip Links

How to create security awareness with incentives

Gamification is an alternative to pushing employees to improve security awareness.

By Ira Winkler and Samantha Manke, CIO
December 02, 2013 03:37 PM ET

CIO - One of the reasons many security awareness programs fail is that they rely on a "push" mentality, where they force employees to take awareness training and expect or, more likely, hope that employees will seek out additional training, because it is the right thing to do. While many there are programs that do this that are successful, they are relatively rare.

[Slideshow: 9 tips, tricks and must-haves for security awareness programs]

Recently, we began experimenting with helping our clients implement gamification techniques, which switches the whole awareness paradigm. Instead of employees being forced to take training or risk potential punishment, employees do the right things by default and seek out additional training, because they want to.

Too many people confuse the term gamification to mean that you create a game to do awareness training, and there are many companies who are developing such games. They can be useful, but much like a poster, newsletter, or phishing campaign, they are just a single component in what should be a well rounded security awareness program.

Gamification is actually a scientific term that roughly means applying game principles to a situation. The simplest definition of those principles is: 1) Goal establishment, 2) Rules, 3) Feedback, and 4) Participation is voluntary. Every game has to incorporate those principles. Goal establishment is the desired outcome for people participating in the game. Rules are actually limitations that people adhere to that allow the game to be a challenge. Feedback means that participants are made aware of how they are doing compared to their goal. Voluntary participation means that nobody is forced to play the game.

Using golf as an example, which we will highlight is in no way a computer-based game, the goal is to go 18 holes with the fewest number of strokes. The rules provide limitations as to how the player can get the ball in the hole. After all, the easiest way to get the ball in the hole would be to carry it and place it in the hole, but people seek out the challenge of accomplishing the goal through skill. The running number of strokes is the feedback mechanism. And, short of peer or work pressure, almost everyone plays golf on a voluntary basis. All games generally exhibit the same principles. This includes all sports, card games, playground games, chess, checkers, etc. Games do not need to involve computers.

[Challenge your security awareness with the NEW clean desk test]

As the term is confusing, we began to call our process, "Incentivized Awareness Programs". That better represents what we are talking about, as a comprehensive awareness program does not limit itself to a single tool. With incentivized awareness, you create a reward structure that incentivizes people to exercise the desired behaviors, which could include seeking out additional training. The incentives ideally make demonstrating or learning about awareness behaviors fun.

Depending on the program and the job functions, people earn points by finding bugs in software, taking a training course, reporting a phishing message, reading a security related publication, stopping a tailgater attempting to enter the facilities, etc. Different activities are worth different points, and people can accumulate points.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News