Gaming in security culture training is not about learning rules by heart, but about learning to identify risks.
Serious gaming is a way to enhance the security culture among employees. To learn more about the impact of gaming, I organized a meeting of the Security Culture User Group the Netherlands on the subject. In this blog I share some of the lessons learned, as told by users and the supplier of the Elevator game.
For what purpose should you deploy gaming?
Playful enough to talk about at the coffee machine: that is the purpose when you start gaming on information security. It is not about getting to know all policies and procedures. The point is to make people alert and to create a security culture. Nobody wants their company to go out of business because of a problem in information security. In the mix of methods to enhance a security culture, a game can be fun, which makes the subject interesting. With a game you achieve greater support for the subject. It also signals that the organization is freeing up resources, so apparently the topic is on the agenda. A few years ago, people said: “Security, that’s what IT is for, right?” Now they say, “Why didn’t you tell us before, we want to know!” When people play games in a group, more and more people want to be part of it. You get people talking about security and the game. You convince people, and if they are willing to share their conviction, you have achieved your goal.
Implementation of a game
A penetration of 70%, that’s our speaker’s goal. He has not yet started to implement the game. Our other speaker began communicating about the game about five months ago. The staff who actually played the game were enthusiastic. In this organization the culture is somewhat conservative, but many people do like new gadgets. A game fits these employees. Despite that, and all the encouragement, the penetration remained stuck at 8%. The supplier of the game indicated that for a serious game, where employees volunteer to participate, 8% is a good score. Voluntariness was a conscious choice. But as I said, the other speaker raises the bar: the target is 70%, with 30% as a minimum: “If my goal was 8% I would not even start!”
The question is how to roll out the game. The speaker did not want to be the first and waited until several organizations had gained experience with implementing the Elevator game. A few months after the completion of the game by IJsfontein, this organization launched its campaign. The communication went through many channels: intranet, posters, flyers in the cafeteria, calls to action at many meetings, and so on. This was repeated after about a month, which resulted in an upsurge in the number of games played. Also, prizes were raffled among the people who had reached the last level. The CIO was super excited and played the most games. In the culture of the organization it was not considered appropriate to give executives a leading role to get more people playing.
During the meeting, we could play the game Elevator ourselves, which was fun.
The evaluation found that everyone who played was very enthusiastic. In retrospect, one concludes that it would have been wise to use this enthusiasm to get more people playing. You play the game in pairs. Interacting and playing together was a very positive experience. One point that was less appreciated was the informative texts. These were sometimes perceived as pedantic. Fortunately, these are adaptable, an area for improvement for the next round. Once the publicity stopped, the number of players quickly dropped back to zero.
The result is that a new audience was reached. Some people indicated that they had gained a completely different view of the subject, even though they like neither gaming nor the topic of information security.
In the end we concluded that culture is key to the success of the game. Starting with a small group and then enlarging the circle is regarded as the best method for deployment.
This blog provided you with some considerations for the implementation of gaming as a means to enhance security culture. Use it, if your organization is ready for gaming.
I am co-founder of the Dutch security awareness community, serving any security awareness pro who wants to be inspired by knowledge-sharing colleagues.
I am a Certified Security Culture Practitioner (CSCP).