How gamifying cyber training can improve your defenses

Every employee needs to be aware of cyber security risks and the basic steps they need to take, such as properly reporting suspected phishing attacks. Some, including IT staff, require more in-depth training.

There is also a legal requirement for cyber security training. The Data Protection Act 2018 Chapter 4, Section 71, Subsection 2 provides that:

“In relation to the principles set out in subsection (1)(e), the duties of the Data Protection Officer include:

  1. Allocating responsibilities under that policy.
  2. Raising awareness of those principles.
  3. Training of personnel involved in processing operations.
  4. Conducting audits required under those policies.”

Meanwhile, section B6 of the National Cyber Security Centre's Cyber Assessment Framework guidance advocates security training for employees.

Traditional methods of making employees aware of security issues, such as presentations, can sometimes be met with boredom and apathy. Some may also view security training as a box-ticking exercise.

To protect themselves and their employees, organizations need to find attractive ways to present their cybersecurity training, so that it actively appeals to employees.

A widely used strategy to improve engagement is to conduct a test at the end of a training session. When participants are informed that they will be expected to answer multiple questions in order to pass the training session, they tend to pay attention. “Where there is no test at the end of the training, people try to get through it as quickly as possible,” says Colin Tankard, managing director of The Digital Way.

Gamification of training

Gamification is an attempt to improve systems and activities by creating experiences similar to games to motivate users and build their confidence. This is usually done by applying game-design elements and game principles (dynamics and mechanics) to non-game contexts. Research on gamification has proven that it has positive effects.

Gamification techniques are intended to exploit our natural desires for socialization, learning, mastery, competition, achievement, or our natural response to situations framed as a game. Some of the techniques used in this approach include adding meaningful choices, introducing new concepts through tutorials, increasing the challenge, and adding a narrative to the experience.

Gamification has been dismissed by some as a fad, but the application of elements found in game play, such as competing or cooperating with others and scoring points, can effectively translate into employee training and improve engagement and interest.

“The way cyber security training sessions are happening is changing, and it’s for the better,” says Helen McCullagh, cyber risk specialist at an end-user organization. “If you look at people’s sitting engagements and they do a one-hour course every year, it’s just a box-ticking exercise. Companies are trying to get 100% compliance, but what you have is them sitting there listing their purchases.”

Embedding collaboration into training

Simply dividing participants into groups and having them compete against each other encourages engagement. This is why team-building exercises are often based on multiple group tasks that require collaboration. “If you put a group of adults in a room and then put them in groups, you make them competitive and they’re going to go for it, hell for leather,” McCullagh says. “They’re going to come out of their shells and they’re going to talk to each other.”

McCullagh recalls: “About four years ago, we had an interesting idea that there were a lot of escape rooms [where players need to work together to solve a series of puzzles to escape from a room] and it sparked conversation in our team. We realized that if we did it a little differently, it would interest people a little more. The way we develop homes is by observing them security controls in a room. We will see a photograph of one of their office spaces, showing the risks. They’re the most fun things to do, but they’re also extremely impactful.”

Another example is a Top Trumps-style card game, in which players have a set budget and must build a cybersecurity capability that includes people, technology, and processes. Once each player has finished, each strategy is evaluated and the player with the strongest capability wins.

While this may seem silly and trivial, it can enhance the learning experience. By embedding cybersecurity principles through a game, players can engage with the topic without feeling overwhelmed or intimidated. “Gamification can sometimes dumb it down,” says Tankard. “That’s where, in the cyber world, you have to be really careful between making it enjoyable for the employee and still keeping it serious. I’ve seen some really interesting ways to train in that middle ground.”

There is also simulated disaster management, where cyber incidents are simulated to give employees a realistic experience of hacking without any risk to the network. Employees can be scored based on their actions during the simulation and how well they cooperate with each other. With an appropriately granular assessment record, organizations will be able to identify key areas to focus on for training.

There are also video games that teach security concepts. An example of this is CyberCIEGE, which is structured similarly to The Sims video games. In CyberCIEGE, players assume the role of an IT manager for a small organization and it’s up to them to defend against various types of cyber attacks. Players purchase and configure workstations, servers, operating systems, applications, and network devices. They must balance productivity and security within tight budget constraints. In long scenarios, players progress through a series of stages and must defend increasingly valuable corporate assets against increasing attacks.

“We embedded network security simulations in a video game by using resource management tensions employed by games such as SimCity and Roller Coaster Tycoon. Those were relatively new games when CyberCIEGE was initially developed over 20 years ago,” says Michael Thompson, a research associate at the Naval Postgraduate School.

“Students must provide game characters with computing resources to enable them to achieve their goals, including access to information resources. CyberCIEGE has a few general introductory and training scenarios, but at the heart of the game are scenarios that require students’ computers and networks. Security concepts need to be understood.”

Target training for the audience

To maximize usefulness and engagement, training needs to be tailored by understanding the audience’s current needs and skills. Tankard says: “Training needs to be done at the right level for individuals, which sometimes you see when training isn’t across the board. There’s nothing more frustrating than when you’re above their level.”

All employees need some level of ongoing security training, but in-depth training should be targeted at specific individuals who need it most. “You can see who is observant and who needs a little more training,” says Tankard. “Scoring makes it easy for the IT team and administration people to know what level the workforce is at.”

Those in the security sector, especially those in the field of operations, are familiar with gaming, and many are gamers themselves. As such, they will be comfortable with many gamified elements and the language used in gamified training. However, those not directly involved may be unfamiliar with gaming and may not appreciate the approach used, or may fail to see its merits.

Moving training online

Since the pandemic, security training has been moving online and becoming virtual, and so have gamification processes. Although online training sessions naturally reduce face-to-face interaction, they can foster greater collaboration between teams, as they are no longer geographically bound. By keeping everyone focused on a specific goal, they can work together in a virtual environment. “By training online, collaboration is better, because you can collaborate with people from different countries,” says McCullagh.

But focusing on training being gamified can be self-defeating because it can delay the implementation of a training system, and any training is better than no training. “Making it entertaining — that’s the secondary thing,” Tankard says. “The first thing is to get something in place and get it going – that’s the key.”

Cyber security training, and the way it is presented, is changing, but in our connected world, with ever-evolving threats, training needs to evolve and become more engaging. McCullagh concludes: “If you have a short session where you sit people down with other team members, it engages them and brings them along. If you take them on a trip, or have them compete against each other, suddenly they become engaged and need to know, for example, how long it will take to guess this password.”
