Raising email security awareness through gamification

November 17, 2020 | Jason Lawrence

October was National Cyber Security Awareness Month which is an excellent opportunity to invest in a modern approach to email security awareness.  Most companies and organizations conduct security awareness training annually, during onboarding, and after an adverse event.  The effectiveness of periodic training varies greatly and depends on organizational culture and structure, leading to unexpected or undesired results. 

Organizations should seek to modernize their awareness training and adopt a creative approach to training that addresses these challenges.  Gamification is a modern approach that personalizes awareness training by adding creativity to an otherwise mundane activity.  One way to think of gamification is by adding game principles, game dynamics, or game logic to a task to encourage participation. 

By turning learning into a more interactive and fun activity, users and employees are motivated to participate, leading to better-sustained outcomes.  Applying gamification to email security training helps individuals and organization change their behaviors when it comes to email security.

According to an article in Computer World (July 2014), "Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email. "(Patrick Heim, chief trust officer, Salesforce.com).

How should organizations start with email security awareness gamification?

Start with traditional awareness training and build upon that.  Once all email users have been through an initial round of security awareness training, follow up with a contest of sorts.  For example, reward users that report phishing emails correctly. 

To create a broad behavioral change, publicize the contest winner's names and rewards.  Rewards and positive reinforcement encourages the reporting of phishing emails. Thus, building momentum in email users to participate in the game.

This contest is considered the first step into the gamification experience.  This initial step highlights the effectiveness of traditional security awareness training.  During this phase, collect metrics to measure the buy-in of users and other stakeholders.

Next, we want to increase the users' understanding of phishing emails.  Think of this phase as the gameplay aspect of gamification.  All games need the following components: a goal or objective (definition of what is winning), rules of the game, and scoring.  Wining creates motivation to continue to play the game (positive reinforcement).  Rules help the players understand how to play and progress through the game.  Scoring shows the participants their achievements and how well they are doing.

In email security awareness, we use phishing simulations to test users' understanding of a malicious email's type and content.  In the gamification version of these simulations, we score the details that users identify as malicious.  We call this game "Catch the Phish" and work through different levels of difficulty.  The first round contains blatantly obvious misspellings, email addresses, and content.  In each subsequent round, the clues become less obvious to the point where they are very subtle.

To create positive momentum, publicize users' accomplishments on a leaderboard of sorts, either on the company's intranet or in a periodic newsletter, or any other company-wide medium.  Other options within the spirit of gaming are to create inter-departmental or cross-department competitions—for Example, IT vs. Finance, HR vs. Legal, and so on.

There are many creative ways to make email security awareness training an engaging, fun activity that increases users' participation and measurably enhances an organization's security posture.  The examples laid out here are just the tip of the iceberg; use them as inspiration to start "gamifying" your organization's Security Awareness Training.

Jason Lawrence

About the Author: Jason Lawrence

Jason Lawrence is a Principal Architect with AT&T Cybersecurity Consulting, Leading the CSOC Practice. He has held various roles in his 25-year career in Cybersecurity, from Incident Handler and Digital Forensics Investigator to building Security Operations Centers for top financial institutions and Big Four Accounting Firms. Jason also enjoys teaching Digital Forensics, Incident Response, and Security Operations courses.

Read more posts from Jason Lawrence ›

‹ BACK TO ALL BLOGS

Get the latest security news in your inbox.

Subscribe

RSS

Get price Free trial