It’s no hidden secret that an increased level of training and education is both one of the biggest needs and shortcomings in the cybersecurity industry. Organizations are falling victim to cyberattacks more frequently than ever before and the ramifications are only getting worse. According to IBM Security’s and Ponemon Institute’s 2019 Cost of a Data Breach Report, the average incident costs a business $3.92 million and results in the loss of nearly 26,000 records. What’s even more concerning though, is that 49% of these breaches are still being caused by human error, which can come in the form of misconfigurations, poor coding processes, or just simple misclicks.
There’s two different ways to think about human error, both of which certainly play a part in the overall issue. First, errors could be caused by organizations not taking the basic steps to train their employees on cybersecurity best practices in general. Second, and the more likely culprit given that organizations are aware of the importance of education, is that their employee training methods are ineffective, as they’re out-of-context, infrequent, and just plain boring. This is why new, unique approaches to cybersecurity education and training are needed to better spread awareness and reduce these types of mistakes in the workplace.
Fortunately, a training method known as gamification exists, enabling today’s organizations to deliver this information in more engaging, interactive, and motivating manners. With this in mind, in light of National Cybersecurity Awareness Month, and to help build awareness about the growing need for effective cybersecurity education, here are three tips to better gamify your training and awareness programs, particularly when it comes to addressing developers and coding best practices:
Tell a Story:
Characters, role-play, and a relevant, well-established narrative go far beyond the traditional facts and figures when it comes to distributing information. Storytelling in general can have a significant impact on stimulating brain power (just think about the growth and adoption of podcasts). There’s a reason storytelling should be intertwined with training gamification, and when it comes to cybersecurity education, this can make all the difference between your lessons falling flat and making an actual, lasting impression.
Provide developers with characters and scenarios they can relate to. Make them feel as though they’re part of the story and overall “mission” in keeping their respective organization safe. Give them a chance to actually play out real-world scenarios—e.g., finding hidden code vulnerabilities—and offer awards and praise to participants at the end (e.g., most likely to orchestrate a successful bug bounty). All of this combined should keep trainees more engaged and interested.
Offer Prizes & Rewards:
Everybody loves the idea of winning a prize, especially in the work setting. Incentivizing participants during the actual training courses, as well as after they finish up, can be a key way of increasing engagement and attracting others within the company to join in on the fun. These rewards can be as simple as winning digital points that accumulate over time for good cybersecurity behavior, and as extensive as being able to redeem these points for gift cards, coupons, or even vacations (for those truly dedicated security advocates).
The key here is creating a system and leadership board where participants can track both their scores, as well as those of their peers, to create an atmosphere of healthy competition. Assign point values to various items—for example, receive 50 points for reporting a potential phishing link. Earn 150 points for identifying a source code vulnerability and remediating it. Or, earn a simple 10 points by keeping a list of secure coding best practices right on your desk. You can get as detailed or high-level as you’d like—the important thing is to make sure it’s motivational, fun, realistic (meaning people actually can earn the prizes), and is ultimately making everyone within the organization pay more attention to security.
Make the Long-Term Investment:
It’s important to remember that cybersecurity education and training isn’t a one-and-done effort. In order to really make your lessons stick, and bring security to the forefront of every operation, trainings must be delivered at a regular cadence—at the very least on a quarterly basis. The cybersecurity landscape is rapidly changing, and in just those three months, an entirely new crop of threats could arise that employees should be aware of.
Starting small and making the program interactive via gamification and prizes, is a great way to kick-start this effort, especially if budgets are limited. The key after that is to keep this educational environment going, especially with regular company-wide reminders and updates from your IT team, to encourage security awareness across the board.
Cybersecurity training and education is no longer a nice-to-have within modern organizations—it’s now a necessity and must become a bigger priority if we’re going to mitigate the current threat landscape. By up-leveling your efforts with these three tips, you can be well on your way to empowering those around you to turn exposure into advantage.
Curious how Checkmarx you can take your cybersecurity training and awareness programs to the next level? CxCodebashing can help by cultivating a culture of software security that empowers developers to take security into their own hands. Learn more and schedule a demo here.