Gamifying awareness
January's topic is 'resilience', a concept that means different things to different people. So what does it mean to workers? What is 'resilience' about? What does it imply? What are the key aspects, the things that everyone ought to know about?
The concept we have in mind for the awareness challenge is simple enough: the bulk of the challenge consists of groups of workers discussing and exploring their understanding of the term 'resilience', guided by our security awareness materials. Turning that into a practical and engaging awareness activity takes a bit more work though.
Our approach involves prompting and supporting someone - ideally an information security awareness professional - to deliver an effective session. Short of actually leading the session in person, we provide the materials and the inspiration to make the event fly: awareness by proxy, you could say.
Despite our experience of being out there, doing it, the particular awareness audience and leader/presenter form a unique combination. That's the tricky bit! It would be straightforward to prepare narrowly-scoped materials for a specific event but we have customers at different stages of maturity in their awareness and training programs, in a variety of organizations and industries or contexts ... hence we deliberately keep the awareness challenges reasonably flexible and open-ended. They may be run as one or more discrete events specifically for this purpose, or as sessions incorporated within some other event such as a briefing, training course or seminar. Online sessions are possible too, ideally in a manner that retains some social interaction. Participants should learn stuff from each other and have fun doing it.
'Having fun doing it' is not just about having a good time: do you recall those deadly dull awareness and training sessions of old where fun was simply not part of the equation? We remember the aggravation and tedium more than the content. Some of us (understandably) actively avoided or evaded the sessions while attendees generally resented being lectured at. Overall, a very negative experience, counterproductive and ineffective. How not to do it.
The nasty neologism 'gamification' has been coined for a different approach, although exactly what it means is uncertain. To some it means literally turning awareness and training into a game, for example Snakes and Ladders or Monopoly with playing boards and rules adapted to the subject. Climb up the security controls or slide down the risks and incidents, perhaps, or rather than buying properties, seize control of them by hacking, social engineering or malware.
To software-based awareness companies, it evidently means crude, low-budget computer games with cartoon characters and pixellated graphics vaguely reminiscent of Pong.
Either way, there is more than just a hint of treating fully-grown workers as if they are children. Picture it: "Warning! This awareness game contains scenes that may upset some people. Seek the guidance of a parent or guardian."
To us, 'gamification' is more to do with socializing information security. We provide factual and conceptual information to groups of people, encouraging them to interact both with the awareness materials and with each other in an upbeat, positive, engaging setting - such as an awareness challenge. Having fun is a valuable part of the approach, the means to an end rather than an end in itself. If fun were THE objective, it would be easier just to send everyone to the bar to liquefy what remains of the awareness and training budget.