One of the challenges we have with security awareness is when you come down to it, awareness training and education can become boring over time.  Yes there are steps you can take to make it exciting, and there are many things you can do to sexy training up, but how often do you have employees bragging about how good their security behaviors are?  Or how often do you have employees researching on their own how they could be more secure?  While that is not happening for most organizations, it is something gamification could possibly change. Gamification (as defined at Wikipedia) is applying game and design techinques to non game applications to engage audiences.  I'm not talking about creating security awareness related games, such as what Wombat folks did with their Anti-Phishing Phil game.  I'm talking about taking the entire concept of security awareness and making it a competition / game.  Bruce Schneier has a interesting blog post on how the concepts of gamification even apply to the building of jihadist communities.  Examples for gamifying security awareness programs include ... Leader Board - Have a leader board tracking who are the most 'aware' employees.  This could be measured by things such as scores on awareness quizzes or how many months employees have gone without falling victim to phishing assessments.  People then compete to be in the lead. Badges - Have achievement badges for different courses or training levels people complete. Currency - Have a points or currency system.  The more points people earn, the more things they can do (buy company shwag, team lunch, etc).  They can earn points by completing more training, reading newsletters, replying to security awareness questions, helping others secure themselves, etc.  Then allow people to trade, share or gift these points. Challenges - Create security awareness challenges between users or even departments. The end goal here is not to create games for security awareness training, but to make security awareness training (and changing behaviors) a fun game!
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.