Cybersecurity Culture: Implementing game mechanics and competition can incentivize employees to improve their organization's cybersecurity posture.
Chief information security officers (CISOs) of Global 2000 enterprises have one of the toughest jobs in the world: defending their organization's cyberspace and guarding its assets and private information. But CISOs also have a second, even bigger problem: their own company's employees.
There are always gaping holes in an individual organization's cyber-defenses, including but not limited to unpatched systems, reused passwords and misconfigurations. CISOs want to shore up their organization's defenses, but unfortunately the rest of the company might not be very helpful: employees either do the wrong thing, or nothing at all, to improve the company's cybersecurity posture.
Human causes of breaches such as misclicks, misconfigurations or the failure to fix a known and critical vulnerability are very common, and raising cybersecurity awareness to the point where business owners can be effective cyber-risk owners is very hard. CISOs struggle to explain to their colleagues that they and their small security teams cannot secure everything alone; they need the help of every employee.
Fortunately, an effective strategy to increase employees’ ownership of cyber-risk management can be found in an unlikely place: Ad-hoc gamification.
Gamification to Improve Cybersecurity
Gamification of a company’s cybersecurity practice involves leveraging employees’ natural desires for learning, mastery, competing, achievement, status, recognition and rewards towards reducing an organization’s overall breach risk. According to findings from the American Psychological Association, competition increases physiological and psychological activation, which prepares employees’ minds for increased effort and enables higher performance. In this case, higher performance means being better able to detect and thwart security threats.
Gamification is most effective when the “gamemaster” of the initiative applies a comprehensive approach.
The first step is to identify risk owners. This can be done partially from an organizational chart, but it should be backed up by observing and analyzing the company's network traffic and endpoint activity, which lets risk be traced back to individual users' actual behavior. What services do they connect to? What privileges do they hold?
Analyzing the configuration management database (CMDB) and legacy inventory systems can fill out the picture and identify assets for which there appears to be no risk owner.
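The cross-referencing described above, as an added example that is not code from the original article: it joins a CMDB export, an org chart and observed endpoint/network events to suggest a risk owner for every asset and to flag assets that have none. The CMDB records, org chart, event tuples, the privilege names treated as elevated and the field names are all constructed assumptions for illustration.

```python
"""Trace asset risk back to real users and find assets with no risk owner.

Added example; the data below is constructed and the field layout is assumed.
Rules applied per asset:
  1. a declared CMDB owner wins;
  2. otherwise the most active observed user is the suggested owner, with
     that user's manager (from the org chart) as the escalation point;
  3. otherwise the asset is an orphan: nobody is declared and nobody uses it.
Assets seen in traffic but missing from the CMDB are reported as unregistered.
"""
from collections import Counter, defaultdict

# Constructed CMDB export: asset -> record ("" owner means none recorded)
CMDB = {
    "db-prod-01": {"owner": "alice", "tags": ["prod", "database"]},
    "jump-01": {"owner": "", "tags": ["prod", "bastion"]},
    "legacy-ftp": {"owner": "", "tags": ["legacy"]},
    "wiki": {"owner": "", "tags": ["internal"]},
}

# Constructed org chart: user -> manager (None at the top of the tree)
ORG = {"alice": "carol", "bob": "carol", "carol": None, "dave": "erin", "erin": None}

# Constructed endpoint/network observations: (user, asset, service, privilege)
EVENTS = [
    ("bob", "jump-01", "ssh", "root"),
    ("bob", "jump-01", "ssh", "root"),
    ("dave", "jump-01", "ssh", "user"),
    ("alice", "db-prod-01", "postgres", "dba"),
    ("dave", "legacy-ftp", "ftp", "anonymous"),
    ("dave", "build-box-7", "ssh", "user"),  # host absent from the CMDB
]

# Assumed names of privilege levels that count as elevated access
ELEVATED = {"root", "dba", "admin"}


def observed_usage(events):
    """Group events by asset: connection count per user, and the set of
    privilege levels each user was observed with on that asset."""
    counts = defaultdict(Counter)
    privs = defaultdict(lambda: defaultdict(set))
    for user, asset, _service, priv in events:
        counts[asset][user] += 1
        privs[asset][user].add(priv)
    return counts, privs


def _describe(asset, owner, source, org, users, privs):
    """Build the per-asset record: suggested owner, how it was derived,
    the escalation contact, observed users and who holds elevated access."""
    elevated = sorted(u for u, p in privs.get(asset, {}).items() if p & ELEVATED)
    return {
        "owner": owner,
        "source": source,
        "escalation": org.get(owner) if owner else None,
        "users": dict(users),
        "elevated_users": elevated,
    }


def assign_risk_owners(cmdb, org, events):
    """Return {asset: record} covering every CMDB asset plus any asset that
    appears in the observations but not in the CMDB."""
    counts, privs = observed_usage(events)
    result = {}
    for asset, record in cmdb.items():
        users = counts.get(asset, Counter())
        if record.get("owner"):
            owner, source = record["owner"], "cmdb"
        elif users:
            owner, source = users.most_common(1)[0][0], "observed"
        else:
            owner, source = None, "orphan"
        result[asset] = _describe(asset, owner, source, org, users, privs)
    for asset, users in counts.items():
        if asset not in cmdb:
            owner = users.most_common(1)[0][0]
            result[asset] = _describe(asset, owner, "unregistered", org, users, privs)
    return result


def needs_owner(result):
    """Assets with no declared owner: the list the CISO has to get assigned."""
    return sorted(a for a, r in result.items() if r["source"] != "cmdb")


RESULT = assign_risk_owners(CMDB, ORG, EVENTS)

if __name__ == "__main__":
    for asset, rec in sorted(RESULT.items()):
        print(f"{asset:12} owner={rec['owner']!s:6} via={rec['source']:12} "
              f"escalate={rec['escalation']} elevated={rec['elevated_users']}")
    print("needs owner:", needs_owner(RESULT))
```

The suggested owner for an undeclared asset is deliberately the person whose behavior creates the exposure, not their manager; the manager is recorded as the escalation point so the gamified scoring can roll individual behavior up to a business owner.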