Common faults in cybersecurity training are continuing to put companies at risk, delegates at the Cybersecurity in the Financial Industry conference hosted by the New Statesman this week were told. This is, in part, down to the low levels of engagement achieved through traditional training. Gamification of such cybersecurity training courses, where a competitive element is added, could be the solution to making it more impactful.
Ed Bishop, the co-founder and CTO of email security company Tessian explained at the two-day conference that cybersecurity training, while well intended, is often “executed fairly poorly.” Bishop added that there is a need to move away from the “non-engaging, boring, and ineffective approach to security training.”
Bishop believes “gamification” could help achieve better employee engagement in cybersecurity training and deliver lower risk of a breach for businesses. Other security experts agree that different techniques are required to foster a more positive relationship between staff and security teams.
How effective is cybersecurity training?
Cybercrime has grown rapidly in recent years, particularly during the Covid-19 pandemic, with criminal gangs often targeting human, rather than technical, vulnerabilities. Nearly 85% of successful data breaches in 2021 have involved duping humans into giving up crucial information, so-called phishing attacks, rather than exploiting flaws in code, according to a report from Verizon.
Though this demonstrates a need for effective cybersecurity training, many companies are failing to deliver what their staff need. A report by Capgemini found that 52% of those surveyed did not think their company’s cyber training programs gave them any new digital skills, and 45% found the training “useless and boring”. A Helpnet Security survey revealed 61% of employees who had undergone cybersecurity awareness training failed basic tests afterwards.
You need to flip [training] so it’s more empowering and gamified and relevant to their work.
Ed Bishop, Tessian
Speaking as part of a panel looking at how to be secure in the age of rapid digital transformation, Bishop said the traditional method he calls “training through trickery”, where staff are persuaded to click on fake phishing links and are redirected to a cybersecurity awareness course, is outdated. “You need to flip it so it’s more empowering and gamified and relevant to their work,” he said.
What does the industry think of cybersecurity training gamification?
Gamification is a way of designing training which uses interactive elements to help those taking part retain more information. “By adopting gaming mechanics like competition, points, badges, leader boards into their corporate training programs, organisations can make learning a fun immersive experience and nudge behaviour in a desired direction,” a report from security company Cyberrisk explains. So, to use the phishing attack example, a gamified training course may use a quiz to test whether participants can spot fake emails or other phishing attempts, with prizes on offer for those who score highest.
When employees are forced into training due to a mistake, their engagement is often low says Jake Moore, cybersecurity specialist at security company ESET. “Sneaky tactics are increasingly becoming outdated and can even frustrate staff as they are seen to attempt to catch people out,” Moore says, adding that gamification “is a more proactive approach and can make people aware of the fast-moving threat landscape in shorter spaces of time, ensuring the awareness sticks when needed. High-quality education can avoid the curse of the dreaded compulsory courses, which often have no value.”
In fact, levels of deception sometimes involved in this sort of training are increasingly viewed as permanently destructive to the relationship of trust between management and employee, explains Javvad Malik, lead security awareness advocate at security training provider KnowBe4. “When security teams go out of their way to trick their colleagues, it can lead to resentment,” Malik says. “It’s important for the security department to foster good relations with their colleagues. If they are perceived as the department of no, then any number of approaches will likely fail.”
Positive relationships through engaging experiences will yield better results, Malik adds. “Security teams should focus on building positive relationships with their colleagues and explain the dangers of phishing” he says. “In instances where a collaborative approach is used, and staff are informed in advance of simulated phishing exercises taking place, then any emails that are received are more likely to be viewed as a learning experience, and they will be more open to further education.”