For an organization to have a strong cyber readiness strategy, employees within must be willing to recognize potentially harmful cyber behaviors and proactively work to change them. But how can you effectively influence employee behavior when it comes to cyber safety? The answer may surprise you…
It comes down to understanding employees’ psychological faculties first. What influences and motivates employees to actually change how they conduct themselves online, using workplace online systems and platforms? What must an employee think, do, and care about in terms of cyber security to alter behavior? What external factors and trainings can be adopted or modified to facilitate behavioral change?
The answer lies in games! Games are fun and engaging because they appeal to certain psychological drivers within us as human beings. These drivers motivate us toward certain activities. By utilizing gamified, immersive, hands-on cyber training, employees are able to improve their cyber awareness and ultimately change day-to-day actions.
Games can help change behavior because they address several psychological factors that inform and influence learning:
- Games Provide an Immediate Benefit to the Individual Learner – Games typically offer a sense of competition by way of leaderboards, scoring, and team-based play alongside incentives that help players understand “what’s in it for me?” when learning new information.
- Games Offer a Sense of Accomplishment – Everyone wants to feel like they are making progress and working toward something, eventually culminating in some kind of reward (money, material items, praise, etc.). Things like digital badges, “trophies,” level progression, and certificates can drive players to complete challenges and take on additional learning.
- Games Promote Feelings of Ownership – Self-paced games that a player can engage with on his/her own time make them feel like they “own” Ownership innately motivates people to make the objective at hand better. Self-paced cyber activities where the user is at the helm of their learning experience increase ownership and empowerment. They don’t have their manager lurking over their shoulder waiting for the next activity to be complete. They can do training on their schedule and at their convenience, when they are ‘ready’ to do it and in the right mindset.
- Accountability – Utilizing games that involve teamwork instills feelings of acceptance, a ‘we’re in this together’ attitude, and a healthy drive of competition. These activities draw people closer together and make concepts relatable and understandable when they learn together. Training feels less ‘lonely’ and isolated.
Our platform, inCyt, is the perfect tool to help you weave cyber security awareness training into the fabric of your organization. By offering easy-to-digest information portrayed through interactive games, non-technical employees can gain a deeper understanding of how to stay safe online.
inCyt is an evolving training solution where those with limited cyber knowledge learn basic concepts through cyber-themed battles. Currently, inCyt teaches password and email security along with general online safety, with future topics ranging from social media to remote work safety practices and more!
Change behavior to change company culture with inCyt. Not only will your employees feel more empowered to make safe choices online, but your organization will be better protected from looming threats.
To learn more about cyber psychology in the context of building a stronger cyber team and employee base, be sure to check out our on-demand webinar, Time to Reboot: The I/O Psychology of Cyber Security. To learn more about inCyt, schedule a demo today!
You know it and we know it: Security awareness training doesn’t have the best reputation. Many employees who are required to undergo security awareness training do so under the direction of human resources or a risk and compliance department within their company. Trainings have long been conducted via static PowerPoint presentations, lecture-based talks, online “tutorials”, and through other passive methods that don’t result in the employee retaining much of anything. It merely becomes a box employees check off on their requirements sheet and they move on.
This is not the way cyber security awareness training should be implemented. We know that current trainings like this are ineffective in helping employees learn cyber best practices or, more importantly, change their online behavior for the better. The “learning pyramid”, sometimes referred to as the “cone of learning”, developed by the National Training Laboratory, suggests that most learners only remember about 10% of what they read from textbooks, whereas retention is improved when gamification is incorporated into training and learning activities. In fact, according to Talent LMS, 89% of employees believe they’d be more productive if their work was more gamified.
Don’t believe us? Take a peek at the recent news headlines and industry reports that show human error is still a primary contributor to, and cause of, significant company breaches. Employees aren’t empowered with the knowledge to know what to look for in suspicious emails or phone calls, resulting in higher cyber risk for organizations.
- Shark Tank’s own Barbara Corcoran recently lost $380,000 in a phishing email scam.
- People are getting scammed by hackers capitalizing on fear of the Coronavirus to steal money and sensitive data, according to Yahoo Finance.
- The 2019 Data Breach Investigations Report (DBIR) highlights that a third of data breaches (34%) involved internal employees.
- CNBC reports “Individuals reported losing almost $153 million to government imposter schemes in 2019, according to the Federal Trade Commission.”
And that’s only a few of many incidents that indicate the need to foster more effective security awareness training to truly change digital behavior.
Pain Points of Traditional Security Awareness Training
- Actually changing —Getting an employee to go through security awareness training is one thing, but actually changing their behavior is another challenge all its own. Training can’t be a ‘one and done’ effort. It must be engaging enough for people to retain learned information so they can recall it when faced with a cyber threat. To do this, security awareness training must have a ‘what’s in it for me?’ component; otherwise, there’s no incentive for an employee to do the training at all. Teaching elements like scoring, competition, badges, levels, and ‘digital rewards’ help engage employees so they move training off the ‘must do list’ and onto the ‘want to do list.’
- Convincing employees it directly impacts them—If you’ve never been in a car accident, you may be inclined to drive a little faster on the highway, not thinking twice about the repercussions because “an accident will never happen to you.” Wrong. Just because your company may not have been breached (yet) doesn’t mean you’re exempt from security awareness training. Unfortunately, the daily onslaught of company breaches making news headlines indicates that the ‘we don’t need security awareness training’ thinking is not only outdated but will leave your organization more vulnerable to an attack. Everyone needs security awareness training if they do any kind of work on an electronic device (whether computer, phone, internet-connected system, etc.).
- Perceived protection from technology—It’s quite common to presume that today’s technology has ‘built-in’ security to protect against hackers, and while some devices do offer limited protection, it’s not enough. As fast as technology is advancing, there’s always a gap in security waiting to be exploited. Spam filters, antivirus software, and firewalls are great, but hackers know the easiest way to get sensitive data and cause disruption is by going through people first. A multi-layered security strategy that places people at the forefront of defense is critical to hardening posture from all angles.
Empower Employees with Fun Security Awareness Learning
Just because the industry has typically conducted security awareness training in a passive manner in the past doesn’t mean it works, and it certainly doesn’t mean that we have to keep doing it. So let’s flip the script on security awareness training, shall we?
We recently debuted inCyt, a security awareness learning tool, at RSA this year. It is an evolving solution designed for non-technical employees to learn cyber foundations and improve online workplace practices. In it, we dare to have fun with security awareness training by simplifying and gamifying the complexity of cyber. We expand the understanding of the threat landscape to non-technical employees who work on business systems by introducing basic concepts through the mind of a hacker. Then the player is encouraged to demonstrate their learned knowledge in a “final” lesson where the player defends their digital assets from a bot hacker. Games are designed around the cyber attack sequence that outlines the structure of an online threat.
Players with limited cyber knowledge learn basic concepts through cyber-themed battles against a bot attacker, and the learning becomes ‘sticky’: information is retained because it’s engaging. Colorful characters, friendly competition, and relevant cyber examples improve security awareness aptitude.
inCyt currently teaches the following security foundations with more on the way!
Phishing & Email Security
- Understand what phishing is.
- Understand the impacts of phishing.
- Identify common indicators of phishing attempts.
- Identify appropriate countermeasures related to phishing.
- Understand the risks associated with public internet.
- Identify proper safety precautions when online shopping.
- Understand the impact of what and when you post online.
- Understand the importance of strong passwords.
- Identify best practices when creating passwords.
- Understand multi-factor authentication.
Future game topics and themes will include: Social Media, Least Privilege, Remote Work / Bring Your Own Device (BYOD), Computer & Software Updates, Response to Potential Attack, Data Value, Preservation & Recovery.
So what do you think? Is it time to change up your security awareness training approach? Perhaps try something new to augment the most vulnerable attack element in your organization: your people.
Schedule a demo of inCyt today to learn more.
Circadence mentioned in Cyberwire’s “Daily Briefings” section for debut of inCyt, security awareness solution for enterprises and non-technical employees.
Circadence Corporation announced the debut of inCyt, its new cybersecurity awareness learning solution, at the RSA conference today. inCyt will be demonstrated to RSA attendees between February 24 – 28, 2020 at the Moscone Center in San Francisco, California in preparation for its official release in Spring 2020.