
M&E Journal: How Fun and Games Can Reduce Your Cyber Risk

Picture the scene: 5 p.m. on deadline day, and you still haven’t finished your mandatory cybersecurity training. You know you have to do it, so you open what you’ve been assigned, skim through information on how to spot a phishing attempt, how to protect your data, all the rest … and you keep hitting “next” over and over, as fast as possible.

Then you guess most of the answers for the test. You’ve finished for another year, and pretty much forget about it.

And that’s the key: how much have you really retained? According to a study by the National Training Laboratories Institute for Applied Behavioural Science, most of the traditional methods of training and awareness (posters, watching videos, reading articles and annual training) result in as little as 30 percent retention of the information you’re being given. Not a great return on your investment, right?

And certainly not helpful in reducing the risk of someone in your company clicking on a bad link or falling for fraud. Even at a live cybersecurity demonstration or event, many people will be interested, but I’ve seen a few people playing games on their phones.

There’s nothing wrong with the content traditional methods of cybersecurity training offer. It’s the delivery that’s lacking. If you’re not fully engaged, you don’t remember as much. Which means you’re unlikely to change your behaviour.

The National Training Labs study goes on to say that being immersed in a subject will see you retain up to 75 percent of the information offered.

Even better, if the experience is truly engaging and immersive, you’ll retain 90 percent, and be more likely to pass your new-found knowledge on to others.

LEARNING THROUGH DISCOVERY

But how do you achieve this successfully? Think about applying a combination of gamification with “practicing doing” to your cybersecurity training, meshing the mental reward of solving gaming-like problems with a real-world challenge using everyday objects as an analogy for cyber threats.

By discovering, you’re already engaged, and retaining knowledge without even knowing it.  And it’s important these challenges aren’t a series of separate puzzles, but linked together as a story, where one puzzle leads to the next, with a goal at the end.  Think of your favourite TV drama: You’re glued to the story from start to finish.

This is what Xcapism Learning aims for with its cybersecurity training programmes.  Cybersecurity awareness campaigns have generally become associated with the faceless hacker, hunched over a computer, in hiding from the law. But in reality, a hacker could be someone on the bus, someone who sits next to you at work, someone not living in their parents’ basement.  Do whatever possible to help your organisation re-think who cyber attackers are.

Depending on your organisation’s culture, the tone may need to be widened, to make it as simple and relatable as possible to appeal to your diverse workforce. Why not replace the guy in the hoodie with a cartoon crook?  Additionally, what we’ve found at Xcapism Learning is that cybersecurity training is enhanced when internal teams at companies compete.

Playing in teams, adding a league to find the fastest time out of a cyber escape room, prizes for the best team name, all combine to heighten the enjoyment, and consequently, engagement.

Gamification principles will lead your colleagues to remember more, because you’re more likely to remember a time when you had fun.

And if you’ve had fun, you’re building a more cyber-risk averse culture across your company.

* By Meera Mehta, CEO, Xcapism Learning

=============================================

Click here to download the entire Spring 2021 M&E Journal