Every employee needs to be aware of cyber security risks and the basic actions they may need to take, such as correctly reporting suspected phishing attacks. Others, including IT staff, need more in-depth training.
There is also a legislative requirement for cyber security training. The Data Protection Act 2018 states in chapter 4, section 71, subsection 2, that:
“In relation to the policies mentioned in subsection (1)(e), the data protection officer’s tasks include:
- Assigning responsibilities under those policies.
- Raising awareness of those policies.
- Training staff involved in processing operations.
- Conducting audits required under those policies.”
Traditional methods of educating staff in security mindfulness, such as through presentations, can sometimes be met with boredom and apathy. Some may also view security training as a box-ticking exercise.
To protect themselves and their staff, organisations need to find engaging ways to present their cyber security training, so that it will actively appeal to employees.
A widely used technique of improving engagement is to have a test at the end of the training session. When attendees are informed that they will be expected to answer a series of questions in order to pass a training session, they tend to be attentive. “Where training doesn’t have a test at the end, people just try to get through it as quickly as they can,” says Colin Tankard, managing director of Digital Pathways.
Gamification of training
Gamification is an attempt to enhance systems and activities by creating similar experiences to those in games, in order to motivate and engage users, while building their confidence. This is typically done through the application of game-design elements and game principles (dynamics and mechanics) in non-game contexts. Research into gamification has proved that it has positive effects.
Gamification techniques are intended to leverage our natural desires for socialising, learning, mastery, competitiveness, achievement, or simply our natural response to a situation being framed as a game. Some techniques used in this approach include adding meaningful choice, introducing new concepts through a tutorial, increasing challenge, and adding a narrative to the experience.
Gamification has been dismissed by some as a fad, but the application of elements found within game playing, such as competing or collaborating with others and scoring points, can effectively translate into staff training and improve engagement and interest.
“The way that cyber security training sessions are happening is changing and it’s for the better,” says Helen McCullagh, a cyber risk specialist for an end-user organisation. “If you look at the engagement of sitting people down and them doing a one-hour course every year, then it is merely a box-ticking exercise. Organisations are trying to get 100% compliance, but what you have are people sitting there doing their shopping list.”
Embedding collaboration within training
Simply dividing the attendees into groups and having them compete with each other encourages engagement. This is why team-building exercises are often based around a series of group tasks that require collaboration. “If you sit a group of adults in a room and then put them in teams, you make them competitive and they are going to go for it, hell for leather,” says McCullagh. “They are going to come out of their shells and they are going to talk to each other.”
McCullagh recalls: “About four years ago, we had an interesting thought that there are a lot of escape rooms [where players need to work together to solve a series of puzzles to escape from a room] and it sparked the conversation in our team. We realised that if we did this slightly differently, it would interest people a bit more. The way we develop the room is to make them observant about the security controls within a room. We’ll have them looking at a photograph of an office space, showing where the risks are. They are the most fun things to do, but they are also hugely impactful.”
Another example has been a Top Trumps-style card game, in which players have a set budget and need to create a cyber security capability that encompasses people, technology and processes. Once each player has finished, each strategy is assessed and the player with the strongest capability wins.
Although this may seem playful and frivolous, it can enhance the learning experience. By embedding the principles of cyber security into the medium of a game, players can engage with the subject without feeling overwhelmed or intimidated. “Gamification can sometimes dumb it down,” says Tankard. “That’s where, in the cyber world, you have to be really careful between making it enjoyable for the employee and still keeping it serious. I have seen some really interesting ways of doing training in that middle ground.”
There is also simulated disaster management, in which cyber incidents are simulated to give staff practical experience of a hack without any risk to the network. Staff can be scored based on their actions during the simulation and how well they collaborate with each other. With a suitably granular assessment record, organisations will be able to identify key areas for training to focus on.
There are also video games that teach security concepts. An example of this is CyberCIEGE, which is structured akin to the Sims video games. In CyberCIEGE, players take on the role of an IT manager for a small organisation and it is up to them to defend against different types of cyber attack. The players purchase and configure workstations, servers, operating systems, applications and network devices. They must maintain a balance between productivity and security, within strict budgetary constraints. In longer scenarios, players advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.
“We embedded network security simulation into a video game through the use of resource management tensions employed by games such as SimCity and Roller Coaster Tycoon, which were relatively new games when CyberCIEGE was initially developed 20 years ago,” says Michael Thompson, a research associate at the Naval Postgraduate School.
“Students must provide game characters with computing resources to enable them to achieve their goals, which include access to information assets. CyberCIEGE has a few simple introductory and training scenarios, but at the heart of the game are scenarios that require students to develop an understanding of computer and network security concepts.”
Target training for the audience
To maximise usefulness and engagement, the training also needs to be pitched appropriately for the audience by understanding their current needs and skillsets. Tankard says: “Training needs to be pitched at the right level for the individuals, which sometimes you see when training isn’t across the board. There is nothing more frustrating than when you are way above their level.”
All staff require some level of ongoing security training, but in-depth training should be targeted to the specific people who need it most. “You can see the people who are observant and those that need a little bit more training,” says Tankard. “Scoring makes it easier for the IT teams and the governance people to know what level the workforce is at.”
The security sector, especially those in the operations field, are familiar with gaming, and many are gamers themselves. As such, they will be comfortable with many of the gamified elements and language in gamified training. However, those not directly involved may be unfamiliar with gaming and may not appreciate the methodology used, or may fail to see the merits of it.
Moving training online
Since the pandemic, security training has been moving online and so too have the gamification processes, albeit virtually. Although online training sessions naturally diminish the face-to-face aspect, they can enhance greater collaboration between teams, as they are no longer bound geographically. By having everyone focused on a specific goal, they can work together in a virtual environment. “By taking training online, the collaboration is better, as you can collaborate with people in different countries,” says McCullagh.
But focusing on training being gamified can become self-defeating because it can delay the implementation of a training regime, and any training is better than no training. “Making it entertaining – that’s the secondary thing,” says Tankard. “The first thing is to get some something in place and get it going – that’s the key.”
Cyber security training, and the way it is presented, is changing, but in our connected world, with ever-increasing threats, training needs to evolve and become more engaging. McCullagh concludes: “If you sit people down with other team members and do a short session, it engages them and brings them in. If you take them along on a journey, or make them compete with each other, all of a sudden they become engaged and need to know, for example, how long this password is going to take to guess.”