How Gamification Training Empowers Employees Against Phishing Attacks
[Unpublished article for a former client]
Cybersecurity is everyone’s job. Despite the mounting data pointing to the human factor in cyberattacks, many executives and managers still see cybersecurity as a problem for the IT department. The IT department plays a crucial role in an organization’s security infrastructure, but it cannot prevent attacks alone. Companies should hold their whole staff responsible for enforcing cybersecurity measures.
Employees face potential cybersecurity threats daily, including phishing emails, social engineering, SMiShing, vishing and other attacks. Remote employees are more vulnerable to these attempts. In 2020, 43 percent of companies experienced cybersecurity issues with employees who worked from home.
Cybersecurity training enables employees to be the strongest line of defense against cyberattacks. But not all training is alike. Adding a gamification element to a training program can help employees retain information and be better armed to protect themselves against threats.
How Gamification Works
Traditional training has its role in educating employees on a company’s cybersecurity protocol and best practices. Established tactics like presentations, videos and tutorials can provide the foundation for security awareness and gauge the employee’s understanding.
Gamification training integrates gaming techniques with traditional learning. Using a combination of psychology and skills motivates employees to achieve specific goals—in this case, recognizing cybersecurity attacks. By creating a higher level of engagement, gamification sustains their attention and boosts their motivation to learn the material.
Training games do more than explain the complex topic of cybersecurity; they put employees in real-life situations where they can learn how to uncover and respond to threats. Gaming incentivizes employees by tapping into the brain’s reward system and creating an emotional response to the game. It can also reinforce behaviors associated with positive outcomes.
Many security awareness courses teach solely through quizzes or multiple-choice questions, but that approach doesn’t promote analysis. Passive learning encourages memorization rather than active participation. Hands-on learning through video games can help employees retain more information. It also provides a safe place for employees to recognize attacks and safeguard cybersecurity measures.
Learning styles have been studied for decades, and time and again, hands-on learning has had better outcomes. Bloom’s Taxonomy is an educational principle based on the idea that learning should go through steps of varying complexity to achieve mastery of a subject. By using the information they have learned, students not only understand subjects but can think critically about them.
In adults, this learning theory can be applied to any complex subject. A student's goal should be to know how to apply the knowledge they have received. In cybersecurity training, it can mean the difference between having informed employees who know how to avoid an attack and employees who simply know threats are out there.
Statistics show that 97 percent of people cannot identify a phishing scam. With attacks constantly evolving and appearing across email, social media and even texts, employees need to know how to identify and, more importantly, how to stop them.
Make Employees Cybersecurity Advocates
A company’s cybersecurity efforts should extend beyond the IT department. Employees are entrusted with equipment, so they should be enlisted to protect it. Within the last year, 83 percent of global organizations experienced phishing attacks. The cost alone of repairing the damage of an attack should be reason enough to hold employees responsible for preventing these breaches, but often it is not.
Many organizations think anti-theft software and encrypted data are all they need to protect their information. Many employees can be susceptible regardless of how comfortable they are with technology. Phishing attacks are becoming more sophisticated, and even the most cautious employees could be caught off guard if they are having a busy day. If all employees were aware of threats and knew how to avoid and report attacks, a company would have a stronger cybersecurity system that relied on its whole team rather than one department.
Diverse and ongoing training is the first step in building stronger safeguards against security breaches. Specialized training programs that encompass both gamification and traditional learning methods will encourage employees to be accountable for the safety of their employer’s data and advocate against cyber threats.