Security Summit: Gamification beefs up cyber security
Gamification is an effective tool in developing a robust cyber security awareness training programme.
So said Priscilla Mutembwa, VP of US-Africa Cybersecurity Group, speaking yesterday during the ITWeb Security Summit 2021 event, held virtually.
According to Mutembwa, awareness training is crucial to any company’s cyber security strategy. Even before the COVID-19 pandemic, she said, many companies were affected by cyber attacks.
However, Mutembwa said the current COVID-19 environment has made things more difficult to the extent that every organisation – big or small – is vulnerable.
The coronavirus pandemic has created new challenges for businesses as they adapt to an operating model in which working from home has become the “new normal”.
Companies are accelerating their digital transformation, and cyber security is now a major concern, according to consultancy firm Deloitte.
“The point of security awareness training is to equip employees with the knowledge they need to combat these threats; security awareness is a must for all employees, using a range of learning methods,” Mutembwa said.
“Security awareness training helps to raise awareness of cyber security threats; it reduces incidents that are associated with human-borne risks within the organisation; and embeds a culture of security compliance.”
Security awareness training must address the distinct generational differences within companies.
“That’s where gaming becomes important. Gaming is the art of analysing the elements of fun, interactivity and rewards, and using these elements to drive behavioural change.
“Although there are some people who argue that generational differences may result in different engagement levels with gamification, as well as that males play games differently to females so they will react differently to gamification, I am very happy to say the studies show that gamification is quite effective as an awareness tool for all generations and genders. So I really recommend gamification as part of cyber awareness training,” she said.
Mutembwa added that security awareness training is a tool that assists in developing a security-focused culture: “Criminals do not always exploit only technical deficiencies within organisations, they often rely on people to access sensitive data. It is, therefore, the human factor that causes the most serious security breaches.”
Describing a security culture, she said: “The shared values, attitudes, knowledge and behaviours of an organisation are focused on creating security in the business.”
In an effective security culture, she said, security thinking is an obvious part of the business, where everyone is aware of the security risks and is willing to play a part in the reduction of security incidents.
“Security awareness also assists in getting everyone on the same page. I want to highlight that security awareness is for everyone in the organisation, since no one is immune to these attacks.”
She also stressed that security awareness helps companies in shifting employees’ perspectives from being reactive to proactive.
“If an organisation is reactive to security incidents, this means an incident has already occurred and that is not good. An organisation should look at security incidents as something to prevent.”
She also noted that security awareness is a pertinent component of building a culture of compliance in defending against threats.
“Despite the clear importance of security awareness training, it’s often a struggle for cyber security experts to demonstrate its worthiness from an investment perspective. Security awareness training requires a vision, specific outcomes and it also needs to be fun.”