[BreachExchange] Gamification Can Transform Company Cybersecurity Culture

Destry Winant destry at riskbasedsecurity.com
Wed Sep 4 10:15:57 EDT 2019


Implementing game mechanics and competition into the mix can
incentivize employees to improve their cybersecurity posture.

Chief information security officers (CISOs) of Global 2000 enterprises
have one of the toughest jobs in the world, defending their
organization’s cyberspace and being the guardian of its assets and
private information. But CISOs also have a second, even bigger
problem: Their own company employees.

There are always gaping holes in an individual organization’s
cyber-defenses, including but not limited to: Unpatched systems,
reused passwords and misconfigurations. CISOs want to shore up their
organization’s defenses, but unfortunately, the rest of the company
might not be very helpful: They either do the wrong thing, or nothing at
all, to help improve the company’s cybersecurity posture.

Human causes of cyber-breaches like misclicks, misconfiguration or the
failure to fix a known and critical vulnerability are very common, and
improving cybersecurity awareness to the point where business owners
can be effective cyber-risk owners is very hard. CISOs struggle to
explain to their colleagues that there is no way they and their
small security teams can secure everything alone. In fact, CISOs
require the help of every employee.

Fortunately, an effective strategy to increase employees’ ownership of
cyber-risk management can be found in an unlikely place: Ad-hoc

Gamification to Improve Cybersecurity

Gamification of a company’s cybersecurity practice involves leveraging
employees’ natural desires for learning, mastery, competing,
achievement, status, recognition and rewards towards reducing an
organization’s overall breach risk. According to findings from the
American Psychological Association, competition increases
physiological and psychological activation, which prepares employees’
minds for increased effort and enables higher performance. In this
case, higher performance means being better able to detect and thwart
security threats.

Effective Implementation

Gamification is most effective when the “gamemaster” of the initiative
applies a comprehensive approach.

The first step is to identify risk-owners. This can be partially done
via an organizational chart, but that should be shored up by observing
and analyzing a company’s network traffic and endpoint activity. This
allows risk to be traced back to individual users’ actual behavior.
What services do they connect to? What privileges do they have?

Analyzing the configuration management database (CMDB) and legacy
inventory systems can fill out the picture and identify assets for
which there appears to be no risk owner.

From there, the gamemaster can define groups and assign them to
specific team leaders.

Next, enable notifications and digests that allow the gamemaster to
communicate with all employees by using rich context. For example,
when the next WannaCry emerges, the gamemaster will be able to
automatically notify each relevant risk-owner about the situation to
let them know if there is a high-value remediation task that must be

Allow the gamemaster to assign tasks with context to each risk-owner
that includes different options for mitigating risk. People tend to
perform at their best when provided with some degree of autonomy in
how the task may be achieved, and are more engaged when they know they
have room to learn as well as show creativity and initiative.

Why Participate?

Gamification takes the fun part about games and effectively applies it
to situations that are generally seen as not fun or as having no
day-to-day value (a.k.a. “busywork”). The heart of effective
implementation of gamification revolves around points and incentives;
risk-owners that complete cybersecurity tasks correctly and in a
timely fashion will be awarded points.

If using a gamification platform, it can be programmed to track and
validate the completion of tasks by risk owners as well as tally their
points and other accolades. Consider integrating with ticketing
systems like ServiceNow and Jira to provide task assignments and

Public recognition, such as physical badges awarded for achievements,
also goes a long way toward giving individual risk owners a deeper
sense of ownership of the risks they manage.
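The tracking, validation and points logic described above, and the
mean-time-to-patch figure the article closes with, are easy to get
wrong in one specific way: awarding points for a ticket someone marked
"done" rather than for a finding the scanner has actually stopped
reporting. The following is an added example, not code from the
article or from any vendor's gamification platform. It assumes a
hypothetical data model in which findings come from a scanner and task
closures come from a ticketing system; the SLA days and point values
are illustrative choices, and all records are constructed (the two CVE
identifiers are real, well-known ones used only as labels).

```python
"""Validated points tally for a remediation 'game' (added example).

Assumed data model: findings come from a vulnerability/config scanner and
task closures come from a ticketing system. A closure earns points only
when the scanner confirms the finding is gone, with a bonus for meeting
the severity SLA. SLA and point values are illustrative choices.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}     # days to remediate (assumed)
BASE_POINTS = {"critical": 100, "high": 50, "medium": 20}  # assumed values
ON_TIME_BONUS = 0.5                                        # +50% when fixed inside the SLA


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str                     # CVE id or a misconfiguration/hygiene label
    severity: str
    owner: str                     # risk owner identified for the asset
    first_seen: datetime
    fixed_at: Optional[datetime]   # None while the scanner still sees it


@dataclass(frozen=True)
class TaskClosure:
    ticket: str
    asset: str
    issue: str
    owner: str                     # who closed the ticket
    closed_at: datetime


def day(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records; not real scan or ticket data.
FINDINGS = [
    Finding("web-01", "CVE-2017-0144", "critical", "alice", day("2019-08-01"), day("2019-08-04")),
    Finding("db-02", "CVE-2017-0144", "critical", "bob", day("2019-08-01"), day("2019-08-20")),
    Finding("app-03", "CVE-2019-0708", "critical", "carol", day("2019-08-10"), None),
    Finding("web-01", "reused-password", "medium", "alice", day("2019-08-05"), day("2019-08-15")),
    Finding("db-02", "public-bucket-acl", "high", "bob", day("2019-07-01"), None),
]
CLOSURES = [
    TaskClosure("T-1", "web-01", "CVE-2017-0144", "alice", day("2019-08-04")),
    TaskClosure("T-2", "db-02", "CVE-2017-0144", "bob", day("2019-08-20")),
    TaskClosure("T-3", "app-03", "CVE-2019-0708", "carol", day("2019-08-12")),  # scanner still sees it
    TaskClosure("T-4", "web-01", "reused-password", "alice", day("2019-08-15")),
    TaskClosure("T-5", "web-01", "CVE-2017-0144", "dave", day("2019-08-04")),   # not the risk owner
]


def score_closures(findings, closures):
    """Award points per owner; return (points_by_owner, rejected_tickets)."""
    by_key = {(f.asset, f.issue): f for f in findings}
    points = defaultdict(int)
    rejected = []
    for c in closures:
        f = by_key.get((c.asset, c.issue))
        if f is None or f.owner != c.owner:
            rejected.append((c.ticket, "no matching finding for this owner"))
            continue
        if f.fixed_at is None:
            rejected.append((c.ticket, "scanner still reports the finding"))
            continue
        pts = BASE_POINTS[f.severity]
        if f.fixed_at <= f.first_seen + timedelta(days=SLA_DAYS[f.severity]):
            pts = int(pts * (1 + ON_TIME_BONUS))
        points[c.owner] += pts
    return dict(points), rejected


def leaderboard(points):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(points.items(), key=lambda kv: (-kv[1], kv[0]))


def overdue(findings, now):
    """Open findings past their SLA, for the gamemaster's digest; worst first."""
    rows = []
    for f in findings:
        if f.fixed_at is not None:
            continue
        late = (now - (f.first_seen + timedelta(days=SLA_DAYS[f.severity]))).days
        if late > 0:
            rows.append((f.owner, f.asset, f.issue, late))
    return sorted(rows, key=lambda r: -r[3])


def mean_time_to_fix_days(findings, severity):
    """Mean days from first_seen to scanner-confirmed fix; None if nothing fixed yet."""
    ages = [(f.fixed_at - f.first_seen).days
            for f in findings if f.severity == severity and f.fixed_at]
    return mean(ages) if ages else None


if __name__ == "__main__":
    pts, rej = score_closures(FINDINGS, CLOSURES)
    for rank, (owner, p) in enumerate(leaderboard(pts), 1):
        print(f"{rank}. {owner}: {p} pts")
    print("rejected:", rej)
    print("overdue:", overdue(FINDINGS, day("2019-08-25")))
    print("critical mean time to fix (days):", mean_time_to_fix_days(FINDINGS, "critical"))
```

The design point is that the ticketing system is the claim and the
scanner is the evidence: a closure filed against an asset the person
does not own, or against a finding the scanner still reports, is
rejected rather than scored, so the leaderboard cannot be gamed by
closing tickets. The same scanner timestamps feed the overdue digest
and the mean-time-to-fix metric, so the number reported to the CISO
is computed from the same data that awards the points.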

Scores can be published on a leaderboard to inspire further
competition. Companies can even consider monthly, quarterly or even
annual recognition of top performers with a prize. What employee would
not want to participate in cybersecurity posture transformation if
there was a chance of winning an all-expenses paid trip to Hawaii?

Furthermore, implementing gamification with an AI-powered or automated
cybersecurity platform allows corporate security teams to identify
employees who may need more training, spot weaknesses such as
reused passwords or risk hotspots, and find security controls that
are ineffective or hard to use.

By taking the best parts of game mechanics and applying them to
something that may be seen as dull by a company’s employees,
gamification can improve an organization’s cybersecurity with an
all-hands approach. In our experience, we have seen a dramatic
improvement in cybersecurity posture due to gamification, e.g.,
mean-time-to-patch for critical CVEs dropping from 30 days to four

More information about the BreachExchange mailing list