Cyber security training and awareness through game play?


Many organisations are choosing to implement their cyber security training and awareness programmes through game play, both to improve user participation and bring a level of interest to the subject area. This tactic presents advantages in that users are much more likely to respond to an interactive training programme, rather than having to read through pages and pages of security policies. Cyber security and awareness training is renowned for being difficult to teach to people, with many users less interested in how their actions may affect the organisation and more interested in getting on with their job while retaining the ability to browse the web and perform personal tasks.

However, cyber security training and awareness is imperative for organisations to ensure that users are aware of their policies and how breaching these may cause risks to the business. This is vital for two reasons. Firstly, if an employee breaches a security policy accidentally, this is more often than not because they are not appropriately trained in the subject area. For example, an employee may forget to include a protective marking on an email that is subsequently released into the public domain. This scenario can be easily avoided through appropriate training on data protection and markings. However, failure to provide appropriate training may leave employees none the wiser on the risks of not marking data appropriately.

Secondly, and more importantly, malicious insiders who have not received appropriate training may be able to use this as an escape mechanism for undertaking illegal activity. For example, an employee with malicious intentions who has not received appropriate training, but is fully aware that they are breaching security policies, can use the excuse that they haven’t been trained properly if they are caught doing something wrong, e.g. extracting company data or installing a malicious back door into the network. If the organisation provides appropriate cyber security and awareness training, then these malicious insiders have no excuse, as they have been trained appropriately and are aware of the consequences of their actions. This is why it is particularly important to ensure that employees sign some form of acceptable use policy following training, so that, if legal proceedings do occur due to misuse, the organisation has ensured that the employee is aware of their misuse.

Making information security policies more interactive increases the chances of users understanding, and ultimately complying, with them

So, we have looked at the reasons why cyber security and awareness training is important to an organisation, but what is the best way to deliver this type of training? As discussed, it is often a boring subject area that employees have little interest in. It is also a difficult subject to convey in a format that keeps users interested. With this in mind, many organisations are starting to implement cyber security training and awareness through game play.

Cyber security training and awareness can be best achieved through interactive means, either via game play, questionnaires, quizzes or live security training and group participation. Interactivity is key, and many cyber security training programs offer this kind of interactivity as part of a package. For example, a particular piece of software may provide some form of e-learning, where the employee works through presentations and data before answering a subset of questions at the end. This is often a popular route, and organisations can even configure these packages to restrict access to a system or service until the training is complete. The training package can also be configured to recur within a set time, mix up questions and content, and even track all those that have complied. Finally, the software is capable of providing, storing and monitoring acceptable use policies. This may be one way of achieving cyber security training and awareness through interactivity.

The next option is to procure, or develop, an awareness-style game that provides interactivity for the user. A simple first-person-style game can be produced that presents several real-life scenarios and options for the user. The user must score a specific percentage in order to pass, and those who choose the wrong options are presented with an explanation of the risk that has occurred due to their actions. The outcome is that cyber security training and awareness through game play enhances the user's interactions with your security policies and ensures that the content remains fresh in their minds due to a circumstantial, scenario-based approach. By developing an effective, interactive game, data protection and security issues can be addressed in a relatively fun way, providing well-educated employees that are less likely to succumb to security risks.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
