People are an indispensable factor in the day-to-day operation of a business. As a result, no business can get around one security loophole: people.
The most effective cybersecurity measure is to raise employee security awareness, but the budget is always "not enough". This leads to a global cybersecurity blind spot and paradox:
Personnel vulnerabilities are the most dangerous and the easiest to fix (they don't require expensive technology products or top technical talent), and they are also the most difficult to fix (underappreciated and short of budget).
From a business perspective, it's easy to understand why raising employee awareness is often not the first choice when placed alongside concepts such as "security products". People's awareness is a very abstract concept, and sensitivity to the budget means this aspect of the work is tested more rigorously as it moves forward.
Not only cybersecurity training but routine employee training in general becomes boring and monotonous through repeated delivery. It is not uncommon for the results to be unsatisfactory or the feedback to be poor.
In this context, how to innovate in the methods of awareness education and in shaping corporate cybersecurity culture, so that security training changes from something "passive" imposed by the company to something employees "actively" invest in on their own, has become an urgent topic. In this article, we'll look at how gamified design can be applied to awareness education campaigns to accelerate corporate cybersecurity culture change.
The term "gamification" [1] was first coined in 2002 by a programmer from the United Kingdom to explain a class of design ideas that have been widely used in different fields.
Professor Kevin Werbach of the University of Pennsylvania gives a simple, decomposable definition of this concept:
"Gamification is the use of game elements and game design techniques in non-game contexts." [2]
To put it simply, game elements, game design techniques, and non-game contexts are the key concepts that constitute gamification design. They correspond to the smallest units of interaction design, process design, and design scenarios, respectively, and they all ultimately serve purposes other than "games", so that training and other scenarios become more interesting to participants and hold their focus, for better implementation.
In addition, technological innovation has also been very striking in game design. For example, to help participants enter specific situations, we can use VR devices to experience scenes in the metaverse in EY W**espace, and we can also introduce AI digital humans for interaction.
According to Harvard Business Review's 2023 article "Training Not Working? Try to gamify it", the right gamification training can significantly improve employee performance: continuous, serious training, including challenges and levels that reflect progress, immediate feedback, points and competition.
In actual business scenarios, gamification has a wide range of applications, and in practice it is typified by "immersive training". In recent years, EY [3] has adopted the concept of "gamification" to provide cybersecurity training and awareness-raising services to a number of enterprises, helping them drive change in their cybersecurity culture.
Take a leading retail enterprise as an example:
In order to enhance the influence of the security function in the enterprise, improve the cybersecurity awareness of all employees, and form a top-down corporate cybersecurity culture, we designed the first-year transformation plan for the client:
Create a "brand" image, designing a mascot and slogan that fit the corporate culture and carry security attributes;
Establish communication channels and sites for the network security team, such as internal public mailboxes;
Design an adventure theme for this year's transformation plan, running through the monthly events, and set up badges to motivate employees to participate;
Customize training courses for employees of different functions and levels, replacing "lecture" training with "games" and interactive methods;
Refresh the content and form of the monthly report: the original text-only content was transformed into a new model of original comics combined with popular science and suited to mobile reading; reading volume doubled several times and the report was widely praised;
Hold an annual security day, demonstrating scenes such as access card theft and Wi-Fi phishing through "black technology", publicizing security knowledge with the help of small games, and setting up on-site mechanisms such as **, check-ins, and social circle sharing to improve the publicity effect.
Traditional information security threats have not subsided, new cyber security challenges are emerging one after another, and security concepts are constantly evolving, so it is necessary for the entire enterprise to maintain a good and progressive cyber security culture.
Leveraging immersive concepts and "gamification" design, EY is able to provide multifaceted cybersecurity culture change services for enterprises:
Brand image building:
Design original mascots, logos, declarations, themes, etc. for the team, strengthen the impact of the cybersecurity brand, and lay the foundation for subsequent interactions and work.
Cyber War Game:
According to the differences between drill objectives, audiences, and processes, there are three main types:
Customized, interactive training:
Tailored to the characteristics of the enterprise, the audience or the theme, gamified training methods strengthen the training effect and improve employees' security awareness and security skills.
Awareness Campaign:
Campaigns such as Privacy Day and Safety Week aim to raise all employees' awareness of daily prevention and protection, as well as how to deal with potential threats.
Regularly published journal:
Journals are generally published biweekly, monthly, or quarterly, and are pushed to all employees and to specific groups of people (such as management, product teams, and store personnel) in an interesting and lively form. The content can cover current affairs, security knowledge, security incidents, recent events or project updates, etc. For example, when generative AI became a hot topic in early 2023, employees were shown how to cautiously open the door to the "new world" through short animated scenes close to the daily operation of the enterprise, such as ** development, translation, data analysis, etc.
Clear purpose, sound design, and novel form are the core advantages of integrating gamified design with corporate culture empowerment, and immersive training is an important vehicle that gives enterprises an easy-to-accept and effective cornerstone for "taking a small step". In the digital era, where the importance of cybersecurity and data protection is becoming more and more prominent, it is believed that more and more enterprises will shift from "first" to "prevention", and treat cybersecurity culture as the first bastion on the line of defense, so as to strengthen their core competitive advantage.
Note:
[1] Wood, Lincoln & Reiners, Torsten. (2015). Gamification. 10.4018/978-1-4666-5888-2.ch297.
[2] Werbach, Kevin & Hunter, Dan. (2012). For the Win: How Game Thinking Can Revolutionize Your Business.
[3] Ernst & Young (China) Corporate Advisory***
This article is prepared for general information purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please ask your advisor for specific advice.