Or, in this case, he walks into the European SANS Security Awareness Summit.
I love it when professionals in one field take a close look at a niche corner of that same field. In this case, my colleague Bill Montgomery, from VanityAndSecurity.wordpress.com, attended the SANS event with me when I presented on cognitive bias in communicating risk.
Bill’s response was a blog post: “10 Things I Learned at the SANS European Security Awareness Summit”
I particularly wanted to address his second point, “You can game the game”, about gamification of security awareness:
Sure, you can start small, but what happens when you run out of incentives? “I’m not reporting this bug I found. I’ll wait until the t-shirts are back in stock.” or “Psst, buy me lunch and I’ll tell you a great hack for the new app.” Sounds like a slippery slope.
What I particularly liked about the approach presented at the summit was the combination of permanent and temporary points. If your incentive is the good parking space, you only get that perk for a short time. The point decay idea was genius, because it means your incentives stay scarce, and therefore valuable, for longer.
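To make the permanent-plus-decaying-points mechanic concrete, here is an added illustration of my own; it is not code from the summit talk or from Bill's post. The event types, point weights, the 14-day half-life and the perk threshold are all assumptions chosen for the example. Permanent points only ever grow (they are the long-term record of good behaviour), while temporary points halve every fortnight, so a perk like the parking space lapses unless the behaviour is repeated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical scoring scheme (assumption, not the scheme presented at the summit).
PERMANENT_POINTS = {"training_completed": 10, "phish_reported": 5}
TEMPORARY_POINTS = {"phish_reported": 20, "bug_reported": 30}
TEMP_HALF_LIFE = timedelta(days=14)   # temporary points halve every 14 days (assumption)
PERK_THRESHOLD = 25                   # temporary points needed to hold the parking space (assumption)


@dataclass(frozen=True)
class Event:
    who: str
    kind: str
    when: datetime


def temporary_value(points: float, age: timedelta) -> float:
    """Exponential decay of a temporary award: half of it is left after TEMP_HALF_LIFE."""
    if age < timedelta(0):
        return 0.0            # events in the future count for nothing yet
    return points * 0.5 ** (age / TEMP_HALF_LIFE)


def score(events, who: str, at: datetime):
    """Return (permanent, temporary) points for one person as of time `at`."""
    permanent = 0
    temporary = 0.0
    for e in events:
        if e.who != who or e.when > at:
            continue
        permanent += PERMANENT_POINTS.get(e.kind, 0)
        temporary += temporary_value(TEMPORARY_POINTS.get(e.kind, 0), at - e.when)
    return permanent, round(temporary, 2)


def has_perk(events, who: str, at: datetime) -> bool:
    """The scarce perk depends only on decaying points, so it has to be re-earned."""
    return score(events, who, at)[1] >= PERK_THRESHOLD


def leaderboard(events, people, at: datetime):
    """Rank by permanent points first, decaying points as the tiebreak."""
    return sorted(people, key=lambda p: score(events, p, at), reverse=True)


# Constructed sample ledger (not real data).
EPOCH = datetime(2024, 1, 1)
EVENTS = [
    Event("alice", "phish_reported", EPOCH),
    Event("bob", "bug_reported", EPOCH),
    Event("alice", "training_completed", EPOCH + timedelta(days=7)),
]

if __name__ == "__main__":
    for day in (0, 7, 14, 28):
        at = EPOCH + timedelta(days=day)
        for person in ("alice", "bob"):
            perm, temp = score(EVENTS, person, at)
            print(f"day {day:2d} {person}: permanent={perm:3d} temporary={temp:6.2f} "
                  f"perk={'yes' if has_perk(EVENTS, person, at) else 'no'}")
```

Running it shows bob holding the perk on day 0 with 30 temporary points and losing it by day 14 when they have decayed to 15, while alice's permanent points keep accumulating (5 for the report, 10 more for the training) regardless of how far the temporary ones have faded.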
The other point I’d like to make is that the gamification programme should be designed to focus on good behaviours and to empower people to engage in those behaviours, even if there are no incentives. “Shared belief” is a major component in any culture, even a security culture, and the branding, messaging, and even the incentives should reinforce the belief that secure behaviours are a benefit to all.
This takes more thought than simply “what colour t-shirts should we get?” But the rewards far exceed the effort.