A Non-Security Awareness Guy Walks Into a Bar

Or, in this case, he walks into the European SANS Security Awareness Summit.

I love it when professionals in a particular field take a close look at a niche part of their own field. In this case, my colleague Bill Montgomery, from VanityAndSecurity.wordpress.com, attended the SANS event with me when I presented on cognitive bias in communicating risk.

Bill’s response was a blog post: “10 Things I Learned at the SANS European Security Awareness Summit”.

I particularly wanted to address his second point, “You can game the game”, about the gamification of security awareness:

Sure, you can start small, but what happens when you run out of incentives? “I’m not reporting this bug I found. I’ll wait until the t-shirts are back in stock.” or “Psst, buy me lunch and I’ll tell you a great hack for the new app.” Sounds like a slippery slope.

What I particularly liked about the approach presented at the summit was the combination of permanent and temporary points. If your incentive is to get the good parking space, you are only going to get that perk for a short time. The point decay idea was genius because it means that your incentives stay scarce, and therefore valuable, for longer.

The other point I’d like to make is that the gamification programme should be designed to focus on good behaviours and to empower people to engage in those behaviours, even if there are no incentives. “Shared belief” is a major component in any culture, even a security culture, and the branding, messaging, and even the incentives should reinforce the belief that secure behaviours are a benefit to all.

This takes more thought than simply asking “what colour t-shirts should we get?”, but the rewards far exceed the effort.

Comments (1)

  1. Oh, but I do believe in security awareness. I do believe in security awareness. I really, really do!

    Granted it’s a single check box on my list of 200 PCI requirements but that’s not my fault.

    You can have the best annual security training in the world and I will check the box for Req. 12.6.1. You can have the worst annual security training in the world and I will still check the box for Req. 12.6.1.

    But I will tell you…
    …after I’ve done my spiel on risk management
    …after I’ve done my spiel on storing PCI data
    …after we’ve done our 3-day teambuilding exercise in the Rockies
    …I will tell you that you can do security awareness well or you can do security awareness poorly; for the same price. I’ll even help. I’ll do 20 minutes of stand-up on PCI awareness for any audience; any time.


    I’m not convinced that gamifying security awareness is the best approach. I’m not even sold that applying behavioural expertise is the best approach. It still feels like we’re trying to simulate an internal awareness with external controls. They may get the job done. But have we really made the world more secure?

    So, I also agree with go-phish that “shared belief” is a higher goal. I’ve just yet to see a game that I’m convinced can deliver it.
