Make Security Awareness an Experience

Author: Eszter Diána Oroszi, CISA, CRISC, CISM, ISO 27001 LA
Date Published: 25 September 2020

In many countries, October is "Cybersecurity Month," and organizations like to time their security awareness programs around this period. As we approach October, it is important to start thinking about security awareness training and how best to engage employees. Users should be trained regularly to raise their security awareness and help them prevent and detect cyber attacks. But continuous improvement (and keeping security awareness at a high level) is not an easy task.

Typical elements of security awareness programs are trainings (now including more e-learning and fewer "classroom" presentations); posters, cards, advertisements and screensavers containing the most important rules and keywords of information security; gifts (notepads, calendars, mugs, T-shirts, mousemats) carrying security awareness messages; useful items like webcam covers, password generator cards and secure credit card holders; and games (quizzes, competitions). Many of these things are useful, but past experience and feedback from users show that people typically forget most of them quickly, especially the ones that are boring or state the obvious, such as "lock your computer," "use secure passwords" and "use the shredder." Employees would rather be an active part of security awareness programs and get answers to the main questions: Why is it good for me? Why should we be security aware? What could happen if a user does not follow the rules?

When I perform social engineering audits and security awareness trainings, I have observed that trainings are more effective when the presentation is colored with examples and photos from social engineering tests (or even real life). Bored participants in classroom trainings become alert when shown photos from the audit of their own workplace; many are curious when they see a familiar desk or situation. They then become active participants and share their experiences. These experiences led to the creation of a new element of security awareness programs: the security awareness escape room.

The security awareness escape room uses gamification to test the security awareness level of users and improve their information security knowledge through "learning by experience." The program encourages teamwork. During the game, players take the role of attackers or of colleagues of a fictitious employee. Participants work in an open office, and their goal is to read the content of a secret file in order to "escape the room." They may exploit only the security awareness mistakes of the targeted person; they should not use any hacking methods.

The exercises cover the following security areas:

  • Physical security, badge, proximity card and key usage (e.g., a key left in a flowerpot)
  • Clean desk and clean screen policy (e.g., important documents left on the desk)
  • Secure physical handling of mobile devices (e.g., a notebook without a Kensington lock, or unencrypted USB flash drives ("data travellers") left in a bag)
  • Secure passwords and PIN codes (e.g., easy PIN codes that can be found even on Facebook, such as birthdays, or helpful password reminders under the mouse mat)
  • Secure applications and application usage (e.g., fitness apps or games on mobile phones that could help to gather useful information about the target)
  • Encrypted devices and encryption methods (this can be new to the players, because they often do not know the accepted encryption methods at their workplace)
  • Information sharing and social media usage (it is very important to train users to avoid public sharing on Facebook and other social media sites; during the game, players see how easy it is to gather information about the target)
  • Secure printing and scanning (e.g., paper left in the scanner or forgotten documents in the printer)
  • Secure shredding of documents (not only confidential documents are useful to an attacker; notes or other internal information in the trash can also be interesting)
  • Malware and phishing attack methods (in some versions of the game, players must also be security aware themselves, because they can easily open infected files or malicious websites in the mailbox of the target)

If you want to run a similar game, you only need a place for the "fake" office (a free meeting room, an unused office or even a hallway), an office desk, a chair, a chest of drawers, a trash bin, Internet access and electricity. Once these are available, you can define the story and the tasks of the game.

Editor’s note: For further insights on this topic, read Eszter Diána Oroszi’s recent Journal article, “Using Gamification to Improve the Security Awareness of Users: The Security Awareness Escape Room,” ISACA Journal, volume 4, 2020.