If you are looking for innovative, fun and proven methods of gamification-based learning to apply in organizations that can be used without any restrictions in the development and execution of cybersecurity incident response tabletop exercises (TTEs), Lego Serious Play (LSP) is a worthy choice.
Keeping participants engaged in TTEs should be a top priority. If you do not get creative and present a visually appealing and better experience for your participants, you will always get less interaction and engagement from them.
Gamification is the use of game mechanics to drive engagement in non-game business scenarios and change behaviors in a target audience to achieve business outcomes. LSP is a systematic method that enables people to use Lego bricks to solve problems, explore ideas, play and have fun, and achieve objectives.
We have led several TTEs for financial organizations applying the LSP method, and we observed that participants who used the Lego models represented a team understanding of a cyberattack, its impact, and the step-by-step incident response/shared vision for a response strategy, as well as the mitigation of the cybersecurity incident simulated in the TTE. TTE participants can make physical connections between various Lego models to demonstrate how they are related, which helps organizations solve relationship problems between cross-functional roles (i.e., legal, IT, human resources, public relations) and issues of resistance to performing cross-functional tabletops.
By observing connections among Lego model systems, and by playing in the cybersecurity incident scenario, participants are able to identify the underlying truths that guide them through future and realistic cybersecurity incident scenarios.
And, importantly, participants recognize the value in the cybersecurity incident response TTEs using LSP because it increases team understanding and decreases frustration, while also creating a level playing field for discussion.
Editor’s note: For further insights on this topic, read Fabian Garzón and Gustavo Garzón’s recent Journal article, “Cybersecurity Incident Response Tabletop Exercises Using Lego Serious Play Method,” ISACA Journal, volume 4, 2020.