How do you turn something as serious as cyber security into something engaging and fun, and in doing so, create a security awareness culture?
Being able to laugh with your workmates can help get you through the ups and downs of working life. A sprinkle of fun can also make the difference between a dull lecture and something that sticks in a learner’s mind. But just reading the phrase “security awareness” can make you yawn and your eyelids close.
A Few Ideas to Make Security Awareness Training Fun
Security Awareness Training is used to develop a culture of security. Educating staff about the dangers of cyber security threats ensures that staff across the entire organisation understand how to keep their working environment more secure.
But cyber security is not typically seen as a fun thing. Just thinking about security can, let’s face it, make many of us want to go back home to bed and hide under the covers. But by using humour, the security awareness yawn can become the security awareness smile.
The goal of security education is to build a security awareness culture: we all know that when learning is fun it is more likely to stick. And there is plenty of scientific evidence to back this up, showing that adding some fun into learning pays off.
Here is an example: one discipline that is arguably even drier than security is statistics. A study published in the Journal of Statistics Education explored the use of humour and fun in improving learning outcomes for statistics students. The study found that humour was one of the “five most important interventions” to help students learn more effectively; humour helped to alleviate anxiety in learning the subject.
Similarly, in educating employees on the dangers of cyber security threats, including phishing and social engineering, humour can go a long way to help these dry and often complex subjects, stick in the minds of employees.
Here are a few ideas on how to use fun and games to cement your security awareness culture.
Get People Talking About Security
Humour can be a great way to break the ice and form bonds. To get the conversation going on security matters, add a few jokes into the training sessions. One way to do this is to use visual aids, and one such aid that has universal appeal is the ‘funny meme’.
Memes are great to use when learning something as they are memorable. The internet is awash with memes on every subject from cats to babies and even cyber security. Security Awareness Training posters that use memes can be great at grabbing the reader’s attention with a funny quote and then drilling down into the details of a security awareness issue. Build a series of security posters, each based on a different meme that focuses on a core issue, such as a good password policy.
For inspiration, check out this list of the top ten security memes: Top 10 Cyber Security Memes
“Escape From Cybercriminals!”
People love the escape room concept, as the 1500 escape rooms across the UK demonstrates. The reason for this popularity is most likely because of the teamwork involved in solving a puzzle. Focusing on a problem with other people can be a fun thing to do, it can help to build a culture of security awareness and cement relationships.
When designing a Security Awareness Training program, use interactive tasks and puzzles within a team context. Think about the ways that can be used to add an element of fear or of “the chase” to focus employee minds on the types of attack methods that cybercriminals use. Try splitting a group into two and making one group cybercriminals and the other “victims” – set the task to ‘socially engineer’ the group representing “victims”.
Switch the teams around to make sure that everyone gets a chance at thinking like a scammer – by thinking like a cybercriminal, the employee will start to see how cybercriminals operate and how manipulation happens.
Fun and Games to Creates a Security Awareness Culture
We are all just big kids when it comes down to it.
Using games to help people learn is something that works to help solidify human understanding. The area of Game-based Learning Theory describes gamified learning as ‘experiential’. This type of learning is effective as it builds experiences through role-playing and other games.
A study “Gamification of Information Security Awareness and Training” from the Norwegian University of Science and Technology, found that “…high level of interactiveness was said to potentially defeat some tediousness of e-learning”.
When building a security awareness culture, make sure that you include lots of interactive elements that are fun and use humour to make memories. Don’t expect a security awareness culture to develop if employees are made to sit in stuffy offices and listen to boring lectures. A good Security Awareness Training program will offer interactive videos that are human-centric and make learning fun.
Building an effective framework for a security awareness culture is tough. But by engaging employees in events that are fun and memorable, a company is more likely to cross the boredom boundary.
It is important in a climate where cyber security impacts every company and where losses due to phishing and ransomware are staggering, to secure your organisation. This battening down of the corporate hatches must include your people.
By using humour, an organisation can make the concept of security the goal of everyone and get people talking about it, not falling asleep at the mention.
