I am looking into new ideas how we can create security awareness programs. Due to information overload I am thinking toward playing and learning; does anyone have experience with how we can create programs based on the concept of learning by playing?
Interesting. Are you thinking about an online/web-based program or an offline one?
I, personally, have done interactive briefings that keep people engaged in what you are talking about. If you are also talking about games, I have seen work associates use games such as Jeopardy. Have subjects and answers like they use on the game.
-Chris
@Ernst_Huijten wrote: I am looking into new ideas how we can create security awareness programs. Due to information overload I am thinking toward playing and learning; does anyone have experience with how we can create programs based on the concept of learning by playing?
Hi Ernst,
By all means, develop lists of ideas for security awareness training elements and implementation, but don't think that you're alone in the endeavor. Make room for the corporate culture and departmental managers to influence your thinking and recommendations. You'll need buy-in from management anyway, and they may be more enthusiastic if they feel as though they've had some input.
Whether or not gamification is a good option goes back to the culture. At my last job, it was very popular. Not so much where I work now, as management prefer to keep the training metrics confidential.
My two big recommendations have to do with size and content. Users are more likely to pay attention to and retain smaller parcels of training information. Also, don't be afraid to occasionally offer training tidbits on information security topics that may not have direct relevance to company operations (safely using Facebook and configuring home Wi-Fi, to name a few). Users will pay attention if they believe they will derive benefit from the training.
Above all, be effusive with your praise when users rely on their training to good effect, and encouraging when they don't. Some of my best "security partners" ended up being users that blew it a few times.
Some great advice from previous replies. Reiterating to fold the business partners / departments into the content development process, connecting your message to everyday business activities with which the teams can relate. Also, as previously stated, I've also found it beneficial to loop "personal / home" security into the discussion, which often reemphasises the message. Partnership across the company is key.
PBS Nova Labs partnered with Lockheed Martin to create a cybersecurity game that is pretty good for general computer and security awareness. It might provide some ideas for what you're looking to do.
One key point is to make certain that the communication is two-way.
We are attempting to modify psychological behavior when dealing with security awareness. The goal is to make the behavior of the end-user a natural response erring on the side of safety.
Implement as part of your training program an element of testing on the important objectives of your SA program. See if the end-users can repeat back to you in the form of question/answer the gist of your objective. If not, blame the material and define a better curriculum. Employ metrics. Learn how to better train your user base.
One pet topic: talk to HR people. If you have an in with a professional HR body (eg the CIPD in the UK), so much the better. There are many people in the HR space who have significant experience in changing working culture (and much of the time this is what security awareness training needs to tackle) - so go pick their brains.
James
Thanks for your response, will take this to heart!
Hi Andika, I haven't made a decision yet on the type of distribution, but looking for content that would fit my needs. What I do see is that trying to create web-based programs will have a huge financial impact, so thinking about how to make it cheap and effective.