Carrots not sticks- Using Gamification to Transform Security Mindset of an Organization
4 likes1,437 views
The document outlines the use of gamification to enhance security awareness among employees by promoting vital behaviors such as vigilance, reporting, and training through engaging methods. It emphasizes the importance of prioritizing key behaviors, measuring progress, and using incentives to foster a security-conscious culture within the organization. The goal is to transform the mindset towards security from a chore to a valued part of the employees' roles, ultimately reducing incidents like phishing and unauthorized access.
Carrots not sticks- Using Gamification to Transform Security Mindset of an Organization
- 1. Carrots Not Sticks Using Gamification to Transform Security Mindset of an Organization Masha Sedova Senior Director of Trust Engagement, Salesforce [email protected] @modMasha
- 2. I want my employees to: Often our requirements are very general What Does Security Awareness Mean To Your Organization? Have more security common sense Make less security mistakes Be more vigilant Care more about their actions
- 3. What Are Your Vital Behaviors? Ask: What behaviors am I trying to change? Ask: What will people do differently after my effective program is in place? Ask: How will I measure this?
- 4. What behavior does this change? What Are Your Vital Behaviors? “More people will take more training more often”
- 5. 1. What are your most frequent incidents? 2. What would be the most damaging to your company? 3. What are easy wins? Less is more: • Asking for executive backing on too many behaviors can dilute the power of their support. • Have a backlog of behaviors but only act on the top few. • Have a few wins and iterate. Prioritizing your vital behaviors How To Choose Vital Behaviors
- 6. Linking Results to Vital Behaviors Say no to badge surfing See something, say something Think like a Chief Security Officer Don’t get fooled by Phishing Get certified and be ready # of people who fall victim to a phishing attack # of people who detect and report a vulnerability # of employees who completed annual security training # of Security Champions in Org # of unauthorized people accessing secure areas
- 7. Can this be solved with technology? Do it! Changing mindset is the hardest way to go about enforcing change. “I didn’t realize that security was part of my job” Communication, marketing, awareness campaigns “I didn’t know what to do about it” Training and skills “I didn’t have the resources or support to do it” Management alignment “I didn’t want to” Gamification and incentives Why are these behaviors not being done? Investigate Root Cause
- 8. Why Does “Want To” Matter? Most employees prefer a visit to the dentist over taking security training
- 9. It’s About Unleashing “Discretionary Performance” Getting To “Want to” Can we get more people to choose the stairs by making it fun to do?
- 10. It’s About Unleashing “Discretionary Performance” Getting To “Want to” 66% more people than normal chose the stairs over the escalator.
- 11. It’s Not About Playing Games At Work (Though 70% of Execs Admit Playing Video Games at Work)
- 12. Gamification Elements 3 1 4 5 2 Autonomy: we like having choices Mastery: we like getting better at what we do Feedback: we like getting feedback on how we are doing Purpose: meaning amplifies what we do Social: all this means more with others
- 13. Pick Vital Behaviors Connect to Purpose Test And Give Feedback Reward/ Recognize or Educate Socialize Gamifying Security
- 14. Vital Behaviors: Phishing, Reporting, and Badge-Surfing
- 15. Connect to Purpose Source: Verizon Breach Report 2014
- 16. Trust Conformity Connecting to Purpose Morality Curiosity Fear Reward “Holy wow…Check out this video of a giant snake eating a zoo keeper!” “If you don’t pay the fine, your files will be locked and you will be reported to the FBI!” “Can you hold that office door open for me, my arm’s broken and this package is heavy.” How attackers exploit “bugs in human hardware”
- 20. Reward: Security Champion Program Basic awarenessApprentice Successful TestingPadawan DoingKnight TeachingMaster InnovatingGrand Master Trust Points
- 21. Item Point Value Receiving a Trust badge 50 Read security newsletter and chatter about it 50 Reporting phishing email/ social engineering call 100 Completing 100 level course 100 Completing 200 or 300 level course 200 Identifying a vulnerability (P0 - P3) P0 =500, P1=300, P2=200, P3=50 Attending a Security lunch and learn 200 Winning a bug bounty event 500 Attending hands-on security training course 600 Teaching/Presenting on Security topic 1000 Presenting at Conference on Security 2500 Security Patent 3000 Interning with Trust 3000
- 22. Incentives and Rewards • Competition • Achievement • Status • Self-Expression • Altruism
- 23. 14,000 50% 82% The Results Salesforce Employees Have Gone Through This Experience Less Likely to Click on a Phishing Link More Likely to Report Threats to [email protected]
- 24. Incident Detection Employee and customer reports “My mouse cursor is moving by itself” “Is this email really from American Express?” “Someone just badge surfed into 3 Landmark” “I lost my sweater on BART” “My browser proxy settings were changed”
- 25. Incident Detection Employee and customer reports • Salesforce employees trained to report any suspicious activity. • Customer reports also welcome.
- 27. thank y u
Editor's Notes
- #2: Over the next 40 minutes I will walk you through the journey I took to creating a gamification program at Salesforce. This includes the questions I asked of myself, my security team, and the organization to get clear direction on the program I was going to build.
- #3: How can we measure this? I want to argue that metrics come first, not as the last step of a program.
- #4: The training is not the end result. It is a stepping stone to drive an outcome of a behavior you are targeting Mistake: I want more people to take more training more often. Does that prove security mindset? No, it proves that people have sat through a training. Figure out what you are measuring! Test people on that behaviors first! Maybe they dont need training and are already doing it!
- #6: Dont try to boil the ocean. Execs have a hard time backing 12 things they should enforce, but it is easier for them to see how their orgs are doing on one key behavior.
- #7: Define what done looks like so you can move on! Phishing is a great example. Click rate doesn’t matter. Reporting does. Find a % range your organization is confortable, get there, and maintain.
- #8: Once you find your behaviors, do some investigation work. Why are things not being done?
- #23: John Gottman and colleagues (1998) explored the positive-to-negative ratios in marriages. Using a 5:1 ratio, which Gottman dubbed "the magic ratio," he and his colleagues predicted whether 700 newlywed couples would stay together or divorce by scoring their positive and negative interactions in one 15-minute conversation between each husband and wife. Ten years later, the follow-up revealed that they had predicted divorce with 94% accuracy.