Words: Cornelia Puhze, SWITCH
According to the Verizon Data Breach Investigations Report 2022, the human factor was involved in a full 84% of all data breaches. The technology-focused professionalisation of the information security industry has made it much easier to hack people than IT systems. So why aren’t more resources invested in sound methods and measures to address the “human factor” just as professionally?
People are not programmable
The good news is that our behaviour can be influenced. But never in the way that the behaviour of a machine can be changed. It actually makes sense to apply different teaching methods to humans. That is, not to start from the premise that the more data, the more certain the learning success. All too often, however, this approach is found in companies, for example in the assumption: if employees click through enough phishing simulations, they will eventually learn to recognise a phishing email. Unfortunately, it is not quite that simple. People cannot be trained like a text robot. People learn with experience, to which emotions such as motivation are linked. People have to understand, “grasp” why they should do something and then want to do it.
Shaping learning experiences positively
There are many different methods to make learning experiences positive and motivating. One of them is learning through play. We have developed our Security Awareness Adventures following this method. Our goal is to demystify security and make it a tangible experience. In small groups, various security challenges are explored in a playful way, curiosity and interest are aroused, the participants have fun together and a fundamental change is made: the attitude towards security. When we play with security, there are only winners!
How does learning in play work?
Whether chess, Taboo or Fortnite – games are entertaining and capture the attention. For a moment, the world of the game becomes reality and the rules become law. A game therefore has everything that is needed to successfully convey educational content. Playing games is fun and increases the participants’ willingness to deal with the conveyed topic (problem awareness). To play a game, the rules and the goal of the game must be learned (training) in order to be able to apply them directly (practice). Play has the potential to convey messages in a way that sticks in the mind and positively influences employees’ perception of an issue.
Proven games with security learning content: Escape Room, Scavenger Hunt, and Dungeons & Dragons
In the SWITCH Security Awareness Adventures, various playful approaches are used to teach the players how to think like a hacker. Participants playfully learn how easy it is to brute force 5-digit passwords in the “Hack the Hacker” Escape Room, follow the hacker’s digital footprints in the “Track the Hacker” scavenger hunt or test their social engineering skills in the “Piece of Cake” tabletop role-playing game. Of course, these educational games do not scale. But the influence that enthusiastic employees have on their colleagues should not be underestimated! Participants share their positive experiences in the coffee corner, so the training game reaches far more than just six people. The adventures can be carried out on a mobile basis or acquired in the form of licenses to suit different needs and situations.
This article is featured on CONNECT43! Read or download the full magazine here