Programmes aiming to raise awareness about issues relating to online security are increasingly important and are part of every CSO’s (Chief Security Officer) agenda. One example is malicious email, i.e. phishing, a universal problem which represents a great business risk, especially where employees work with confidential or sensitive information.
But, what is phishing exactly?
By means of social engineering and identity theft, emails which appear to come from trusted sources are sent out. Their real aim, however, is to gain the user’s confidential information for a scam or to commit fraud.
The channels by which these attacks are made have multiplied in recent years. Email is no longer the sole path of entry, with social media, IMs and mobile phones becoming more and more common sources of phishing.
How does this affect organisations?
85% of entities suffered phishing attacks in 2016; the attacks are increasingly sophisticated, and the number of attacks is greater each year (+22% compared to 2015).
In 2016 there were more than 1,300,000 email campaigns linked to phishing; more than 156 million phishing emails are sent each day and more than 15 million get through companies’ security measures; 8 million people open the emails and almost 1 million click on the phishing email links; 70% don’t let the company know about the security incident. This happens because of a lack of awareness with regard to corporate security.
Emails are the easiest channel through which to carry out scams; hackers have stolen by this means more than a billion Euros in the last two years alone.
Can we protect ourselves from phishing?
In addition to the digital security counter-measures implemented by the organisation, the final decision lies with the email recipient: will they open the message or not? Will they click on the link? There’s no use in regretting it once it happens; the solution is training and awareness-raising.
Gamification, as we have seen in previous articles, is a useful tool which allows learners to gain solid and long-lasting knowledge in key areas such as awareness.
How can we apply gamification to online security awareness-raising?
Firstly, we should clarify that gamification for online security awareness-raising is not a game and can’t only be based on launching a game platform. If we want to be successful with awareness-raising, we can’t try to solve it with just a single training effort or with training based exclusively on videos. In addition, there’s no use in forcing users to receive training.
According to José Antonio Morales, a founding member of Opera Soft and Opera Plus (pioneering companies in Spain’s golden age for videogames), “applying techniques from the world of videogames to corporate training enables people to be motivated and to have fun while learning, without feeling they are making a great effort and with better results than traditional training”.
Applying gamification to online security awareness-raising requires focusing on behaviour, with a continuous programme which proactively rewards appropriate behaviour with regard to security and encourages employees to contribute materials to increase awareness.
Our gamification methodology for online security awareness-raising is based on seven steps:
- Assessing the company’s culture beforehand
- Identifying the relevant metaphor and possible Champions
- Defining objectives and rewards
- Voluntary participation
- Social gamification and recognition
- Continuous feedback
- Progress reports
With this methodology we are able to ensure that people participating in the programme go from “I have to” to “I want to”.
If you’re interested in knowing more about GamePaths’ awareness raising programs for online security, contact us today: firstname.lastname@example.org