Mitigating Cyber Security Risk with Scenario-Based Games

A company’s reputation takes years to build, but it can be lost overnight if it becomes the victim of a cyber-attack that compromises its data. In fact, cyber-criminals are getting increasingly bold and are keeping information security professionals on their toes. In today’s world where everyone’s information is online, it is indeed challenging to protect that information from destruction or unauthorized access.

So who exactly needs to know about information security? With security being a concern for everyone, every employee using the Internet needs to understand information security. Therefore, effective cyber security awareness training is essential for all employees.

However, it is quite challenging to hold the attention of learners long enough to impart the required information on security, especially when the training is mandatory and the topic is viewed as boring or mundane. So what could be the best way to train employees on this topic? Scenario-based games have proved to be an effective training method as they are engaging and interactive, while also facilitating effective knowledge transfer.

In this post, I will discuss how we helped our client overcome the drawbacks in its existing course on information security, and increased the knowledge transfer and retention levels of its employees using a scenario-based game approach.

The Requirement:

Our client identified gaps in their current employee training on the topic of information security. It was observed that employees were not able to retain the information imparted during the training programs from the existing eLearning course. Therefore, they wanted to upgrade and revamp the Information Security course to address the low rates of retention.

However, they were not sure how a mundane topic could be made interesting. They had already rolled out an eLearning course on information security, but employees couldn’t retain the information taught, as the course was content-heavy and had no interactivity.

The Challenges:

This client had a course that covered 5 basic methods through which data could be compromised:

  • Weak Passwords
  • Unprotected Devices
  • Malware
  • Phishing
  • Cloud Computing

Given the nature of its business, large amounts of different types of information were at risk in many possible ways. This could potentially harm the overall perception, performance and reputation of the client.

To effectively counter the risks of inadequate information security, the client sought training to help employees recognize, rectify and report risks as appropriate. However, they had challenges:

  1. Most of the employees could not retain the learning from the course
  2. Training needed to reach 1,000 corporate and franchise supermarkets that operate under 22 regional and market segment banners

Our Solution – The Scenario-based Games Approach

We proposed a two-pronged approach:

  1. Application-driven scenario + challenge approach
  2. Short quizzes that reinforce learning and improve retention

  • We developed video-based scenarios for each of the 11 learning objectives in the course (<1 min each). These video-based scenarios introduced the learners to situations they might quite possibly encounter in the course of their daily professional duties.
  • All scenarios were linked through a single background story pertaining to “a day in the life of the employee”. This approach allowed the learner to relate more to the course, learn exactly how information security pertained to their work, and know what to be wary of.
  • Each video-based scenario was followed with a set of questions pertaining to the scenario. These questions tested the learner’s understanding of information security in the context of the scenario previously witnessed.
  • This proved helpful as the learner could understand the context and also relate to the subject better.
  • A gamified scoring system with an ‘information security’ score was provided in the course, where the learner’s choice of the right/wrong answer drove the score up/down. The aggregate score at the end was compared to the pre-decided passing grade for the course.

But why the Scenario-Based Games Approach?

1. Games are Challenging

When learning is presented in a game-based approach, the challenge presented in the game is a strong predictor of the learning outcomes, as learners are completely engrossed and are given immediate feedback. In games, learners are motivated to learn, in part, because learning is made relevant as it transpires through a process of enquiring, understanding, and reflecting upon the simulated world inside the game.

Our client effectively tried to counter the risks brought on by inadequate understanding of information security, and trained its employees to recognize, rectify, and report risks as appropriate.

We suggested game-based scenarios that set the stage for each learning objective, where learners could be immediately tested on what they would do in each scenario, through relevant questions. The questions were challenging as they made learners think of the consequences of each question.

2. They Provide A Risk-Free Environment

Games provide learners a risk-free environment to experiment and fail without penalties and consequences. They allow learners to learn from their mistakes. Getting down to work without proper training can be dangerous in certain situations. For example, if learners are not aware of what constitutes a security threat, the chances of a security breach are higher. This is purely due to the lack of proper knowledge on information security.

When the topic is presented to learners in a virtual environment via gamification, they can learn in a risk-free environment, despite making mistakes. It gives learners insight into why a certain step was wrong. This approach also gives learners a sense of accountability at every stage, as they can analyze their performance and make the necessary amendments.

3. Games Hook Learners

For any training program to be effective, learners have to thoroughly engage with the content. And this can be done when the training program is interactive. Therefore, when the content is presented in a gamified approach, learners are hooked to the course, allowing them to learn better. Most often, learners are bored with mundane training programs due to lack of interactivity.

Our client faced a similar situation when they couldn’t achieve any results with their basic IT security training program, because security breaches continued at the workplace. However, when the same course was presented in the form of a game, their learners learned without hesitation and with better retention. There was increased engagement and there were fewer security breaches going forward.

4. Information is More Effectively Retained

A compelling scenario forms an effective gamified eLearning experience. Scenarios are pointless if they don’t relate to real-life incidents. Learners will be better able to relate to a course when they can solve issues that they might face in real-life. When the learning is based on real-life situations, it helps learners garner more knowledge and develop the needed skill sets. They are also more likely to participate actively when they can solve problems. Therefore, the subject matter has to tie in to a real-world problem.

In the course on cyber security, learners were presented with scenarios that spoke of various cyber security issues, such as Phishing, Security Incidents, Passwords, Acceptable Use of Corporate Devices, etc. The aim was to educate learners on the various kinds of security breaches they might face in their workplace.

Through various scenarios, learners were able to identify and differentiate between safe and unsafe practices. As learners could relate to the scenarios, they were able to identify issues correctly and solve them accordingly. Besides, as content was presented through a game-based approach, they could go back and set things right in places where they made mistakes – all within a safe and secure environment.

Thus, it is not surprising at all that organizations prefer scenario-based games when it comes to presenting compliance training programs, of which IT security training is a big part. Have you tried this approach for IT security training? What are the strategies you employed in your organization? Do share your thoughts.
