Security training program uses gamification to change employee behavior at Aduno Group
- Make employees aware of and knowledgeable about security policies and procedures
- Show employees how attackers work and the methods they employ
- Fundamentally change awareness of the role employees play in information security
- Created a multidisciplinary team to develop and implement a security awareness program
- Launched a multifaceted program that employs gamification practices to encourage employee participation
- Used videos, gamification, giveaways, stickers, brochures, and articles in the company intranet to get the word out
- High visibility for the program from the C-suite down
- Active employee participation and ongoing involvement
- Signs that the security awareness culture is changing for good
Employees: first line of defense
As a financial services provider, the Aduno Group faces immense pressure to secure its data because breaches can have immediate and lasting business implications.
Since employees represent the first line of defense, the organization reached out to DXC Technology to help improve information security awareness and weave it into the corporate culture in a sustainable way.
DXC Technology, which provides clients with a full range of risk management services, proposed a multifaceted program that employs gamification and encourages employees to actively engage in security awareness. The activities don’t look or feel like training, which is key to effecting meaningful change. The training program is hosted on Aduno Group’s intranet and consists of videos and quests. Employees get points for completion, and progress is tracked on a leaderboard. New quests are posted each quarter.
Creating an awareness campaign
Aduno Group undertook the effort because studies and experience showed employees needed a refresher on existing security policies and the purpose of those policies, and that they lacked practical instructions on how to comply with those policies.
“Often the lack of knowledge about the content, and the lack of understanding of the meaning and purpose of security policies, is the main reason incidents occur,” says Thomas Müller, head of security and open platform strategy at Aduno Group. “The campaign therefore aims to improve awareness for information security and to sustainably anchor it in the corporate culture.”
With the backing of the CEO and the full board, a core multidisciplinary team was assembled with DXC. People from IT and information security, corporate communications, organizational development/human resources, legal and compliance, and operations services collaborated to develop and implement the program. “An awareness campaign is part of internal communications and must therefore be broadly based within the company,” Müller says.
The campaign’s goal is to educate employees about how cyber criminals operate so they can consciously make sound decisions about the security issues that crop up in everyday work situations. The focus is on communicating risks and their potential impact on the company.
Chasing the phantom
The core of the security awareness program that Aduno Group built together with DXC revolves around quests that feature a fictional “Phantom” who represents cybercriminals trying to gain access to Aduno Group’s data. Employees, who are called “PhantomBusters,” learn by looking over the shoulder of the Phantom to see how cybercriminals think and act and what role the employees could play in thwarting the Phantom’s efforts.
Each quest is focused on a topic, such as phishing or the handling of sensitive data. The game starts with a short video of two to three minutes and then presents three questions. Employees get points when they answer the questions correctly, and their results are tallied. A leaderboard tracks high scores.
If half of all employees answer the questions correctly and everyone gets a certain number of points, they catch the Phantom for that quest. The group element is important because the program is voluntary, so employees are likely to encourage other employees to complete the quest. Employees who want to dig deeper on a given topic can access a knowledge base kept on the intranet.
Aduno Group has published seven quests to date, and new ones are now posted once per quarter. It is an ongoing process because you need to have a dialogue to change behavior, says Marcus Beyer, advisory lead for resilient workforce at DXC.
To get the word out about the program, life-size cardboard stand-up figures of the Phantom have been placed in the building, and there are giveaways, stickers, brochures, presentations and articles in the employee magazine and on the intranet.
Given that the goal of the program is to fundamentally change the security culture in a positive way, results can be hard to measure. But the PhantomBuster program has high visibility throughout the company, employees are actively involved and they enjoy participating. The effort is considered a great success.
“The Security Awareness Program was very positively received by the employees,” Müller says. “This is certainly due to the fact that it is different from all previous measures on the subject of information security. And that is definitely what matters.” The company quickly saw employees embrace a security culture of the future, which is characterized by:
- Consciously secure behavior as risks become known
- Conscious action in everyday work situations
- Active information flow, increased risk awareness and establishment of an “error culture” that acknowledges that mistakes happen, but you can learn from them and share the knowledge gained
The program for Aduno Group draws heavily from DXC’s rich experience in effecting long-term cultural shifts through integrated and integral internal communications campaigns. In fact, DXC and Aduno Group recently won two awards for this program — one in Switzerland and one in central Europe for countries where German is recognized as an official language.