In many companies and organizations it is currently “Game on” instead of “Game over.” And for good reason. “Playing is an inherent instinct and it makes lots of things easier,” says Peter Kreutter, Director of the Stiftung Wissenschaftliche Hochschule für Unternehmensführung (WHU), located in Vallendar, on the banks of the river Rhine. Kreutter has been working on the topic of gamification in companies for quite some time. Gambling in the office? Not at all, but rather a serious opportunity to sustainably promote sensitivity to information, security issues, and security awareness at the workplace. Gamification, i.e. the integration of playful elements into a context that is not part of the game, is currently booming. As researchers at the Danube University Krems in Austria have found out, the integration of playful elements makes it easier to motivate employees to solve complex tasks. Through this informal learning, things can be tried out without triggering the danger of real consequences. Motivation is high, because you want to win. The tension increases with a playful approach, and ultimately drier topics can also be conveyed much more easily.
Awareness expert, Vogt, also confirms this: “Frontal preaching with PowerPoint is not an effective means of achieving awareness for information security.” A playful format, on the other hand, minimizes the risk of employees ‘switching off’ quickly, keeps their attention high, and forces interaction. “As moderators from ISM, we act as competent partners in questions of information security. The advantage of this classroom training is the interactivity with the employee. Questions and dangers are discussed in the group and face-to-face with the participants and, if possible, answered immediately. That works.”
The employee feels taken seriously and is introduced and sensitized to the topics by the moderators. Due to the many constructive discussions and the fun factor when solving the problems during the event, the sustainability of these topics should not be underestimated. Cognitive knowledge and emotional behavior are taught. This kind of “Awareness to touch," experienced in a Security Parkour as a classroom event is an ideal complement to awareness measures and contributes to the success and creation of Helaba’s security culture.
The Telekom subsidiary’s security course has been set up very traditionally – as planned by the word creators of the “parcursus” in Old Rome-- as an exercise or drill in military and non-military training operations. The only difference is that the obstacles to be crossed on the T-Systems course are based practically on world-famous board game classics. Whether phishing as “fishing for fish," social engineering as “trivial pursuit” or cyber security as “monopoly,” a moderator, internal or external, serves as the game leader. There is one station for each security topic, for example phishing, social engineering, cyber security or the “Safe on the Move” module; a game usually comprises five stations at which teams of up to ten people compete against each other for around 15 minutes. The game changes from station to station, “and of course we can focus on one or more specific topics as required. This way, the course continues to develop thematically,” says Thomas Schramm, Principal Solution Sales Manager at T-Systems.
“In a sense, our employees form the human firewall. If, despite all our precautions, a phishing attack should actually get through, they are the last line of defense.”
And that’s exactly what Helaba has achieved. In cash management, for example, the level of security has “risen extremely” and the rate of phishing suspicions passed on is also much higher than it used to be. The course had encouraged employees to take action and further removed the taboo from the issue of IT security. The virtual “safety belt” is anchored a good deal deeper in the corporate culture, even in departments that have only a few points of contact with potentially risky areas.
Having created this awareness has also made the work of Jürgen Vogt and his colleagues easier. They are now regarded as “buddies” who can be asked for advice at any time when it comes to security. Information Security Management, and with it IT as a whole, now has the reputation of a protector who takes care of his colleagues. “Our employees have understood it: With an awareness of security, you protect yourself, your workplace and colleagues, the company, and our customers. The security course was indispensable for creating this awareness,” Vogt sums up. Helaba has understood how to put everything at risk in order not to risk anything.
More Information: www.helaba.com
More Information: www.t-systems.com