“Gamification”, a simple HR principle for cybersecurity

By Risk Performance and Technology group

Original, as it appears on FacteurH – http://facteurh.com

Applying policies, rules of conduct and written principles in an organization is complicated. Why? Because we no longer read. We do not want to “lose” our precious time trying to understand what seems trivial and “just good sense”. As a result, the documents, which were so expensive for the organization to design, write, assemble and review, suffer the agonizing death of depressing bureaucratic literature based on the order to do or not do, sitting on a shelf or lost at the very bottom of a storage area in the file server, judged and condemned to obsolescence by an obsequious, bureaucratic auditor. “Sigh”.

Poor little information security policy that only a few weirdos on the payroll (myself included) will read and obsess over one-too-many commas, and view as violating their private lives, which they claim, however, they do not take to the office, and who, once they have read the document and digested no more than 20% of it, will literally forget how to apply it five minutes later.

So what? Should we write these documents exactly as we started this article in the style of a satirical column so that people will read it? No! People no longer read. A video? Training session? You can already see yourself listening to a monotonous talk on a topic of no interest to you by a guy discouraged by corporate life. So how do we re-implement this hygiene that we all need?

If you have read my articles, you’ll have noted that I am as concerned about your private life as your corporate assets and actions. So what? “Gamification”, another buzzword! No, because today I am explaining it to you and embedding it in your consciousness. Who will be our associates of tomorrow? It will be your teenage sons and daughters, your children in five or 10 years! I teach at Polytechnique Montréal, and the generations of students, already older, declare that email is obsolete and they won’t be forced to use it. Imagine the rest! So, do we need to post our policy on Instagram or Snapchat along with special effects? No. This generation plays a lot and it watches quick, intense mini-capsules where the message is immediate, almost pre-digested edutainment. This is the highway to their understanding. Do you think that the problem will be worse by going in that direction? I don’t think so. Even you, in your 30s, 40s or 50s, with several years of corporate experience, do not want to read this document.

You expect me, or people like me, also known as Chief Information Security Officers (CISOs) to change you so that you will follow the path to this hygiene. I need to change you, but into what? Well, it’s really quite simple. Let’s review the basic HR mechanisms for galvanizing employee motivation: When we want a learner to acquire a behaviour quickly, they need an ACTIVE posture while they’re learning! In order for the learner to be motivated to learn and willingly assume an active posture, they need quick, simple objectives converted into a mission translated into actions to generate a competition (against themselves, the environment, a machine or other people) collectively or alone to receive a reward, a form of social glory and recognition of the change achieved through the experience. So much for the transformation of SMART or SMARTER objectives into real edutainment objectives. Now, to transform the learning employee into a learning player, we need the mechanics of the game to naturally suggest the following roles: Explorer, Adventurer, Fighter, Protector, Duellist, Researcher or even Wiseman.

You’re beginning to understand… The exceptional leader already knows to do this with their team. A game can become a corporate social platform for discussion among employees (perhaps you have a chatroom or an internal forum). The game can lead you to important principles of security and perhaps challenge your behaviour. For example, to prevent employees from transferring corporate information using their personal email, organizations provide secure transfer and communication tools, but too few employees use them. The game can measure your use of the tool and grant rewards and glory to your avatar. The game could help you to protect yourself by guiding you on a quest. It could simulate phishing exercises. This game could allow you to play with your children and protect them at the same time. The corporate social network will communicate daily corporate information, promotions, new skills, new projects (missions, quests, etc.) via the game.

You don’t believe me? The reason that Clash of Clans, Fornite or Battle Royal have been so successful and brought in so much money is that they are based on these principles. You’re not familiar with these games? Then you will have to learn more about the next generation of associates.