But gamification is not a term that has been embraced widely in the business world. "As soon as you use the word 'game' in a corporate environment, there tends to be a lot of pushback, as work is supposed to be serious and games are not," says Jordan Schroeder, IT security administrator for Family Insurance Solutions in Vancouver, B.C. "So I have been using the term 'active feedback' instead. That flew a lot better."
Spitzner at SANS notes that security awareness gamification is not a mature field yet, and the few organizations that have done it have targeted only a few behaviors. Nevertheless, there are success stories, such as what happened at Salesforce.com.
"We wanted to see what would happen if we created a program where employees wanted to do the right things, rather than being pushed to do so," explains Saleforce.com's Heim. After consultations with heads of business units, "We came up with a short list of behaviors that we believed would have the biggest impact, including optional security training, reporting phishing emails and preventing badge surfing" or tailgating.
Security training at the firm is mandatory, but participation in the corporation's gamified security awareness program is not, adds Heim. But employees get points and recognition if they do participate and take security-related actions, like reporting phishing attempts, he explains.
People who were my biggest concerns are now my number one partners in security. Jordan Schroeder, IT security administrator, Family Insurance Solutions
At Family Insurance Solutions, Schroeder says he relies on positive feedback when users do the right thing (in response to phishing and break-in attempts, real or drills), and showing them correct behavior when they do the wrong thing. Unlike at Salesforce.com, there are no points, badges, levels or prizes, he says. "I am not convinced of the effectiveness of giving away physical things," in a small organization, he adds.
He was not able to supply specific metrics, but he notes that users no longer hide what they did wrong for fear of reprisals. "If they are confident of a positive response they want to elicit that response strongly, and will report emails hoping to get that response. People who are normally reticent are now openly engaging with me, asking if this or that is OK. It's exciting watching them educate themselves. People who were my biggest concerns are now my number one partners in security. I have been shocked at how successful it has been with people who I did not think it would be successful with."
Middle-aged office assistants tend to be the most responsive, while the ones he has the most trouble reaching are younger people who play computer games, he says. "They tend to see through the gamification, but do respond to challenges," he notes.
Sign up for CIO Asia eNewsletters.