I’ve written many times that one of the biggest barriers to our success as security practitioners is the fact that most people within an organisation don’t really know about or care about what we do. I don’t understand what a social worker or a police officer does, so why should I assume they understand what I do?
So as Security practitioners, we need to innovate to get our messages across. As existing readers of this blog will know, my preferred approach to solving this is the Health and Safety approach, i.e. bake it into everything we do. Recently I’ve had interesting debates with colleagues about the potential for us all getting formally regulated if we don’t get our house in order. Some people think this is a good idea, whereas I would rather be the master of my own destiny.
So, the next question is, if we accept the above proposition, how do we achieve it? I’ve been doing some research on this, and one of the approaches I came across is the concept of gamification. I spent some time talking to a chap called Phil White, who is a VP at a company called Jagex. Jagex write games software, and are the biggest British software company you’ve never heard of, based in ‘Silicon Fen’ in Cambridge. Writing games is what they do, and there is a lot of talk in their industry of the potential of gamification being used for not just commercial gain, but for social good too.
Gamification involves using gaming interfaces and methods to get across a message. This is something we’ve been doing for children for years (and I don’t mean playing Operation with your siblings). I remember playing maths games on a BBC B Micro when I was at school in the latter half of the 19th century. There are examples everywhere now, from simple ‘collect the points’ approaches (Nectar) to get us emotionally attached to buying stuff, to arcade style games teaching us about healthy lifestyles and such. It works because it’s fun, engages a part of the brain that adds to the learning process and makes stuff stick. As another example, I had an attractive and bonhomie-filled French teacher at school, and a Geography teacher who was neither, and it’s fair to say my French is better than my Geography as a result.
Looking specifically at Security best practice, Phil White supplied an example of a company using gamification to teach its employees about its security policy. They actually produced a press release which is here:
In PrivacyVille, you start with a picture of a town and can click on various icons, much like in a Zynga game. A progress bar at the bottom shows you how far along you are in the tutorial. The town is modelled after CityVille, which has 85 million monthly active users on Facebook. Overall, Zynga has 283 million monthly active users, making it the largest game company on Facebook.
“At Zynga we take user privacy seriously,” the San Francisco company said in a statement. “As part of our commitment to user privacy we strive to make it easier for players to learn more about the types of information we collect, how it is used and what their choices are for that information.”
After you read through PrivacyVille, you can claim zPoints that can be used to redeem virtual items across Zynga titles. Zynga already has a more mundane Privacy Center with the same information. But this new way is more fun.
How about doing something like this for your security policy, and giving away points that can be redeemed for coffee? Or lunch? Some organisations I know use incentives to get their staff to do things. This to me would seem to be a nice way of getting a message across and would have an increased likelihood of getting it to stick.
Something along the lines of ‘Would you like free coffee? Then play this game on the intranet at lunchtime…’ is hardly oppressive and would probably get you more attention than sealing them in a room with some lukewarm Domino’s pizza once a year.