How do we make security awareness fun?

Now that Taktikal is embarking on a journey to reach new markets and expand our product offerings, we decided it was a good idea to obtain an ISO 27001 Information Security Standard certification. This helps us show our customers that we take the security of their data seriously, with a risk-based approach.

In order for the company to be able to secure customers' data, it’s important that we promote a company-wide culture of security, since every single employee is a potential target for individuals with malicious intent. This involves continually training our employees, so that they are confident in making the right decisions about security.

"Successful security culture can only happen when every employee begins taking responsibility for protecting their organization."

"To do so, they must be confident in making security-minded decisions and their ability to recognize threats and issues."

- Harlie Hardage, Security Training Expert at 1Password

We started out by utilizing the built-in security awareness training in our compliance software, but found that it wasn’t leaving a lasting impression on the staff. Likewise, requiring that everyone sit in a stuffy meeting room looking at a PowerPoint presentation isn’t particularly likely to result in comprehension and recollection. And let’s be honest, if they can’t remember what the presentation was even about, how likely are they to put it to use? Not very.

With this problem in mind, we started looking into ways to make security awareness training more fun and engaging. Perhaps an information security themed pub quiz? At the same time we were asking the staff what sort of team building activities they would be most interested in doing over the next few months, and the most popular option was…game night!

And then it came to us… we’ll play a security-themed role-playing game! And thus we introduce our version of the famed open-source game Werewolf, which we've repurposed and called, appropriately, Hackers.

We of course went all-in, designed playing cards (which you can download for free) and wrote stories about how each individual player would get hacked. In this way, everyone got to play a fun game, share lots of laughs, and also learn about the various methods hackers use to attack companies.

On the day of the security awareness training, everyone showed up dressed in the official hackers uniform (a.k.a. wearing hoodies, which was totally out of the norm…for absolutely nobody on the team), the meeting room was stocked with drinks and snacks, and then the games began. Since one of our players joined us remotely, his role was delivered via Slack, which went remarkably well. The results were happy, engaged staff and a recurring office joke about how the same two guys turned out to be the hackers, both times.

But what about retention? Did they actually remember anything from the training afterwards? Well, we should probably ask the delivery guy who showed up with coffee the next day and was met with great suspicion and the new catchphrase at the office, “Just because they wear a uniform, doesn’t mean they belong here!”