PaulDotCom mailing list archives

Gamification of Information Security


From: Brian <brian_erdelyi () yahoo com>
Date: Mon, 4 Apr 2011 17:12:16 -0700 (PDT)

Gamification has been the buzz for the past few years.  Game design concepts are 
appearing in everyday interactions like education, physical fitness/wellness, 
automotive design and even personal 
finances [and].  I am thinking about ways to use gameplay mechanics to reward 
employees for completing otherwise mundane tasks.  I want to unlock that 
achievement "Making Work Fun".


Typical gaming techniques include:

        * achievement "badges"
        * achievement levels
        * "leader boards"
        * a progress bar or other visual meter to indicate how close people are to 
completing a task a company is trying to encourage, such as completing a social 
networking profile or earning a frequent shopper loyalty award.
        * virtual currency
        * systems for awarding, redeeming, trading, gifting, and otherwise exchanging 
points
        * challenges between users
        * embedding small casual games within other activities

There are hacker challenges and competitions that encourage youth into the field 
of information security (or used as a recruiting ground by government agencies 
or companies).
What could day-to-day gamification of Information Security in the workplace look 
like?  I want to brainstorm a few ideas first without thinking about the 
specific implementation (as this may put constraints or limits on the mechanics 
of the awards).


For example, awards could be something like:

        * "Security First": # of days without violating security policy or acceptable 
use (30 days, 90 days, 6 months, 1 year, 2 years, 5 years)
        * "Security Smarts": # of hours of security awareness training completed 
(users could also get credits for reading security bulletins).
        * "Security Star": based on the score an employee receives on security 
awareness quiz (bronze: >80%, silver: >90%, gold: 100%)
        * "Strong Passwords": employee uses strong passwords
        * "Memory Like an Elephant" - # days without a password reset (30 days, 90 
days, 6 months, 1 year, 2 years, 5 years)
        * "Security Points": some form of currency or experience points for 
completing security related tasks or activities

For IT staff there are other things I can think of regarding service 
management, system management, patch management, change management and risk 
management (this can apply to most employees).

Maybe these are tracked and displayed individually or as a department to 
foster friendly competition and encourage better security practices.  Maybe 
these are used as part of an annual performance review.

Basically, information security departments tend to get a bad reputation because 
they are the stick enforcing security policies.  I'm trying to think of ways to 
be the carrot.  I would rather provide a wall of fame for the superstars rather 
than a wall of shame (though I remember in one organization we had a giant screw 
mounted on a piece of wood... "screw up award"... it was the hot potato... we 
were always quick to pass it along to the next deserving coworker).

Any examples of gamification you've experienced in the workplace?  Or, can you 
think of any ways to gamify information security?

.b



      
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
