Re: Gamification of Information Security

[Michael Dickey <lonervamp () gmail com>]

I'll bite!

- track badge use to open secured doors...maybe even a gatekeeper of door X?
This would hopefully promote always using a badge to go through a door,
rather than following someone else in.
- uses of email encryption services or PGP
- tickets submitted through approved means (promotes tracking and
efficiency...walk-up interruptions are the bane...)
- uses of change mgmt forms for changes
- points for reporting any security violations? I hate to promote a
tattle-tale culture, though...

For Developers/QA, there definitely could be a point system set up for
finding actionable security issues in websites and applications, or
additional points for pre-emptively solving them (would suck to leave them
there just to find them later since you knew they were there). I know
Jeremiah Grossman has made mention of their internal "games" where they all
rush to find security holes in a site. That itself would be fun, assuming
you have enough people with some aptitude. The challenge system could work
here as well, to challenge someone else's code/site/app.

Obviously, to throw the wet blanket down, all of this would have to be
carefully planned, as you'd hate to have it foster real competition and
incent "gaming" of the "games" too much, especially if ANY of it starts to
influence appraisals or reward.



On Mon, Apr 4, 2011 at 7:12 PM, Brian <brian_erdelyi () yahoo com> wrote:

>  Gamification <http://en.wikipedia.org/wiki/Gamification> has been the
> buzz for the past few years.  Game design concepts are appearing in everyday
> interactions like education<http://www.forbes.com/2010/10/28/education-internet-scratch-technology-gamification.html>
> , physical fitness/wellness<http://gamification.co/2011/03/16/customized-fitness-on-dailyburn/>
> , automotive design<http://gigaom.com/cleantech/upcoming-honda-insight-turns-eco-friendly-driving-into-game/> and
> even personal 
> finances<http://www.geekwire.com/2011/bobber-interactive-brings-gamification-personal-finance-facebook-set>
>  [and<http://finlittv.com/2011/03/mint-com-launches-game-to-teach-middle-schoolers-money-management/>].
> I am thinking about ways to use gameplay mechanics to reward employees for
> completing otherwise mundane tasks.  I want to unlock that achievement
> "Making Work Fun".
>
> Typical gaming techniques include:
>
>
>    - achievement "badges"
>    - achievement levels
>    - "leader boards"
>    - a progress bar or other visual meter to indicate how close people are
>    to completing a task a company is trying to encourage, such as completing a
>    social networking profile or earning a frequent shopper loyalty award.
>    - virtual currency
>    - systems for awarding, redeeming, trading, gifting, and otherwise
>    exchanging points
>    - challenges between users
>    - embedding small casual games within other activities
>
>
> There are hacker challenges and 
> competitions<http://newsok.com/oklahoma-students-qualify-for-national-cyber-security-competition/article/3551228> that
> encourage youth into the field of information security (or used as a
> recruiting ground by government agencies or companies)
>
> What could day-to-day gamification of Information Security in the workplace
> look like?  I want to brainstorm a few ideas first without thinking about
> the specific implementation (as this may put constraints or limits on the
> mechanics of the awards).
>
> For example, awards could be something like:
>
>
>    - "Security First": # of days without violating security policy or
>    acceptable use (30 days, 90 days, 6 months, 1 year, 2 years, 5 years)
>    - "Security Smarts": # of hours of security awareness
>    training completed (users could also get credits for reading security
>    bulletins).
>    - "Security Star": based on the score an employee receives on security
>    awareness quiz (bronze: >80%, silver: >90%, gold: 100%)
>    - "Strong Passwords": employee uses strong passwords
>    - "Memory Like an Elephant" - # days without a password reset (30 days,
>    90 days, 6 months, 1 year, 2 years, 5 years)
>    - "Security Points": some form of currency or experience points for
>    completing security related tasks or activities
>
>
> For IT staff there are other things I can think of regarding service
> management, system management, patch management, change management and risk
> management (this can apply to most employees).
>
> Maybe these are tracked and displayed individually or as a department to
> foster friendly competition and encourage better security practices.  Maybe
> these are used as part of an annual performance review.
>
> Basically, informatio security departments tends to get a bad
> reputation because they are the stick enforcing security policies.  I'm
> trying to think of ways to be the carrot.  I would rather provide a wall of
> fame for the superstars rather than a wall of shame (though I remember in
> one organization we had a giant screw mounted on a piece of wood... "screw
> up award"... it was the hot potato... we were always quick to pass it along
> to the next deserving coworker).
>
> Any examples of gamification you've experienced in the workplace?  Or, can
> you think of any ways to gamify information security?
>
> .b
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com