[BHIS - Sourcing Cyber](../Cyber%20Talent%20Development/BHIS%20-%20Sourcing%20Cyber/BHIS%20-%20Sourcing%20Cyber.md)
[Cyber Team Building](../Cyber%20Team%20Building/Cyber%20Team%20Building.md)
[Workforce Education](../Workforce%20Education/Workforce%20Education.md)
Building a cybersecurity culture is incredibly difficult. By its nature, cybersecurity needs to account for malicious intent in all aspects of the organization. Granted, a pragmatic, prioritized approach should be taken.
# Gamification, Learning Tools, Approaches, Misc
- [Highly Customizable Course Authoring | Employee Training | Storyline 360 | Articulate](https://www.articulate.com/360/storyline/)
# Free Training, Resources
- [GCA Cybersecurity Toolkit for Small Business | Sponsored by Mastercard](https://gcatoolkit.org/smallbusiness/)
# Incentivizing Training and Exercises
- Rewards systems
- Recognition in company newsletters
- Special certificates
- Professional development opportunities - sponsor certifications or courses related to security
- Cyber Security Month
- Workshops
- Webinars
- Tabletop exercises
- Friendly competition
- Gamifying projects?
    - For a long-term project like data governance, you could break it down into smaller, manageable tasks or milestones and then create a points system for completing each task.
    - Additionally, setting up team-based challenges can encourage collaboration and collective effort towards the larger goal.
- Maybe not. I think I'm more trying to think about how this would actually look concretely. How would I track these things? Would I need full-time employment like FTE, like a full job to gamify this stuff? I want this to be low-cost, high-benefit.
    - It sounds like you're trying to balance effective implementation with resource constraints. You want something that’s engaging but doesn't require a lot of overhead or additional full-time staff.
    - One way to manage this could be using existing project management and collaboration tools. Tools like Trello, Asana, or even Microsoft Teams can help track progress and assign points or badges for completed tasks. You can set up a system where milestones are recorded, and achievements are celebrated within these platforms.
    - To keep costs low, you could form a small cross-functional team to oversee the initiative part-time, perhaps with representatives from different departments. This way, the responsibility is shared, and it doesn't fall on a single person.
    - For tracking and leaderboards, you could use a shared spreadsheet or an existing project management tool. Many of these tools have features for tracking progress and displaying results in an engaging way.
- Gamified custom assessments, forms, questionnaires and quizzes
    - Quizzes with rewards: Kahoot or Quizizz
    - Interactive Scenarios: branching scenario tools
- Training Approaches
    - Microlearning: Break down training into short, focused modules that employees can complete in a few minutes. TalentLMS
- Social Engineering (General Employees):
    - Simulated Phishing: Regularly conduct phishing simulations using tools like KnowBe4 or Cofense to train employees to recognize and report phishing attempts. Track improvement over time.
- IT Employees
    - Gamified Training Platforms: Use platforms like Cybrary or Hack The Box, which offer gamified learning paths and labs for hands-on experience.
- Events from Cyber Team
    - Cyber/Privacy Day: Organize events with guest speakers, workshops, and interactive activities. Use these days to highlight success stories and best practices.
    - Security Champions: Appoint security ambassadors in different departments to champion security initiatives and gather feedback. These ambassadors can facilitate communication between the security team and other departments.
- Reducing Friction:
    - Change Management
    - Feedback Mechanisms: Implement regular surveys or feedback sessions to understand employee pain points regarding security measures. Tools like SurveyMonkey or Google Forms can help gather and analyze feedback.
    - Collaborative Platforms: Use collaboration tools like Slack or Microsoft Teams to create dedicated channels for security discussions. This can help foster open communication and quick resolution of issues.
- Customized Training for Departments:
    - Department-Specific Modules: Develop training modules tailored to the specific security needs and practices of different departments. This can be done using a Learning Management System (LMS) that supports customization.
    - Role-Based Training: Offer role-specific security training, ensuring that the content is relevant to the tasks and risks associated with each role.
- Do you feel like there's any innovative, unorthodox, or pragmatic ways I can go about pushing some of these?
    - Security Escape Game: virtual escape room experience where participants solve puzzles related to security concepts to "escape." This can be a fun team-building activity that reinforces security principles.
    - Interactive Security Awareness Videos: Platforms like HapYak
    - Security Champions Program: Establish a program where employees volunteer to become security champions. Provide them with advanced training and resources, and involve them in decision-making processes related to security initiatives.
    - Security Roadshows: Organize security roadshows where the security team visits different departments to conduct live demos, answer questions, and discuss relevant security topics. This can make the security team more approachable and visible.
    - Security Innovation Lab: Set up a security innovation lab where employees can experiment with new security tools and techniques. Encourage them to come up with creative solutions to security challenges and share their findings.
    - Real-time Feedback and Rewards: Use real-time feedback tools like Kudos or Bonusly to recognize and reward employees for good security practices immediately. This can create a positive reinforcement loop and encourage ongoing vigilance.
- Integrated micro-learning
    - Security Pop-ups: Implement pop-up tips or quizzes that appear when users log into their systems or access certain applications. These can provide quick security reminders or ask questions that reinforce training.
    - Just-in-time Learning: Embed security tips and resources within the tools and applications employees use daily. For example, a short tutorial or reminder about secure password practices can pop up when users change their passwords.
    - Microlearning Modules: Use platforms like Duolingo for Work or Axonify that deliver small, daily lessons or quizzes directly to employees' devices. These can cover different security topics in short bursts that fit into their regular workflow.
    - Security-related Slack Bots: Integrate a Slack bot that periodically sends out security tips, quizzes, or challenges. Employees can engage with these in their existing communication channels without disrupting their workflow.
    - In-app Security Prompts: Customize your internal applications to include security prompts or mini-assessments related to the actions employees are performing. For example, a prompt might appear reminding them to verify a recipient before sending sensitive information.
- Role-playing games and simulations
    - **Classcraft**: This is a gamification platform designed for educational settings that can be adapted for corporate training. It allows you to create role-playing scenarios where employees can take on different roles, complete quests, and earn rewards.
    - **Mursion**: Mursion offers immersive VR simulations where employees can engage in role-playing scenarios. It’s great for soft skills training and can be customized for security training scenarios.
    - **Labster**: Primarily used for science education, Labster offers virtual labs and simulations. You can use it to create custom security training scenarios that employees can interact with.
    - **Scavify**: This tool can create scavenger hunts and challenges that can be adapted to role-playing scenarios. Employees can complete tasks related to security practices and earn points or rewards.
    - **Mentimeter**: While not a full-fledged role-playing game system, Mentimeter allows you to create interactive presentations and polls. You can use it to facilitate role-playing exercises where participants make decisions based on different security scenarios.
    - **Twine**: Twine is an open-source tool for creating interactive, nonlinear stories. You can use it to develop text-based role-playing games where employees make choices and see the consequences of their actions in a security context.
    - **SimulTrain**: This is a project management simulation tool that includes role-playing elements. It can be adapted for security training by creating scenarios where employees have to manage and respond to security incidents.
    - **VirBELA**: A virtual world platform that allows for immersive role-playing scenarios. It can be used to create environments where employees engage in security-related role-playing activities.
- Branching storytelling and scenarios
    - **Articulate Storyline**: A robust e-learning authoring tool that allows you to create interactive, branching scenarios. It's widely used for creating custom e-learning courses.
    - **Twine**: An open-source tool for creating interactive, nonlinear stories. It's great for text-based scenarios where users can make choices and see the consequences.
    - **HapYak**: This platform enables you to create interactive videos with branching paths, making it easy to engage learners with decision-making scenarios.
    - **BranchTrack**: Specifically designed for creating branching scenarios, BranchTrack allows you to build interactive simulations and role-playing exercises quickly and easily.
    - **Raptivity**: This tool provides a range of interactive templates, including branching scenarios, which can be used to create engaging e-learning content.
    - **ZebraZapps**: A powerful platform for creating interactive, multimedia learning experiences, including branching scenarios.
- Statistics on employee training with highly dispersed problems like cyber
    - **Phishing Simulations**: Numerous studies have shown that regular phishing simulations significantly reduce the risk of successful phishing attacks. For example, a report by KnowBe4 found that organizations that conducted regular phishing simulations saw a dramatic decrease in their Phish-prone™ percentage, from 27% to just 2% over 12 months.
    - **Microlearning**: Microlearning, which involves short, focused learning sessions, has been found to be highly effective. Research by Axonify shows that employees who engage in daily microlearning sessions retain knowledge better and are more likely to apply what they’ve learned compared to traditional training methods.
    - **Gamification**: Incorporating gamification elements into training can increase engagement and retention. A study by TalentLMS found that 83% of employees who receive gamified training feel more motivated, and 87% feel more productive.
    - **Interactive and Scenario-based Learning**: Studies indicate that scenario-based learning and interactive modules significantly improve retention and application of knowledge. A report by eLearning Industry found that scenario-based learning can improve retention rates by up to 50%.
    - **Just-in-time Learning**: Embedding learning resources directly into employees' workflows ensures they can access relevant information at the moment of need. Research by Bersin by Deloitte found that this approach leads to better performance and knowledge retention.
    - **Security Awareness Programs**: A comprehensive security awareness program that includes regular training, updates, and communication can foster a culture of security. According to SANS Institute, organizations with robust security awareness programs see a marked improvement in employee behavior and a reduction in security incidents.
    - **Feedback Mechanisms**: Implementing regular feedback loops, such as surveys or focus groups, helps in understanding the effectiveness of training and areas for improvement. This approach can lead to continuous improvement in security practices and awareness.
- Reducing friction and fostering a collaborative culture
    - **Security Liaison Program**: Appoint security liaisons within each department. These liaisons can act as the bridge between the security team and their respective departments, ensuring that security practices are tailored to their specific needs and concerns.
    - **Regular Cross-Departmental Meetings**: Hold regular meetings with representatives from different departments to discuss security issues, share updates, and gather feedback. This fosters open communication and helps the security team understand the unique challenges each department faces.
    - **Tailored Training Programs**: Develop training programs that are customized to the specific needs and workflows of each department. This ensures that the training is relevant and practical, reducing resistance and increasing buy-in.
    - **User-friendly Security Tools**: Invest in security tools that are intuitive and easy to use. Complex or cumbersome tools can create resistance, so focusing on user-friendly solutions can help reduce friction.
    - **Feedback Loops**: Implement mechanisms for continuous feedback, such as surveys or focus groups, to understand employee pain points and make necessary adjustments to security practices.
    - **Security Office Hours**: Set up regular "office hours" where employees can drop by to discuss security concerns, ask questions, or seek advice. This makes the security team more approachable and accessible.
    - **Incorporate Security into Daily Routines**: Embed security practices into daily routines and existing processes. For example, include security checkpoints in project workflows or regular meetings.
    - **Recognition and Rewards**: Recognize and reward employees who demonstrate good security practices. This could be through formal awards, public recognition, or even small incentives.
    - **Interactive Workshops and Simulations**: Conduct interactive workshops and simulations that allow employees to experience real-world security scenarios. This hands-on approach can make learning more engaging and practical.
    - **Visible Leadership Support**: Ensure that leadership visibly supports and participates in security initiatives. When employees see that security is a priority for leadership, they are more likely to take it seriously.
    - **Clear and Consistent Communication**: Communicate security policies, updates, and best practices clearly and consistently. Use multiple channels, such as emails, intranet posts, and team meetings, to reach all employees.
- Personal edited videos from the security department
    - **Creating Videos**:
        - **Tools for Recording**: Use your smartphone or a basic webcam to record videos. Most modern smartphones have excellent video quality.
        - **Editing Software**: Use free or low-cost editing tools like iMovie (Mac), Windows Video Editor (Windows), or online tools like Kapwing and Clipchamp. These tools are user-friendly and sufficient for basic editing needs.
        - **Microphone**: Invest in a good quality, low-cost microphone like the Blue Snowball or a lavalier mic for clear audio.
        - **Lighting**: Use natural light or inexpensive ring lights to improve video quality.
    - **Hosting and Sharing Videos**:
        - **Intranet**: If your company has an intranet, host the videos there. Tools like SharePoint or Google Sites can be used to create a simple video library.
        - **Video Platforms**: Use platforms like YouTube (unlisted videos for privacy), Vimeo, or internal tools like Microsoft Stream if your organization uses Office 365.
        - **Email and Messaging**: Share video links through company emails or messaging platforms like Slack or Microsoft Teams to ensure everyone has easy access.
    - **Specialized Training for Departments**:
        - **Learning Management Systems (LMS)**: Use low-cost LMS options like TalentLMS or Teachable to create and manage customized training modules for different departments.
        - **Interactive Platforms**: Tools like Articulate Rise or EdApp allow you to create interactive, mobile-friendly courses. These platforms often have free or affordable plans for small teams.
        - **Gamification Tools**: Use tools like Kahoot! for quizzes and challenges, or create interactive scenarios with Twine or BranchTrack.
    - **Implementing Training**:
        - **Schedule Regular Sessions**: Set a regular schedule for releasing new videos or training modules, such as monthly updates or quarterly training sessions.
        - **Department-Specific Content**: Work with department leaders to identify key security concerns and customize content accordingly. Use tools like Google Forms or SurveyMonkey to gather input on relevant topics.
        - **Feedback and Interaction**: Encourage employees to leave comments or questions on video platforms or LMS. Conduct short surveys after training sessions to gather feedback and measure effectiveness.
    - **Tracking and Reporting**:
        - **Analytics**: Use the built-in analytics features of video hosting platforms or LMS to track views, completion rates, and engagement.
        - **Reports**: Generate regular reports to review progress and identify areas for improvement. Share these reports with department heads to keep them informed and engaged.