Building fun into cybersecurity? Gamification is the way
As organizations look to their people to ensure cyber resilience, sustained training and retraining become an important aspect in the process. Teams at German company Uniper, and Hasso Plattner Institute of Design collaborated with Infosys to make training interesting and fun. Here’s the story of how it happened.
Imagine having to read pages after pages or long instructional notes, with complex wordings and abstract content, on the Dos and Don’ts to avoid being cyber duped or attacked. Just understanding the basics of a concept as heavy sounding as ‘Cyber Security’ or ‘data privacy’, may not be much of a challenge for people oriented towards technology, but for non-technical minds it could feel akin to entering a black hole. Worse still, imagine retaining all that information! Even for technically sound minds, spending their time on mundane details could be quite off-putting.
Now imagine a humorous interactive video, or a game, taking you through the concept and all its aspects. Imagine a cyber security toilet where you can play games on the topic while doing your business and create security settings with a click. Might sound a little gross, but familiar, no? Fun perhaps?
Well, a group of students at Germany-based Hasso Plattner Institute Design School (HPI-D) thought it was.
“If you think a bit more about it, the toilet is also a sacred place. You don't want to be breached in there, because it is a private space, right? Same with the computer,” explains Ferdinand Wagner amid peals of laughter and giggles from fellow teammates from HPI-D.
This team of young students at HPI-D have been working on a module to help the employees of German energy solutions and supply company, Uniper, understand the concept and aspects of cyber security. Awareness and vigilance on cyber-attack threats in day-to-day situations, in tasks as simple as checking emails or web browsing, or using public Wi-Fi network, is the core goal of the team.
“Awareness,” as Canadian author and spiritual teacher Eckhart Tolle puts it, “is the greatest agent for change”.
According to a study by American cyber security solutions company, Check Point Software Technologies, all organizations are vulnerable to cyber threats. It noted that cyber-attacks increased 28% in Q3 of 2022 when compared to same period in 2021. This translates into a weekly average of over 1,130 attacks per organization globally.
The cost of such attacks to organizations too is unsettling. The World Economic Forum (WEF) estimated that data breaches cost an organization an average of $ 3.6 million per incident. It found that companies need around 280 days to identify and respond to cyber-attacks.
“We have the responsibility to make sure that this infrastructure is available, it's running and it's performing as it should.” - Dr. Christoph Waidacher Tweet
Not just organisations, but individuals too are exposed to such attacks given the omnipresence of technology and interconnectivity in our lives.
No wonder then Uniper’s Director of Data Management Dr. Christoph Waidacher calls cyber security one of the most important topics of our times. Yet, it is a topic not many people take very seriously.
For Uniper, the sheer scale and nature of operations makes the topic even more relevant and crucial.
“We are a multinational energy company, and that means we combine the business models of running assets of different types… of course, that brings quite a lot of challenges regarding information security,” said Dr. Waidacher.
“We are actually providing infrastructure services that are of critical nature for, for society… So, we have the responsibility to make sure that this infrastructure is available, it's running and it's performing as it should...” he says, adding – “Again, this is a data heavy, high paced, fast activity, in which we need to make sure that we keep the company safe for its operation.”
Dr. Waidacher sees cybersecurity critical to running Uniper’s operations and the respecting the data of its vast user base. With this criticality in mind, Uniper partnered with Infosys and HPI-D to train its employees on identifying and thwarting such attacks.
What's the big deal with cyber security today? Why do we have to really take it so seriously?
Rashmi Kashyap Explains: In the times that we are in today, where your refrigerator is going to read a recipe for you while you cook, there is any escape from the digital world. We live more in the digital world than the physical one. As long as I have a smartphone or some connectivity, there's definitely going to be that exposure to all the good things that the digital world brings with it, but also all these threat actors and attacks and all of that. It's a no brainer, cybersecurity is here. It's here to protect us. While yes, we have lot of technical controls, like firewalls, all that breach requires is, like, you know, inadvertent click of malicious link.
At the very start, the students at the design school were introduced to the project and Uniper’s goal. Several interactions, with Uniper employees across verticals, helped them get an in-depth view of the company. Students were also able to learn about the work culture, where the company stands in terms of information security, and the view of colleagues on the subject. Some Uniper employees attended design workshops to understand the whole construct and approach.
Uniper’s Philipp Ludwig recalls how students had exciting methods to get the team away from the main line of thinking and exploring all the opportunities at hand.
“At first, we were steering into different directions and looking at a lot of options. And then we were steering towards one solution that we would pick out of a few possible ideas,” he said. “It was basically switch between design sessions, design workshops, and then interviews to test our progress, how it how it works with our colleagues”.
Through several of these workshops and interactions, students were able to form their ideas on how to approach the problem from the design thinking perspective.
The cyber toilet project was one of the 18 ideas that students of HPI-D had tossed in the ideation stage.
“Design thinking is a user-centric approach, we think about the user. What does a normal employee of a company do during the workplace? I mean, obviously, if they have free time, or if they have the need to have to go to the toilet, right? So, we thought maybe, this is a nice approach, to bring cybersecurity training a little bit more into their life,” said Wagner.
The cyber toilet idea, sadly, didn’t hold steam, but they came up with an equally creative application.
Not a boring solution
Using the powers of humour and sarcasm, the students designed the application -- Cyber Tiger and Sly Fox.
Rashmi Kashyap, a cybersecurity expert at Infosys said, the app is meant to be on every employee’s laptop. It comprises training, fun codes or ideas around the topic of cybersecurity, yet “it is not an app that is monitoring you”. It is basically a security assistance that is not involved or annoying.
She adds the app will also help as a refresher course which the user can go to from time to time, as periodic interventions are important for the purpose to be served. Yet, “it should not feel like an imposition, it should not feel like a punishment, it should be something that the person should want to know”.
Dr. Waidacher reckons that although the idea of the cyber toilet was rejected, it created and openness to something that is a really engaging way of making people aware of what is being talked about.
“At the end, I think humour is a major element of creating that space for, for innovation. And that's what we what we saw there,” he said, adding that is also the best way to learn about a topic. So, although is paradoxical that a topic as overwhelming as cyber security should be simplified using humour, that is perhaps the best way to help employees understand it better.
“The world we're living in right now, I think all new ideas, most of the important ideas are not just coming out of one discipline,” Prof. Uli Weinberg Tweet
Gamification in cyber security awareness training has been touted as one of the most effective ways of communicating to employees and ensuring retention of information. It could be adventure games, puzzles, simulations games, or visual novel format that present real life scenarios for the trainee to relate to.
“To make it more fun, I think gamification is very important. Coming up with the more playful approach, which helps people to think of it as: ‘Oh, there is a nice little helper, there is a kind of system, which you just have to set up and start and then it alerts me, it gives me some hints to deduce things in a different way’. I think that is an interesting outcome,” said Prof. Uli Weinberg, Director School of Design Thinking at HPI-D.
Why is Gamification of Awareness relevant?
Dr. Christoph Waidacher notes: To raise the awareness for the importance, and also make it easy to learn how to handle this kind of security aspects. That is a big challenge. Coming up with a more playful approach, which helps people to think of that, oh, there is a nice little helper, there is something there is a kind of system, which you just have to have to set up and have to start and then it alerts me, it gives me some hints to deduce things in a different way. I think that is an interesting outcome. I think there is a big need for a larger group of people to raise the awareness of importance of IT security.
As for the students, the final solution is reflective of the fun and learning they had during the exercise. In unison, they agree, that the very idea of solving a problem is an exciting place to be in.
Interestingly, some students were not fully aware of the importance and concept of cyber security. Not surprising, because many are from varied educational backgrounds and interests. Therefore, the thrust to make the topic interesting was bigger.
“When I learn something new and it can be really boring how can I make it interesting for others?” pondered one.
Lisa Mindthoff recalls approaching the task with an open mind and discovering something new every day.
“It's just fun, and really exciting to explore the golden nuggets that are under the surface, and that you don't know anything about… and to also follow your intuition and your gut feeling. And not be super goal-orientated to have a goal in mind… I think in the process of design thinking in our project, it's to be open for everything that comes along the way. At the right or left side, or even behind sometimes,” she said.
A collaborative approach to solutions
Innovative thinking, out-of-the box solutions, and a collaborative approach to designing a solution form the core of HPI’s education programme. The students are encouraged to think in a non-linear way.
The diverse geographical and educational background the students come from, makes HPI a melting pot of different experiences, fresh perspectives, and approaches.
“It's very important to have diversity, and to not have just the experts in security, in IT security. It is important to have, maybe, a lawyer looking at the same thing, a designer, maybe a mechanical engineer, maybe an architect, and we have this kind of diversity and diversity is key,” said Prof. Weinberg.
“The world we're living in right now, I think all new ideas, most of the important ideas are not just coming out of one discipline, out of one silo, it's the combination, it's the connectivity between the different areas. And that is the key thing here”.
He also stresses on the importance of cultural diversity because it helps in tackling the same challenge in different cultural contexts.
Diversity plays a significant part in a team or the collaborative approach that the school is trying to promote as opposed to an individual, competitive approach.
For long, our educational systems have stressed on grades and individual performance for progress. Prof. Weinberg says this approach is no more relevant in the 21st, highly connected century. Not more, when it comes to design thinking and problem solving.
“I like this blank page. And when you combine people as books and pages, you make a beautiful canvas and painting this is wonderful,” said Felix Schmalenbach, another HPI-D student. “You're not a blank page, you're like, third or third page and you can bring it to the table and other people can share. Like, you can share it with other people and people learn from your experience.”
In fact, this project itself is a shining example of the wonder collaborations can do.
“I see the fertile intersection of collaboration between companies like Infosys, Uniper, and the HPI-D school,” said Dr. Waidacher. “You have a company like Infosys with all your technology and implementation experience. You have the HPI-D School, which is really a leading institution in terms of design thinking, and then you have Uniper as one of the leading energy companies with our specific knowhow and the specific questions that we want to get solved”.
“I think this is a fantastic mix, and it's setting us up for success”.
Design Thinking’s contribution to breaking down complex contexts
Professor Uli Weinberg: In our school of design thinking we are very close to real life, we are not in the academic Ivory Tower, even if we are a part of a normal academic institutions. We allow ourselves to be experimental and to do things that are pointing into the future, and that help students and coaches, and also our project partners, to get a better picture of what we need what is actually needed in the future in terms of learning and working, and to combine both.
Ferdinand Wagner: The crucial thing in design thinking is to really understand and get empathy with the challenge. What you do is you take the challenge, you analyze every word in it, you analyze the word gamification. You do interviews with people, you tell them about the challenge, what their feelings are about the challenge. Also, what kind of interesting perspectives they have, and then you create a POV. With this POV, you dissect everything, and then put it into one little sentence that somehow frames the problem in the perspective of users. And after that, you of course, go into big ideation, which are the ideas. It's really always the process of opening yourself up, converting all the all the goodies you have, and doing it again and again, really in iterations. And this is the whole magic about design thinking.