PaulDotCom mailing list archives

Re: Gamification of Information Security


From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Tue, 5 Apr 2011 22:12:16 -0300

It's not a trick email :).  I am considering writing some sort of article on this first before any kind of 
implementation.  Comments like yours are very helpful.

I'm glad you mentioned reporting of incidents.  I'm still thinking how to spin this in a positive way.  Less focus on 
"tattle-tale" and more on "good Samaritan"... maybe about the cost savings or the damage that was averted.

Points could be awarded in a way that subsequent activities get fewer points until you don't get more points for 
repeatedly doing the same thing.

As for impacting appraisals... I think a manager that intentionally circumvents or ignores controls needs to be called 
out.

.b


On 2011-04-05, at 3:11 PM, Michael Dickey <lonervamp () gmail com> wrote:

I'll bite!
 
- track badge use to open secured doors...maybe even a gatekeeper of door X? This would hopefully promote always 
using a badge to go through a door, rather than following someone else in.
- uses of email encryption services or PGP
- tickets submitted through approved means (promotes tracking and efficiency...walk-up interruptions are the bane...)
- uses of change mgmt forms for changes
- points for reporting any security violations? I hate to promote a tattle-tale culture, though...
 
For Developers/QA, there definitely could be a point system set up for finding actionable security issues in websites 
and applications, or additional points for pre-emptively solving them (would suck to leave them there just to find 
them later since you knew they were there). I know Jeremiah Grossman has made mention of their internal "games" where 
they all rush to find security holes in a site. That itself would be fun, assuming you have enough people with some 
aptitude. The challenge system could work here as well, to challenge someone else's code/site/app.
 
Obviously, to throw the wet blanket down, all of this would have to be carefully planned, as you'd hate to have it 
foster real competition and incent "gaming" of the "games" too much, especially if ANY of it starts to influence 
appraisals or reward.


 
On Mon, Apr 4, 2011 at 7:12 PM, Brian <brian_erdelyi () yahoo com> wrote:
Gamification has been the buzz for the past few years.  Game design concepts are appearing in everyday interactions 
like education, physical fitness/wellness, automotive design and even personal finances.  I am thinking about 
ways to use gameplay mechanics to reward employees for completing otherwise mundane tasks.  I want to unlock that 
achievement "Making Work Fun".

Typical gaming techniques include:

achievement "badges"
achievement levels
"leader boards"
a progress bar or other visual meter to indicate how close people are to completing a task a company is trying to 
encourage, such as completing a social networking profile or earning a frequent shopper loyalty award.
virtual currency
systems for awarding, redeeming, trading, gifting, and otherwise exchanging points
challenges between users
embedding small casual games within other activities

There are hacker challenges and competitions that encourage youth into the field of information security (or used as 
a recruiting ground by government agencies or companies)

What could day-to-day gamification of Information Security in the workplace look like?  I want to brainstorm a few 
ideas first without thinking about the specific implementation (as this may put constraints or limits on the 
mechanics of the awards).

For example, awards could be something like:

"Security First": # of days without violating security policy or acceptable use (30 days, 90 days, 6 months, 1 year, 
2 years, 5 years)
"Security Smarts": # of hours of security awareness training completed (users could also get credits for reading 
security bulletins).
"Security Star": based on the score an employee receives on security awareness quiz (bronze: >80%, silver: >90%, 
gold: 100%)
"Strong Passwords": employee uses strong passwords
"Memory Like an Elephant": # of days without a password reset (30 days, 90 days, 6 months, 1 year, 2 years, 5 years)
"Security Points": some form of currency or experience points for completing security related tasks or activities

For IT staff there are other things I can think of regarding service management, system management, patch management, 
change management and risk management (this can apply to most employees).

Maybe these are tracked and displayed individually or as a department to foster friendly competition and encourage 
better security practices.  Maybe these are used as part of an annual performance review.

Basically, information security departments tend to get a bad reputation because they are the stick enforcing 
security policies.  I'm trying to think of ways to be the carrot.  I would rather provide a wall of fame for the 
superstars rather than a wall of shame (though I remember in one organization we had a giant screw mounted on a piece 
of wood... "screw up award"... it was the hot potato... we were always quick to pass it along to the next deserving 
coworker).

Any examples of gamification you've experienced in the workplace?  Or, can you think of any ways to gamify 
information security?

.b



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
