Escaping Traditional Cyber Security Awareness Training


As many of you know, Cyber Security Awareness Training has always been near and dear to my heart.  I am a firm believer that everyone should be equipped with the right tools to defend themselves should they become the ire targets of bad actors; but over the years, I have seen somewhat of a plateau in terms of the effectiveness among my colleagues.

One of the apparent challenges many have with today’s methods of learning is literally consuming the same material without flair or consequences.  In hindsight, I can see where that would be an issue.  It’s like chewing the same piece of gum for an extended period of time.  After the flavor is gone, it just seems like you are going through the motions.  Eventually, it will lose its appeal or purpose and it gets discarded.  Same could apply to using the same techniques year over year.

You see, as an employee, if all you are looking forward to is 1-hour of downtime clicking through screens, boredom will set in and quite quickly.  The brain will not be receptive to learning because there is no interest or value with the seemingly regurgitated material.  So how do you solve that as an organization?

A quick aside that will dovetail into this post (I promise).  One of my favorite networking events the last 12 months has been joining the (ISC)² Alamo Chapter.  It’s been a joy getting to know all of the members as well as see the breadth of knowledge and (non-monetary) resources they have at their disposal.  This month they organized an Escape the Room-esque style of event.

For months since the announcement, I didn’t know what to expect and was filled with anxiety and excitement for the event.  I have seen others in the community (but outside of our Chapter) stream Capture The Flag (CTFs) content and seeing the lengths that they would go through to complete the challenges, I felt I would be outside of my depth.  When I logged into this month’s meeting, I was utterly shocked at what we were getting into.

The Chapter Head introduced that they had secured a spot for all of us to participate in a web-based team builder exercise developed by a company called Living Security.  The vendor specializes in Cyber Security Awareness Training for Fortune 1000 companies and/or large enterprises.  What makes them unique is the format and literal gamification approach they take to providing awareness training.

Gaming Into Gear

Effortlessly, we were assigned into groups of three by the administrator.  The material instantaneously captured my attention as the initial presentation was laid out as if we were agents of a secret organization.  Our mission (if we choose to accept it) was to complete 10 challenges within a 1 hour timeframe.  The challenges were described as an engagement of activities including the identification of security violations, OSINT (open source intelligence) and Social Engineering attacks.  After the announcement of the last two activities, my ears perked up, I adjusted out of my seat and leaned in considerably.  With a big smile on my face, and excitement in my heart, I yelled to my virtual team, “YEAAAAAAAAH!”

https://youtu.be/pIKZi5HbPQo
YouTube: Living Security

It was literally at this moment that I knew this wasn’t just a techie version of escape the room but that this would be a unique Cyber Security Awareness Training platform and I was definitely here for it.

Without spoiling the details, I will say that the initial challenge was fun; not terribly difficult which I assume was by design.  We were asked to identify a variety of violations in a corporate office.  This challenge was likely placed there to get us acquainted with the platform itself.  In the back of my mind, I was secretly hoping the next one would be a bit more challenging.

We knocked out challenges 2 – 5 pretty quickly but as we got to challenge 6, we could tell that the difficulty was noticeably different.  In the previous challenges, the leader of the group could single-handedly solve the challenge without much input from the rest of the team.  Challenge 6 was going to require a bit more teamwork and this is where it got fun.

Instead of playing the role of the end user or admin, we got to test our skills as the threat actor. I recall the group looking at each other with a small smirk on our faces and a nod.  This was an interesting approach to learning.  

In one of the challenges, we had to do our own OSINT to craft the perfect social engineering attack against our target. With a wide variety of material presented by the platform, we had to ensure that the attack we were about to perpetrate was convincing enough to trick our target and gain access.  This required much-needed teamwork and with the clock ticking, we could start to feel the anxiety of not getting to the end kick in.

Although we were only able to complete 7 challenges in an hour, I personally felt like I learned a lot more doing this than the traditional way of learning.  After speaking with Living Security and providing feedback, I learned that they do provide a variety of different challenges with more difficulty than what was presented to us.  This is good to know as we were only a small group and putting this on an enterprise scale, would require a vast amount of challenges and difficulties.  To know that this is scalable is a positive sign for the company.

Is Gamification the Future of Cyber Security Awareness Training?

That is the question and I would say yes.  There is something to being competitive that brings out the best in all of us and if we can harness that energy into learning something new and be effective, I believe that experience will last a lifetime, improving network security.

Unfortunately, I did not have the opportunity to inquire about their clients’ average ROIs (return on investment) or net gains by utilizing a service like this but I would definitely be interested in the metrics from a business perspective.  As a security researcher, I would love to dive deep into year over year metrics and see how effective this approach is.  With the increased amount of ransomware and data breach attacks in the last five years, out of the box thinking like this could be a game changer (sorry, needed at least one pun).


For over 20 years, I have had the distinct opportunity to work in the Information Technology space under a variety of distinct roles. My unique position has helped me become a risk management Maven for Fortune 500 and Small Business Companies around the world. For the last 12 years, I have assisted Small Business Owners and Insurance Agencies understand the impacts of Cyber Incident exposures and what steps to take to help mitigate potential data breaches. My desire to expand my reach related to cyber security has led me to establish the Sage Knows IT blog as a way to help Small Business Owners and aspiring Information Technology (I.T.) Professionals better understand the roadmaps of I.T. through the experiences I have had. Information Technology and Information Security are the future of our world and I hope this blog will inspire those that are interested in joining our ever-evolving field.
