Escaping Traditional Cyber Security Awareness Training


As many of you know, Cyber Security Awareness Training has always been near and dear to my heart.  I am a firm believer that everyone should be equipped with the right tools to defend themselves should they become the targets of bad actors; but over the years, I have seen something of a plateau in its effectiveness among my colleagues.

One of the apparent challenges many have with today’s methods of learning is literally consuming the same material without flair or consequences.  In hindsight, I can see where that would be an issue.  It’s like chewing the same piece of gum for an extended period of time.  After the flavor is gone, it just seems like you are going through the motions.  Eventually, it loses its appeal or purpose and gets discarded.  The same could apply to using the same techniques year over year.

You see, as an employee, if all you are looking forward to is an hour of downtime clicking through screens, boredom will set in, and quite quickly.  The brain will not be receptive to learning because there is no interest or value in the seemingly regurgitated material.  So how do you solve that as an organization?

A quick aside that will dovetail into this post (I promise).  One of my favorite networking events over the last 12 months has been joining the ISC(2) Alamo Chapter.  It’s been a joy getting to know all of the members as well as seeing the breadth of knowledge and (non-monetary) resources they have at their disposal.  This month they organized an Escape the Room-style event.

For months since the announcement, I didn’t know what to expect and was filled with anxiety and excitement for the event.  I have seen others in the community (but outside of our Chapter) stream Capture The Flag (CTF) content, and seeing the lengths that they would go to in order to complete the challenges, I felt I would be out of my depth.  When I logged into this month’s meeting, I was utterly shocked at what we were getting into.

The Chapter Head introduced that they had secured a spot for all of us to participate in a web-based team builder exercise developed by a company called Living Security.  The vendor specializes in Cyber Security Awareness Training for Fortune 1000 companies and/or large enterprises.  What makes them unique is the format and literal gamification approach they take to providing awareness training.

Gaming Into Gear

Effortlessly, we were assigned into groups of three by the administrator.  The material instantaneously captured my attention as the initial presentation was laid out as if we were agents of a secret organization.  Our mission (if we chose to accept it) was to complete 10 challenges within a 1-hour timeframe.  The challenges were described as an engagement of activities including the identification of security violations, OSINT (open source intelligence) and Social Engineering attacks.  After the announcement of the last two activities, my ears perked up, I sat up in my seat and leaned in considerably.  With a big smile on my face, and excitement in my heart, I yelled to my virtual team, “YEAAAAAAAAH!”

It was literally at this moment that I knew this wasn’t just a techie version of escape the room but that this would be a unique Cyber Security Awareness Training platform and I was definitely here for it.

Without spoiling the details, I will say that the initial challenge was fun, though not terribly difficult, which I assume was by design.  We were asked to identify a variety of violations in a corporate office.  This challenge was likely placed there to get us acquainted with the platform itself.  In the back of my mind, I was secretly hoping the next one would be a bit more challenging.

We knocked out challenges 2 – 5 pretty quickly, but as we got to challenge 6, we could tell that the difficulty was noticeably different.  In the previous challenges, the leader of the group could single-handedly solve the challenge without much input from the rest of the team.  Challenge 6 was going to require a bit more teamwork, and this is where it got fun.

Instead of playing the role of the end user or admin, we got to test our skills as the threat actor. I recall the group looking at each other with a small smirk on our faces and a nod.  This was an interesting approach to learning.  

In one of the challenges, we had to do our own OSINT to craft the perfect social engineering attack against our target.  With a wide variety of material presented by the platform, we had to ensure that the attack we were about to perpetrate was convincing enough to trick our target and gain access.  This required real teamwork, and with the clock ticking, we could feel the anxiety of not reaching the end start to kick in.

Although we were only able to complete 7 challenges in an hour, I personally felt like I learned a lot more doing this than through the traditional way of learning.  After speaking with Living Security and providing feedback, I learned that they do provide a variety of different challenges with more difficulty than what was presented to us.  This is good to know, as we were only a small group, and putting this on an enterprise scale would require a vast number of challenges and difficulty levels.  To know that this is scalable is a positive sign for the company.

Is Gamification the Future of Cyber Security Awareness Training?

That is the question, and I would say yes.  There is something about being competitive that brings out the best in all of us, and if we can harness that energy into learning something new and being effective at it, I believe that experience will last a lifetime, improving network security.

Unfortunately, I did not have the opportunity to inquire about their clients’ average ROIs (return on investment) or net gains from utilizing a service like this, but I would definitely be interested in the metrics from a business perspective.  As a security researcher, I would love to dive deep into year-over-year metrics and see how effective this approach is.  With the increased amount of ransomware and data breach attacks in the last five years, out-of-the-box thinking like this could be a game changer (sorry, needed at least one pun).
