4/11/2011 Gamification of Information Security ...Pauldotcom(mailist )

Gamification has been the buzz for the past few years. Game design concepts are appearing in everyday interactions like education, physical fitness/wellness, automotive design and even personal finances [and]. I am thinking about ways to use gameplay mechanics to reward employees for completing otherwise mundane tasks. I want to unlock that achievement "Making Work Fun".

Typical gaming techniques include:

achievement "badges"

achievement levels

"leader boards"

a progress bar or other visual meter to indicate how close people are to completing a task a company is trying to encourage, such as completing a social networking profile or earning a frequent shopper loyalty award.

virtual currency

systems for awarding, redeeming, trading, gifting, and otherwise exchanging points

challenges between users

embedding small casual games within other activities

There are hacker challenges and competitions that encourage youth into the field of information security (or used as a recruiting ground by government agencies or companies)

What could day-to-day gamification of Information Security in the workplace look like? I want to brainstorm a few ideas first without thinking about the specific implementation (as this may put constraints or limits on the mechanics of the awards).

For example, awards could be something like:

"Security First": # of days without violating security policy or acceptable use (30 days, 90 days, 6 months, 1 year, 2 years, 5 years)

"Security Smarts": # of hours of security awareness training completed (users could also get credits for reading security bulletins).

"Security Star": based on the score an employee receives on security awareness quiz (bronze: >80%, silver: >90%, gold: 100%)

"Strong Passwords": employee uses strong passwords

"Memory Like an Elephant" - # days without a password reset (30 days, 90 days, 6 months, 1 year, 2 years, 5 years)

"Security Points": some form of currency or experience points for completing security related tasks or activities

For IT staff there are other things I can think of regarding service management, system management, patch management, change management and risk management (this can apply to most employees).

Maybe these are tracked and displayed individually or as a department to foster friendly competition and encourage better security practices. Maybe these are used as part of an annual performance review.

Basically, informatio security departments tends to get a bad reputation because they are the stick enforcing security policies. I'm trying to think of ways to be the carrot. I would rather provide a wall of fame for the superstars rather than a wall of shame (though I remember in one organization we had a giant screw mounted on a piece of wood... "screw up award"... it was the hot potato... we were always quick to pass it along to the next deserving coworker).

Any examples of gamification you've experienced in the workplace? Or, can you think of any ways to gamify information security?


taken from :http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom

Digg it StumbleUpon del.icio.us