The employees at your organization are badly in need of security awareness training. What do you do?
- A. Bore them with dull content that feels like a lecture.
- B. Engage them with gamified, interactive lessons.
"B" is obviously the correct choice, but not all companies succeed in motivating their workers to learn the ins and outs of phishing, social engineering and other cyber threats.
One of the more intriguing offerings to help in this regard is a new video-based security awareness training program from Madison, Wisconsin-based Infosec (aka the Infosec Institute) – based on the nostalgic Choose Your Own Adventure brand of books. Originally published between 1979 and 1998 and reissued to this day, the "CYOA" books have entertained young readers for decades, challenging them to make choices as stories progress and then supplying them with different endings – not all of them happy – based on their decisions.
The concept lends itself well to corporate security awareness programs, considering that employees also face high-stakes choices that can either avert a cyber disaster or trigger one.
“We've been looking for ways to help our customers better engage their workforces around [a topic] that, honestly, the workforce can see as boring,” said Jack Koziol, founder and CEO at Infosec, in an interview with SC Media. “You don't want to force people to take the training because then they don't really pay attention to it, so we're always trying to figure out ways to make things... more interesting.”
That’s why Koziol was thrilled when he discovered last year that the Choose Your Own Adventure brand was available for licensing. “I read a lot of Choose Your Own Adventure books and I always loved them,” Koziol continued. “As a kid of the ’80s, I probably read 40 of them.”
Upon hearing Infosec’s pitch, ChooseCo, the publisher behind Choose Your Own Adventure, could tell this proposal was a natural extension of its well-known brand. “We’ve been approached many times, but it’s never been quite the right fit,” said ChooseCo CEO and publisher Shannon Gilligan. “One of our jobs is to make sure the brand stays true to its zeitgeist, its character, and [Infosec] really had it down right from the beginning.”
Koziol said that feedback from corporate customers has been positive in the early going because it feels “like an actual game and actually fun, and not like torture.” There is particular enthusiasm, the CEO continued, among “forward-thinking organizations” with more mature “security awareness programs that are looking to do more than just ‘check the box.’”
Launched in January 2021, Infosec’s first installment of its Choose Your Own Adventure Security Awareness Games, “Zombie Invasion,” is an homage to the monster/horror genre. The premise: a malware program is turning employees into drooling zombies. The trainee playing the game assumes the role of a marketing employee who must defend her company against various forms of malware delivery, including weaponized links and attachments.
At one point, the employee receives a social media invite that appears to come from the CEO, but she is mildly suspicious. You, the player, now have three choices: click the link in the invite, report the email, or delete it. Clicking the link turns you into a zombie (though you will be given a second chance to correct your mistake). Deleting it will save you, but your co-worker will turn into a zombie because no one warns him of the same scam and he gets tricked. The best course of action, naturally, is reporting the scheme, which saves all employees from the attack.
Make all the correct choices, and you will be promoted. Make mistakes along the way, and you or your mates may not survive the workday intact.
“We're really trying to capture the spirit of Choose Your Own Adventure in the modules, where it's fun and it's quirky and things happen that are unexpected,” said Koziol. “That’s the fun part of it. I recently read a Choose Your Own Adventure book with my 10-year-old son – the one about the yeti – and he likes reading the endings where the yeti pulls his arms off.”
In fact, the newest training module, which SC Media did not have the chance to preview, is called "Yeti Escape," and covers working from home.
Another adventure, "Deep Space Danger," centers on social engineering: Your space station, run by a supercomputer, needs repair. But three separate repair ships arrive to help. Two of them are fraudsters trying to socially engineer their way onto the station. Will you follow the correct protocols of authenticating the parties’ identities before granting them access?
“The premise of social engineering is that attackers rely on people wanting to be polite,” said Koziol. “The polite thing to do is not to question people. The polite thing to do is when someone asks you to hold the door open for him, you do it, and that's what social engineers take advantage of. So really what we're trying to drive home is: trust, but verify.”
Just last month, Infosec announced another tool in its portfolio – an employee survey designed to assess security culture within one’s organization. Companies that don't necessarily have the time and resources to develop their own survey can stand up this “Infosec IQ Cybersecurity Culture Survey” to perform a quick assessment of their organization.
The survey is designed to capture internal perceptions toward security practices, policies and strategies. Specifically, it helps measure five key domains: how confident employees are in applying their cyber knowledge, to what degree workers believe security is their responsibility, how engaged employees are when undergoing security training, how much workers trust their company’s security procedures, and how workers perceive the consequences of a security incident.
“Once an organization gets a score for each domain, they can get a better idea of how strong or how weak they are in those domains,” and craft a strategy accordingly, said Tyler Schultz, product marketing manager at Infosec. “Each organization can… run the survey early on to see where they stand and then run that survey again in six months or 12 months to see… how they're improving or how things are trending.”