A panel of security professionals at the SC Congress in New York agreed that phishing email "social engineering" tests, used to raise security threat awareness among employees, should be turned into a game.
During the October 20 panel, its members said that instead of secretly testing staffers, companies could benefit by turning these tests, which are designed to increase employee awareness of internet security issues like phishing, into competitions between different offices or departments.
Bruce McCulley, senior information security specialist, U.S. Senate – Sergeant at Arms, said that companies should keep in mind that their employees want to do the right thing. He pointed out that by turning social engineering tests into a game and keeping score, you can monitor progress and give employees an incentive to practice safer habits that don't interfere with their workflow as much.
McCulley added that companies should point out to employees that it's in their best interest that they understand cybersecurity, not just for the safety of the business but also on a personal level.
Michael Lamberg, vice president, CISO, at OpenLink Financial, told the audience that security officials should look to “find a hook” that helps their employees put cybersecurity into perspective, so that they view internet safety much as they view their safety in the real world.
James Gabberty, professor of computer science and information systems at Pace University, said companies should also not be judgmental when helping their employees understand cybersecurity.