Gamifying Security Awareness

As a high-profile internet technology business, we take our responsibility for information security very seriously. IAC’s Chief Information Security Officer establishes a framework and expectations for all businesses, and each is scored based on their fulfillment of requirements across the various categories that make up the framework. Employees are strongly incentivized to meet these expectations. Security awareness—the process of educating all employees on the importance of cybersecurity—is one specific area on this scorecard, and we host an annual security awareness month to meet this objective.

This year, as security awareness month approached, we asked employees what they remembered learning from the previous year. It quickly became obvious that aside from a few security tropes, much had been forgotten (or possibly never learned!), which was a problem. As a lean organization, the importance of each individual understanding their part in our overall security process cannot be overstated. We deliberately do not dedicate security roles to individuals, requiring that everyone carry an extra bit of burden in the interest of having a strong collective security posture. Our development teams have embraced DevOps practices, so expanding this to incorporate security (i.e. DevSecOps) fits naturally with our culture.

To make the lessons from security awareness month memorable, we put our creative hats on. We changed the traditional security awareness process into an ongoing month-long game for all. Eschewing security-related signs and banners in the office, we opted for activities and games that mandated participation. We awarded points (positive AND negative) for quizzes, online course completion, attendance at presentations, and on-site tasks that required full engagement. Games included challenges like capturing selfies in front of unlocked and unattended computers, along with secret challenges that tested awareness when people didn’t think they weren’t being watched. We involved the entire organization in efforts like bug hunts, identifying MFA capable services missing them, sleuthing data exfiltration and cleartext password occurrences that had escaped notice. We even brought in outside “spies” to test our physical security. And finally, we prominently displayed a leaderboard in the office and online, with daily status updates communicated via slack. At the end of the competition, we awarded prizes to the top 6 point-recipients—and remediation classes to everyone with a negative score!

Security Crimes—taking selfies in front of unlocked, unsupervised computers

The approach was not uncontroversial. Initial complaints included concerns that the games were tilted in favor of the technical staff, that being called out might be bad for morale, and that the staff had enough “real work” to do without having this requirement. Despite that feedback, the competitive instinct (or desire for prizes and to avoid remediation classes) drove a level of participation that took the organizers by surprise and essentially resulted in a points-race on a daily basis.

When security awareness month came to an end, we realized we had a lot to think about as an organization. Increased participation demonstrated that individuals are willing to care about security when presented in the right format.

  • Security is not simply a checklist. It’s dynamic, constantly evolving, and requires ongoing vigilance.
  • One policy does not fit all. For example, we found that 3 folks get more phishing emails than everyone else. The top recipient gets 5x more than the next person. This is useful information because rather than buy expensive software services for everyone, we can pilot solutions with the target group.
  • Physical security is susceptible to social engineering. Collectively, we failed most of the games focused in this area. Two spies made it into the office–one sat down and worked at a desk for an hour, the other walked the office twice unescorted and without being stopped or questioned. In both cases, the staff commented that the spies didn’t look untrustworthy! Chivalry or niceness simply obviated the physical security measures in place. This again highlighted the necessity for “lock your screen when you step away” policies which seem tedious but can limit the effectiveness of socially engineered physical intrusions into our office space.
  • Don’t assume everyone knows and understands security best practices. We found that we had a number of secrets improperly stored in plain text/code. We thought the best practice was rather obvious, but the feedback we received suggested that the policy wasn’t understood or evangelized, highlighting the need for continuing education. It also presented an opportunity to create automated solutions to police these practices.
  • Security IS everyone’s responsibility. We discovered that we had some applications that were Multi-Factor Authentication (MFA) capable but that hadn’t been enabled since inception. Every member of the organization, technical or otherwise, must challenge themselves to think about the security implications, and continuously go back to determine whether capabilities that were previously unavailable have since been implemented.

With everything we learned during our security games, we welcome the opportunities for remediation and initiatives we have identified. Most of all, we look forward to once again engaging our colleagues and continuing to keep them on their toes with security awareness.

by Roro Okpu, Software Engineer