Behavioral and cultural change are not only important aspects of information security and privacy … but also one of the most difficult. Everyone knows that change is not easy, whether at the individual level or at the corporate level. Just think, how long have you been saying you want to take 10,000 steps daily, schedule more time for yourself, or spend less time on your phone? Probably for a long time without actually doing anything about it.
A culture that safeguards secure behavior is essential to an organization’s information security and privacy. Suppose a municipality deploys virtually everything; from e-learning to phishing tests to using the latest password managers to secure their data and systems from outside dangers. Without the essential behavioral and cultural change among employees, you can deploy whatever you want, but the danger of a data breach remains. You may be slightly better protected against cybercriminals, but strong information security stands and falls with its human line of defense.
But difficult certainly does not mean impossible. There is a technology that makes behavior change much easier. Also known as the “Serious Game. Not a classic game for entertainment but a cutting-edge technology that allows you to playfully convey new insights and concepts that ultimately contribute to sustainable behavior change.
Serious games vs. entertainment games
Serious games are games used for primarily non-entertainment purposes. In the aviation industry, the serious game, or flight simulation, has been used for some time. Through real flight simulation, future pilots learn several critical flight maneuvers. But the serious game is now gaining ground in other sectors, including cybersecurity and privacy
The most important aspect that distinguishes serious games from entertainment games is the educational purpose. Serious game developers want to teach their players something, give something away. For example, awareness of a particular problem, transferring knowledge or bringing about a change in behavior. The creators of serious games use the motivational principles (such as curiosity, competition and reward) from entertainment games to encourage their players to play the game. Then they use this won attention to teach their players something in an engaging way.
Why changing behavior is so difficult
“Humans are pleasure-seeking creatures of habit.” writes psychologist Martin Appelo in his book “Why Change (Usually) Fails. Why changing behavior is difficult can be attributed to the functioning of our brain. Appelo explains that we do most of our daily actions on autopilot. For repetitive or ingrained actions, we use only our reptilian brain (the oldest part of the human brain). In the reptilian brain, all fixed habits are programmed and cost us the least amount of energy to use.
During a particular action or making a choice, we therefore choose the option that is most familiar to us, completely unconsciously and often intuitively. Furthermore, we also have a limbic brain that regulates our emotions and is guided by rewards and punishments (always preferring that which is pleasurable, hence pleasure-seeking). And the youngest part of our brain is the neocortex, which provides our ability to think. This part of the brain allows us to analyze, communicate and reflect, but it also costs us the most time and energy.
Daniel Kahneman also describes this phenomenon in his book “Thinking fast and slow. In which he shows that our brain operates from two modus operandi: systems 1 and 2, as he calls them . System 1 acts as the unconscious autopilot by which we make 95% of our decisions. System 2 is our rational system through which we make only 5% of our decisions through conscious and controlled thought processes. Which means that 95% of our choices are intuitive/emotional and only 5% are rational.
To change behavior, we first need a wake-up call. The message that our (automatic) actions are no longer adequate and we need to make conscious choices. In the areas of information security and privacy, that message has long been broadcast: “work safely and use a password manager,” “this is how to recognize a phishing email,” “these are the consequences of a data breach.” The wake-up calls have been sent out, the message has arrived, awareness has been created and yet it still does not always succeed in actually changing behavior. Even better than just awareness is a shock effect. A situation in which one immediately experiences clearly that one’s current actions are absolutely unacceptable.
Thus, we go from unconscious incompetence to conscious incompetence and feel the urgency to change. We switch from system 1 to 2, or from unconscious and intuitive action to a controlled thought process that allows us to make a rational choice.
After feeling the urgency that something must change, or motivation, people will have to move, act accordingly. Here it is necessary to be aware of the alternatives in behavior, to see and be able to estimate to what extent these are going to make a positive impact and what that means for yourself or the group.
Finally, the new operation will have to be repeated. Just until the new behavior is ingrained and the old behavior is replaced. After that, we can go back to making consciously competent decisions nicely as pleasure-seeking creatures of habit on autopilot, but safely.
How serious games bring about behavior change
And that’s exactly where serious games add value. In addition to creating a shock effect (think: getting hacked, experiencing the effect of clicking on a phishing email, or causing a massive data breach), a well-developed serious game lets its players experience the consequences of certain behaviors.
Unlike other media products such as educational films, books and e-learnings, serious games are interactive and can often be played in teams. The player is actively involved in making decisions, is completely immersed in the game experience and receives immediate feedback on his or her decisions. According to researchers Ritterfeld, Cody and Vorderer, who wrote the book on mechanics and effects of serious games, this is why serious games produce better learning outcomes.
“Serious games are both educational and fun because they are intrinsically motivating. The game environment is responsive and can have complexity that enables learning opportunities.”
Besides just the wake-up call, in the form of a shocking scenario, direct feedback on your choices challenges the unconscious behavior. You will need to use the neo-cortex to think analytically about your choices, your own behavior, how your behavior relates to your work and any implications of your behavior. Through direct and constructive feedback on your actions, you are reached for possible alternative courses of action.
So you not only read about potential dangers but you literally experience what happens in such situations. As Confucius (551-479 B.C.) already said, “Tell me and I will forget. Show it to me and I will remember.” Let me experience it and I will make it my own.”
“Tell me and I will forget. Show it to me and I will remember it.” – Confucius
The second step in behavior change has been taken. After recognizing unconscious unwanted behavior, you will have to act on it and make new rational choices. In serious games, this is done through an intrinsically motivating game where, under the guise of pleasant experiences, your limbic brain is always eager to win and thus must learn to make the right choices. The step, which often fails traditional media.
The final element of lasting and sustainable behavioral and cultural change is repetition. The more often one performs certain actions or has to make choices, the faster it becomes automatic. In this, unfortunately, we still have to resign ourselves to the discipline of the individual himself. But we can, of course, promote repetition by using other interventions. Or repeating it in meetings and making it a standing agenda item. You can also invite a speaker or train colleagues to become information security and privacy ambassadors who in turn can coach others in the workplace.
How Brooklyn Partners uses serious games
Serious games can be used in a number of ways. We use them primarily as part of a broader awareness program, or as part of our “Approach 100% Cyber Aware“. After we have clearly mapped out the goals to be achieved in an organization and the corresponding behaviors we want to see changed, we select an appropriate serious game.
Our clients also often use serious games as an introduction for new colleagues. Instead of boring and dry material regarding information security and privacy, entry-level students learn about these important topics in an engaging way. In this way, you invite new colleagues in an engaging way to join the conversation together, work together and adopt the right processes.
Brooklyn Partners’ serious games
At Brooklyn Partners, based on different themes, we have developed a number of innovative and stimulating serious games. For example, we have a game all about basic safe behavior, such as handling passwords. In the game, you will learn and experience how to hack someone’s inbox based on their social media data. Another example in this game is the use of (unknown) usb sticks, do you pick them up and put them in the computer? Yes or no? Plug it in, your game crashes for 30 seconds and you get feedback on your actions.
In another game, you experience the impact of your “little innocent behavior,” such as holding open secured doors or clicking on a phishing email. Above all, this game encourages constructive exchange and discussions within the team. As a result, the themes become fully alive in the workplace.
Furthermore, we have also developed a game that addresses the fact that “safe and fast work (should) go hand in hand. In which it is not a question of one or the other. In passing, this game also introduces you to the future of deep-fakes.
And finally, a game about ransomware, where at one point you get to negotiate with a hacker. You really experience what it is like to be in a negotiation, how the ransom amount rises or falls, how you are threatened to sell your data on the darkweb. You are fully part of the experience. In the interactive chat, you will learn that there are a lot of ways to enter such a conversation. Based on your answers and actions, the outcome of the game changes. But above all, what we want to teach you is the fact that behind seemingly small hackers there is a professional business
Next level serious games
What makes our serious games even more real is the fact that we adapt the games to the organization where we deploy them. So the player is addressed by his or her own director or manager, interfaces are adapted to the interfaces of the organization, we follow the internal processes, and we email with our own contacts such as the CISO. This is to mimic one’s own situation as accurately as possible and increase the effect of the game.
In addition, you play all of our games as a team; either as multiplayer, or together on the same screen. You can also play it alone, but playing together is both more fun (you don’t go monopolizing by yourself) and more educational! Much of the learning aspect is in the shared experience with colleagues, hearing other motivations, making other decisions and discussing together what is a right or wrong choice.
Not to mention, the positive learning experience. We make sure that most of the participants can finish the game. Through the feedback given, you can continually make adjustments and ensure that you successfully reach the finish line. Important because a positive learning experience is key to a successful learning experience.
In short, the serious game is a worthy warrior on the information security and privacy front. Through a shock effect, an interactive learning environment, immediate feedback on choices made, providing alternatives, constructive discussions and repeatedly engaging with information security and privacy, cyber security and desired behaviors eventually become part of cyber awareness. Interested in even more applications of the game aspect in the workplace? In our next article, we will discuss the “gamification of information security. Stay tuned!
Wondering if serious games can do something for your organization? Or experience a serious game yourself? Plan
here
submit a Demo immediately!
