What does Fortnite do to get kids so addicted to it? Why are kids eager to spend money on Easter eggs and tokens that have nothing at all to do with quests but are just fun? And why do millions of young people watch other people play Fortnite on Twitch?
More importantly, what can Fortnite teach us about cybersecurity awareness programs?
Those are the questions that Shayla Treadwell, director of cybersecurity and organizational psychologist at ECS, had after observing her preteen relative’s passion for the video game. What she came up with was an approach to cybersecurity awareness strategy and planning based on the tenets of video game obsession and humanistic behaviorism, which she presented at (ISC)2 Security Congress in Orlando.
Why Security Awareness Is Important
The threat landscape is rife with dangers to your organization. The bad guys seem to be getting smarter or better at circumventing security tools. More companies admit that they are more concerned about the reputational hit from a data breach or other cyber incident than about the financial hit. You may never fully recover from reputational damage.
The biggest risk to the security landscape? The usual answer is the human factor. People are the ones who are causing all these threats; people are the ones who make the mistakes that cause data breaches; people aren’t doing enough to be cybersecurity-educated.
Treadwell sees it differently, though. She said we need to see humans as the best defense to cybersecurity, and that begins with addressing the elephant in the room: security awareness. Most people simply have little to no security awareness. And why is that important? “Security awareness seeks to influence the security cultural attitudes of employees regarding the protection of the information assets of an organization,” Treadwell said.
If you have a good security awareness program, your company is safer. But that’s not what you want to stress. You want to stress that your employees are safer. The more they know about keeping safe and protecting data, the better their overall security habits will become, and that’s something that they will take home with them. They’ll use better security hygiene on their personal devices and encourage their families to do the same. In other words, we need to change the language of security awareness, Treadwell said. We need to make it personal, and we need to stress how it will protect our kids. The more we emphasize it in those terms, the more it will spill back into the workplace.
What Fortnite Teaches Us
Fortnite has dance parties, and you pay extra for those dance parties that have nothing to do with the game. Yet, people pay for them. They give people a different type of connection to the game that has nothing to do with quests or winning or even the game. Instead, it introduces something desirable within the game and keeps users engaged in new ways.
Treadwell said watching the Fortnite dance party made her realize that organizations are taking the wrong approach to security awareness and education. They want to do it their way, when what they should be doing is engaging the employees in ways that matter to the employee. They should follow the practices of humanistic behaviorism, which Treadwell described as “The introduction of techniques or stimuli that can help individuals develop self-control skills toward a desirable outcome.”
Building community through a virtual dance party or watching other players to learn new techniques is how Fortnite uses humanistic behaviorism. In a security awareness strategy, security leadership wants to focus on improving the frequency of desirable behaviors. That starts by focusing on individual behavior and emphasizing the role of learning by explaining how to resolve problems. Treadwell stressed that we can’t learn if we aren’t taught how to recognize where things have gone wrong and how to fix things, but just as importantly how to make things better. Watching someone’s techniques will provide new insight into how to make yourself better. That works in Fortnite and it works in cybersecurity, too.
Your security strategy should be a framework of how you make decisions, built around the security awareness your employees have acquired. Draw them into the security strategy. Get them to understand that everything they learn to benefit the company will also benefit them. And if you have to, throw a dance party once in a while to build the community. The more everyone works together, the more they’ll succeed as individuals, and the more secure your organization will be.