Games-based cybersecurity training: Beaumont Health System's latest safety tactic
When Beaumont Health System in Dearborn, Michigan, identified the need for heightened and more effective security training in 2014, it brought on a new security executive with a bright idea. Scott Larsen, manager of cybersecurity operations and architecture, tracked down a company that delivers security training in bite-sized chunks – 10-minute interactive sessions using the gamification style.
“Our previous security training was death by PowerPoint,” Larsen said. “It was very non-interactive, very sterile and uninteresting. It did not capture the interest of the end user. The responses we got was ‘this is not useful to me, it’s a waste of time, I don’t understand why it’s necessary,’ comments like that. The employee engagement was very challenging.”
The 10-minute training modules from security training firm Security Mentor, on the other hand, have vastly improved employee engagement according to user feedback, Larsen said.
“It is presented in a very interactive format; all throughout they share different scenarios based on real events in the workplace,” he explained. “It asks questions and quizzes the user at each stage.”
It’s games-based learning, added Dan Lohrmann, chief strategist and chief security officer at Security Mentor.
“We mix it up, we like gamification, interactive content, sometimes the games are at the beginning, sometimes later,” Lohrmann said. “Take our phishing lessons. We identify some basic definitions around what is phishing, what is spear-phishing, what are the tricks hackers use, how does social engineering work. [Cybercriminals] are outstanding at what they do, they trick us because they play on our emotions and other factors, so we tell users what to look out for.”
Phishing could occur via e-mail, text message or phone, and the training module shows ways that people get tricked in each modality.
“We walk through the why, the how, the where, some real-life examples, then we walk them through three brief games, they are fun and interactive, but we are training people as they go through the lesson and as they play the games,” Lohrmann added. “The first one is a simple text message from Susie, check out this great video. It’s a shortened URL. People drag the flag over to say this is a shortened URL and it’s a phishing event. And maybe another example where they have to get the seven reasons why this is a phishing attempt, like find the missing e-mail element.”
The training firm also adds content customized to an organization, such as who to turn to in a situation that might be a cyberattack.
“We’ve got quarterly training: ‘You Are The Key to Security’ is one, ‘Don’t Get Phished’ is another one, ‘When Is A Friend Not A Friend’ for social is another. We’re running a total of 12 and we’re going to add another two,” Larsen said. “And they are working on a custom lesson for us. Some of the new lessons include Internet of Things, Keeping Your Office Secure, Protecting Information, and The Wild Wild Web for safe online browsing.”
Beaumont Health System started the training right before the spike in cyberattacks in healthcare, so the lessons were quite timely and helpful, Larsen said.
“We got ahead of that and as things started to unfold in the industry employees got to see why it is so important,” he said. “We cannot afford buying all of the technology to protect us, and our people are our greatest asset, so we’re much better off with better training. We are getting a lot more advance notice from our users who say I think this is spam or phishing, what do you want me to do with it? We’re getting more proactive employees.”