I am a member of the IT security team of a large organization in the financial services industry. I have been with my employer for about 7 years, and am well respected, often serving in an advisory capacity to management. Recently we started a peer security champions program, of which I am a member, to aid other employees in secure practices and promote security awareness.
While all employees are required to acknowledge security policies annually, it seems that employees either don't bother reading the policy or don't understand its importance, so it's only acknowledged on paper. For example, many questions the security champions team gets are addressed in policy and cover common requirements such as when encryption is required or processes to follow when traveling with company computing equipment. The folks that asked these questions have been with the company for many years and our policy averages only about 2 - 3 pages, so I don't think either lack of experience or unreasonable requirements are at fault.
Previously, I asked a question about whether security policy acknowledgement should be tailored based on user job roles, and based on feedback, we customize end user security training modules. Results have been positive. To help increase employee awareness, we are thinking of using principles of gamification, such as awarding points to employees who can answer quiz questions correctly, and allowing trades for small prizes when points accumulate to a certain level.
Is gamification for the problem in the second paragraph a good idea?