Use gamification techniques to improve your security posture and decrease breach risk
Identification of risk owners
Before leveraging gamification for cybersecurity posture improvement, it is important to map risk to owners. Balbix discovers asset owners by observing and analyzing your network traffic and endpoint behavior with specialized AI algorithms. The platform can also incorporate information (even if outdated or incomplete) from your CMDB and legacy inventory systems.
You can use natural language search to define groups and assign them to specific owners. Groups and owners can be organized in multiple hierarchies to reflect the organizational structure of your enterprise. With Balbix’s search capabilities, you can look for gaps in ownership and use this to further refine your setup.
Notifications and digests
As a gamemaster, you will need the ability to communicate with your game players (risk owners) using rich context. For example, when a new threat such as wannacry emerges, you will want to automatically notify each risk owner about the situation and let them know if they have a new remediation task that they need to complete.
Balbix’s flexible notifications framework enables you to set up and manage this type of systematic distribution of tasks. You can customize and specify the conditions under which tasks will get created and assigned. Some tasks would be of a periodic nature, while others would be triggered by some external event.
Tasks with context
Each required mitigating action becomes a task with a value that reflects priority. When assigning tasks, you will want to provide risk owners with maximal context including information about different options for mitigating the risk. Humans generally perform best when provided with some degree of autonomy in how the task may be achieved and are more engaged when they know they have room to learn and show creativity and initiative.
Humans also learn a lot from failure, so you will want to tolerate a little bit of this without compromising the overall integrity of your security program. The Balbix platform provides maximal context where your risk owners will learn every day and continues to stay engaged because of this learning opportunity.
Points and incentives
Points and incentives are at the heart of gamification. As your risk owners complete tasks in a timely fashion, they are awarded points. The accumulation of points is what drives your risk owners and also lets you measure the relative effectiveness of different risk owners. The Balbix platform can be programmed to track and verify the completion of tasks by risk owners, including their points and other achievements. Positive feedback to risk owners is in real-time as their points balance increases. This information can then be published as leaderboards.
You may also want to create quarterly or annual financial incentives for the “winners” of your game. These can go a long way in incentivizing engagement and ownership for your colleagues in the game.
Integrations to ticketing and orchestration
The introduction of gamification into your cybersecurity practice does not have to be outside your existing enterprise workflows and reporting frameworks. In fact, both of these systems operate together.
Balbix integrates with ticketing systems like ServiceNow and Jira so that you may use tickets to carry task assignments and context. All of your traditional tracking and reporting systems that work on top of your ticketing system will continue to work as you gamify.
Leaderboard and badges
The gaming leaderboard is key to harnessing the competitive spirit of your risk owners to aggressively manage cyber-risk. Public recognition in the form of (physical) badges that are achieved also goes a long way in driving a deeper sense of risk ownership and management to individual risk owners. In an ideal world, badges also infer some privileges on the badge-holder. For example, a holder of the “Risk Busting Ninja” badge-of-honor may have the right to go to the head of the coffee line in the company cafeteria.
The Balbix notifications and digests can be programmed to implement a leaderboard and track badge achievements.
How to Calculate your Enterprise's Breach Risk
9 Slides Every CISO Must Use in Their Board Presentation
Oerlikon Reduces Patch Time and Improves Management-Level Cyber Risk Visibility
2022 State of Security Posture Report