The document discusses gamification strategies for enhancing security awareness, including techniques like Digital Self Defense (DSD) dojo, escape rooms, and self-phishing initiatives. It emphasizes goals such as improving phishing recognition, increasing training participation, and fostering a positive training environment. Various structures, tools, and data on phishing reporting outcomes are also highlighted to propose effective security education methods.

2. © 2019 Ben Woelk
https://youtu.be/cRTaksvIpUg

3. © 2019 Ben Woelk
What is Gamification?

4. © 2019 Ben Woelk
Why Gamify Security
Awareness?

5. © 2019 Ben Woelk
Changing the
Culture
Build strong roots

6. © 2019 Ben Woelk
Build on Foundation
•DSD classes
•Monthly topics
•Social media
•Leverage events

7. © 2019 Ben Woelk
Inspiration

8. © 2019 Ben Woelk
DSD Dojo

9. © 2019 Ben Woelk
Digital Self Defense (DSD)
Dojo

10. © 2019 Ben Woelk
Dojo Goals
•Socialize best practices
•Increase training participation

11. © 2019 Ben Woelk
Structure
•Badges and Belts
•Website
•Physical Badges
•Gift Cards

12. © 2019 Ben Woelk

13. © 2019 Ben Woelk
Escape Room

14. © 2019 Ben Woelk
Goals
•Leverage escape room popularity
•Educate about phishing
•Educate about passphrases

15. © 2019 Ben Woelk
Structure
•Portable
•7 Puzzles
•Various locks
•USB drive
•Fishing game
•Email samples

16. © 2019 Ben Woelk
Self Phishing

17. © 2019 Ben Woelk
 Improve end user recognition of
phishes
 Improve timeliness of reporting
 Improve baseline detection rate by
25%
• For example, 70% detection rate to 87.5%,
NOT 70% to 95%
Goals

18. © 2019 Ben Woelk
Guiding Principles
 Self Phishing
 Positive Experience
 Non punitive
 Anonymized results
18

19. © 2019 Ben Woelk

20. © 2019 Ben Woelk
Phish Handling
Communications

21. © 2019 Ben Woelk
PhishBowl

22. © 2019 Ben Woelk
Phishing Program Structure
 Initial Announcement
 Division/Department
 3 and 1
 Follow up presentations

23. © 2019 Ben Woelk
Reporting
Results
• Ignored
• Reported
• Reported in First
Minute
2018 12
Delivery
2018 12
File
2018 12
Maintena
nce
2019 02
Order
2019 03
Credit
2019 03
Gloogle
Doc All
2019 03
Quarentin
e
2019 04
Red Light
ALL
2019 05
Office 365
Invoice
ALL
2019 06
Mailbox
Full All
2019 07
Ransomw
are All
F&A
Average
Ignored 94% 100% 99% 92% 97% 99% 99% 96% 94% 91% 99% 91%
Reported 18% 24% 19% 35% 35% 12% 25% 36% 8% 30% 4% 14%
Reported in First Minute 14% 18% 12% 16% 14% 12% 10% 10% 8% 11% 4% 4%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Phishing (by template)
Ignored Reported Reported in First Minute

24. © 2019 Ben Woelk
Phish First-minute
reports
First-minute
report rate
Reported Report Rate Ignored Ignore Rate
2019 03 Credit 15 14% 37 35% 102 97%
2019 03
Gloogle Doc All 12 12% 12 12% 101 99%
2019 03
Quarantine 10 10% 26 25% 104 99%
Sample Department Results

25. © 2019 Ben Woelk

26. © 2019 Ben Woelk
New Student Orientation

27. © 2019 Ben Woelk

28. © 2019 Ben Woelk
and…

30. © 2019 Ben Woelk

31. © 2019 Ben Woelk
Snapchat
Filters and
Geofencing

32. © 2019 Ben Woelk

33. © 2019 Ben Woelk
Discussion
•Should you gamify?
•What would you gamify?
•What would you not gamify?

34. © 2019 Ben Woelk
Ben.woelk@rit.edu
www.rit.edu/Security
34

35. © 2019 Ben Woelk
References• Jessica Barker, "The Human Nature of Cybersecurity," EDUCAUSE Review, May
20, 2019.
• Julianne Basinger, A Campus Culture of Cybersecurity, (Washington DC: The
Chronicle of Higher Education, 2019).
• Valerie Vogel, "Security Awareness Made Simple: 2019 Security Awareness
Campaign Materials," Security Matters (blog), EDUCAUSE Review, December
17, 2018.
• Ben Woelk, "Building a Culture of Digital Self Defense," Security Matters (blog),
EDUCAUSE Review, September 20, 2016.
• Ben Woelk, “Wind, Trees, and Security Awareness" Security Matters (blog),
EDUCAUSE Review, September 13, 2019.