

Online social engineering scams have been a problem in organizational security for decades. As technology becomes more sophisticated, the impact of these scams will only become harder to bear. Recent cybercrime statistics show that threat actors are seeing increasing success. For example, in 2023 alone, scammers stole more than AU$3 billion from Australian consumers, while the US Federal Bureau of Investigation (FBI) reported that Americans lost US$12.5 billion through internet crime in 2023.[1]
These are just 2 examples of the staggering cost of such scams, underscoring a growing trend and the escalating burden they place on organizations and consumers alike. The increase in the effectiveness of scams can be attributed to the fact that scammers are increasingly using sophisticated techniques, including artificial intelligence (AI)-powered tools, to make their attacks even more potent and difficult to detect. For example, deepfakes (fake videos or audio made using AI) are increasingly being used to deceive audiences and steal sensitive information. With these technologies, even the most cybersavvy can fall victim to social engineering techniques.
Enterprises are becoming increasingly aware of advanced phishing and social engineering attacks, recognizing that a strong cybersecurity awareness culture is essential for defending against these sophisticated threats. A positive cyberculture is one in which personnel consistently value, use, and appropriately protect organizational information and resources. Cultivating such a culture requires deliberate effort, but organizations can take several steps to embed cybersecurity awareness into their everyday operations and mindset.
Gamification of Cybersecurity Awareness Training
The Smithsonian Science Education Center published an article that provides insights into the benefits of gamification in education.[2] The article cites a study designed to measure the level of engagement students displayed when gamification was used in the classroom. The study demonstrated that a game-like atmosphere had a positive impact on students, increasing their productivity. Many of us, as children, were motivated to learn through classroom games and quizzes organized by our teachers. The same logic applies to cybersecurity education and training within organizations. The author has experienced the effectiveness of gamification methods in boosting participation and enthusiasm in cybersecurity awareness sessions. According to feedback from participants in the author’s sessions, the methods were engaging, and participants felt that they learned new concepts as a result of the exercises.
Several games have proven effective based on the author’s personal experience:
- Cybersecurity jeopardy—Adapted from the television quiz show from the 1960s. As on the TV show, a game board is presented in the form of a 4x4 grid. Each column (category) is labeled with a topic in cybersecurity (e.g., passwords, phishing, mobile security, ransomware, physical security, working remotely, social media, etc.). Under each column are 4 tiles with points increasing in value and difficulty. Upon selecting a tile, a clue appears. Teams must respond in the form of a question. If the response is correct, the team scores the points listed on the tile they selected. Teams alternate in selecting tiles, and the team with the most points wins.
- Cybersecurity blockbusters—In this exercise, teams answer cybersecurity-related questions to complete a path across or down a game board composed of hexagons.
- Cybersecurity escape room—This game involves placing participants in a room. Participants are tasked with discovering clues, solving cybersecurity puzzles, and accomplishing objectives within the room. Participants are allowed to exit the room when they have completed all the puzzles or time runs out.
Cybersecurity trivia questions or puzzles in weekly newsletters are also effective. The speed and number of responses can indicate how enthusiastic employees are about the activity.
Gamifying cybersecurity training enables participants to discuss cybersecurity concepts with peers, fostering a culture where employees feel comfortable discussing cybersecurity in their daily lives, out of the context of the game.
Engagement With Executives
To establish a consistent positive cyberculture across the organization, various executives across the enterprise must be aware of the organization’s risk appetite and have the right attitude toward cybersecurity. The tone of business leaders flows from the top down to their entire team. There are several ways to improve executive engagement:
- Cybersecurity incident simulation exercises—When conducted properly, these simulation exercises are the quickest way for senior executives to understand the possible impacts of a cybersecurity incident. In many cases, these exercises prompt valuable questions such as “What safeguards are present?” or “What controls can be deployed to further improve cybersecurity?” These questions bolster organizational security knowledge and help identify areas for improvement. As an example, at one of the author’s client organizations, a simulation exercise prompted senior executives to become actively involved in reviewing cybersecurity reports and metrics.
- Reporting of key risk indicators and key performance indicators—Executives will take note of key risk indicators (KRIs) and key performance indicators (KPIs) provided they are meaningful and not too technical (e.g., % downtime of a business application, % compliance with cybersecurity regulations). Good reporting should demonstrate how current metrics have shifted from past metrics and what goals management hopes to achieve. Metrics should be captured and verified by cybersecurity teams and reported periodically.
- Cyberrisk heat-mapping session—This technique is most successful in organizations where executives are aware of and understand technology and cybersecurity risk. A heat-mapping session is designed to bring together senior business leaders and cybersecurity threat intelligence experts. During the session, discussions are held to identify the top areas of cyberrisk for the enterprise. Heat-mapping sessions can educate executives on which cyberrisk to prioritize for mitigation and why.
When implemented consistently, these techniques and exercises can bolster executive engagement and improve the cyberculture within the enterprise.
Identify High-Risk Users
Several factors can be used to predict which users are more likely to fall victim to a phishing scam or social engineering (i.e., high-risk users). One factor is the department or function to which a user belongs. According to a Cyentia Institute study, customer service departments in organizations had the highest number of high-risk users.[3] The report provides several explanations for why this is the case, including that customer service personnel communicate with a wide range of customers, which leaves more room for employee error. Furthermore, customer service personnel usually work in an environment where time is limited and responses must be provided quickly. As a result, customer service personnel are more likely to click on malicious links sent by bad actors or to download malicious files.
An organization can identify high-risk users by enabling logging and using data analysis tools to detect anomalous patterns in employee behavior. Once identified, further controls can be implemented to secure high-risk users. For example, organizations can restrict high-risk employees’ access to sensitive resources, block access to file-sharing websites, block access to personal email accounts, restrict access to work hours only, or implement multifactor authentication (MFA) for accessing sensitive data.
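The following is an added example, not code from the article, of the log-driven approach just described: it scores users from a few constructed log lines (phishing-simulation clicks, file-share uploads, off-hours logins) and maps each flagged user to the controls listed above. The event names, signal weights, work hours, and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): timestamp user department event
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice customer_service phish_sim_click
2024-03-04T22:40:00 alice customer_service login
2024-03-05T10:05:00 alice customer_service fileshare_upload
2024-03-05T11:30:00 bob finance login
2024-03-05T11:45:00 bob finance phish_sim_report
2024-03-06T03:15:00 carol engineering login
"""
# Signal weights, work hours and the threshold are assumed values for this example.
WEIGHTS = {"phish_sim_click": 3, "fileshare_upload": 2, "offhours_login": 1, "phish_sim_report": -1}
WORK_HOURS = range(8, 19)   # 08:00-18:59 counts as work hours
HIGH_RISK_THRESHOLD = 4

def user_signals(log_text):
    """Count signals per user; a login outside WORK_HOURS is recorded as its own signal."""
    signals, dept = defaultdict(lambda: defaultdict(int)), {}
    for line in log_text.splitlines():
        ts, user, d, kind = line.split()
        if kind == "login" and datetime.fromisoformat(ts).hour not in WORK_HOURS:
            kind = "offhours_login"
        dept[user] = d
        signals[user][kind] += 1
    return signals, dept

def risk_score(sig):
    """Weighted sum of a user's signals; events without a weight (plain logins) add 0."""
    return sum(WEIGHTS.get(k, 0) * n for k, n in sig.items())

def recommended_controls(sig):
    """Map the signals seen to the hardening controls the article lists."""
    controls = ["require_mfa_for_sensitive_data", "restrict_sensitive_access"]
    if sig.get("fileshare_upload"):
        controls.append("block_file_sharing_sites")
    if sig.get("offhours_login"):
        controls.append("restrict_access_to_work_hours")
    return controls

def high_risk_users(log_text, threshold=HIGH_RISK_THRESHOLD):
    """Return {user: (department, score, controls)} for users at or above threshold."""
    signals, dept = user_signals(log_text)
    return {u: (dept[u], risk_score(s), recommended_controls(s))
            for u, s in signals.items() if risk_score(s) >= threshold}
```

With the sample data only alice crosses the threshold (one click, one off-hours login, one upload), while bob's reported phishing email lowers his score; in practice the weights would be tuned against the organization's own incident history.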
By identifying high-risk users and implementing controls to secure them, organizations demonstrate that they take every employee and their security seriously. As a result, individual employees, whether high-risk or not, gain an appreciation for their role in the organization's overall security. Ultimately, this step helps create a positive security culture at the enterprise, one where staff understand their role in cybersecurity and can discuss security issues with other employees without reservation.
Conclusion
A positive cyberculture is one in which personnel consistently value, use, and appropriately protect organizational information and resources. Cultivating such a culture requires deliberate effort to embed cybersecurity awareness into everyday operations and the mindset of employees. Cybersecurity professionals can play an integral role in cultivating a positive security culture by actively engaging with personnel across the enterprise and utilizing initiatives such as gamifying employee cyberawareness training, fostering active engagement with executives, and identifying high-risk users to make their efforts more effective. These initiatives must be tailored to the organization’s specific business needs, while remaining aware of the evolving threat landscape. Enterprises, regulators, and cybersecurity professionals are recognizing that a positive cybersecurity culture goes a long way to defending against sophisticated cybersecurity threats. By adopting the techniques and initiatives discussed in this article, organizations can ensure that their cybersecurity culture remains resilient in the face of an ever-changing digital landscape.
Endnotes
1 Australian Competition and Consumer Commission (ACCC), “ACCC Calls for United Front as Scammers Steal Over $3bn From Australians,” 17 April 2023; Federal Bureau of Investigation (FBI), Federal Bureau of Investigation Internet Crime Report 2023, USA
2 Smithsonian Science Education Center, “5 Benefits of Gamification,” 8 January 2015
3 Mimecast, High Risk Users and Where to Find Them
Syed Salman
Is a risk professional who specializes in technology, cybersecurity, and AI. Syed has been an auditor and consultant with Big4 professional services firms for more than 15 years and has served leading organizations in Asia, the Middle East, and the Oceania region. He recently joined a government entity and leads its information and communication technology (ICT) assurance unit, ensuring that internal policies and complex legislative requirements are consistently adhered to.