The Gamification of Data Loss Prevention: Educating and Enabling Employees with DLP
Applying gamification concepts to your DLP policies can transform a traditional DLP deployment into a fun, educational and engaging employee experience.
At the 2016 RSA Conference in San Francisco I gave a presentation called "The Gamification of Data Loss Prevention." It described a new concept we came up with at Digital Guardian that can be applied at any company currently running a DLP solution in its environment.
Whether through malicious behavior or inadvertent error, employees and other end users are arguably the point at which sensitive data and systems are at greatest risk; the 2015 Verizon DBIR attributes fully 50% of data loss incidents to insiders. This needs to be addressed, but the traditional approach to protecting sensitive data with DLP technology relies on policies and controls that focus exclusively on "punishing" the end user and blocking activities deemed non-compliant. That is the current paradigm for the relationship between security professionals and end users, and it ensures that their generally negative attitudes towards one another persist.
At Digital Guardian, we decided to flip this paradigm on its head by creating a fun and interactive way for employees to learn about handling sensitive data properly.
What is Gamification?
According to Gabe Zichermann, a thought leader in the field of gamification, gamification is the process of engaging people and changing behavior using game mechanics in a non-game context: taking what is fun about games and applying it to situations that are not so fun.
The application of game-design elements (point scoring, competition with others, social badges, rules of play and so on) in non-game contexts is now common in the workplace. Salesforce.com, for example, offers no fewer than two dozen gaming applications in its AppExchange for increasing sales engagement and performance, and the results have borne out their effectiveness.
As for security, it seems the only attempts at gamification so far have been in security awareness training. That approach has been shown to increase engagement in the training session itself, but it falls short of delivering real data protection because the "training game" is not incorporated into the employee's job or regular workday tasks. We wanted to change this.
Gamifying Data Loss Prevention: Introducing DG Data Defender
We created our own game for Data Loss Prevention, DG Data Defender, by modifying policies, controls, user prompts, reporting and email alerts.
The objectives of Data Defender were to:
- Address the lack of awareness and individual employee accountability regarding data loss prevention and, ultimately, change long-term behavior.
- Establish a new data protection "language" and encourage open dialogue about data loss prevention.
- Engage end users. Data loss prevention is seen as a dry topic, so we established dynamic, fun and engaging user communications about their positive behaviors.
- Measure its effectiveness at reducing real data risk.
The overall game premise included the following:
- Make users aware: encourage every employee to make good sensitive data handling decisions and follow published data protection policies.
- Get them engaged: encourage users to display their badges in their workspace (e.g. printing them and posting them in their cubicle), in e-mail signatures, etc., and engage managers to recognize good behavior by publishing a monthly Data Defender Leaderboard.
- Reward good behavior: provide users the opportunity to earn a series of badges to acknowledge their data protection accomplishment(s) and offer modest prizes once key data protection milestones are met.
Employees were awarded badges for completing certain tasks. For example, on sending their first e-mail without triggering a policy violation, an employee was awarded the Baby Data Defender badge, which appeared in the form of a user prompt.
The prompt was followed up with a printable PDF version of the badge, emailed automatically from the DLP system to the end user (ideally to be displayed in their workspace).
Another example is the King's Guard of the Crown Jewels badge, awarded the first time a user takes data from a secure shared drive and correctly stores it back on the secure shared drive. The user is thereby notified that they have successfully used and managed sensitive data and taken the proper steps to return it to its secure location.
After obtaining a certain number of badges, users could be rewarded with a gift card to encourage ongoing participation and learning.
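To make the badge mechanics above concrete, here is an added example of a small badge-awarding engine that runs over a stream of DLP events. It is illustrative code written for this article, not Digital Guardian's product logic: the event schema (user, action, violation, src, dst, doc), the secure-share path, the user addresses and the sample events are all constructed assumptions. It implements the two badges described above (first clean e-mail; secure-share data read and written back to the secure share), awards each badge once per user, produces the prompt and PDF e-mail notification, and builds the monthly leaderboard from badge counts.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed location of the "crown jewels" share (hypothetical UNC path).
SECURE_SHARE = "\\\\fs01\\secure\\"

# Constructed sample DLP events in an assumed, normalised shape.
# "doc" is an assumed per-document identifier the DLP agent attaches to a
# file so a read and a later write of the same content can be correlated.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "email_sent", "violation": True},   # blocked send
    {"user": "alice", "action": "email_sent", "violation": False},  # first clean send
    {"user": "bob",   "action": "email_sent", "violation": False},
    {"user": "alice", "action": "email_sent", "violation": False},  # no second badge
    {"user": "bob",   "action": "file_read",  "src": r"\\fs01\secure\m&a\deal.xlsx", "doc": "d1"},
    {"user": "bob",   "action": "file_write", "dst": r"\\fs01\secure\m&a\deal-v2.xlsx", "doc": "d1"},
    {"user": "carol", "action": "file_read",  "src": r"\\fs01\secure\hr\salaries.xlsx", "doc": "d2"},
    {"user": "carol", "action": "file_write", "dst": r"C:\Users\carol\Desktop\salaries.xlsx", "doc": "d2"},
]


@dataclass
class UserState:
    badges: list = field(default_factory=list)
    # doc ids the user has taken from the secure share and not yet written anywhere
    secure_docs_in_hand: set = field(default_factory=set)


def is_secure_path(path):
    return path.lower().startswith(SECURE_SHARE.lower())


def rule_baby_defender(state, ev):
    """Baby Data Defender: an e-mail sent without a policy violation."""
    return ev["action"] == "email_sent" and not ev["violation"]


def rule_kings_guard(state, ev):
    """King's Guard of the Crown Jewels: data read from the secure share and
    written back to the secure share. The first write decides the outcome, so
    a copy saved to the desktop first (carol) does not earn the badge."""
    if ev["action"] == "file_read" and is_secure_path(ev["src"]):
        state.secure_docs_in_hand.add(ev["doc"])
        return False
    if ev["action"] == "file_write" and ev.get("doc") in state.secure_docs_in_hand:
        state.secure_docs_in_hand.discard(ev["doc"])
        return is_secure_path(ev["dst"])
    return False


BADGES = [
    ("Baby Data Defender", rule_baby_defender),
    ("King's Guard of the Crown Jewels", rule_kings_guard),
]


def make_notification(user, badge):
    """The user prompt plus the follow-up e-mail carrying the printable badge."""
    prompt = f"Congratulations {user}, you earned the '{badge}' badge!"
    email = {
        "to": f"{user}@example.com",          # assumed address scheme
        "subject": f"Data Defender badge: {badge}",
        "attachment": f"{badge}.pdf",
    }
    return {"prompt": prompt, **email}


class DataDefenderGame:
    def __init__(self):
        self.users = defaultdict(UserState)
        self.notifications = []

    def process(self, ev):
        """Evaluate every badge rule against one DLP event; return new awards."""
        state = self.users[ev["user"]]
        awarded = []
        for name, rule in BADGES:
            if name in state.badges:      # each badge is earned only once
                continue
            if rule(state, ev):
                state.badges.append(name)
                awarded.append(name)
                self.notifications.append(make_notification(ev["user"], name))
        return awarded

    def leaderboard(self):
        """Monthly leaderboard: (user, badge count), most badges first."""
        rows = ((u, len(s.badges)) for u, s in self.users.items())
        return sorted(rows, key=lambda r: (-r[1], r[0]))


def run_game(events):
    game = DataDefenderGame()
    awards = [game.process(ev) for ev in events]
    return awards, game.leaderboard(), game.notifications


if __name__ == "__main__":
    awards, board, notes = run_game(SAMPLE_EVENTS)
    for ev, a in zip(SAMPLE_EVENTS, awards):
        print(ev["user"], ev["action"], "->", a)
    print("Leaderboard:", board)
```

Two design points worth noting when adapting this. First, the leaderboard counts only badges earned, consistent with communicating positive behavior rather than publishing who triggered violations. Second, a rule that rewards the absence of a violation (the first badge) also rewards people who simply never touch sensitive data, so pair it with rules like the second one that require the user to handle sensitive data correctly.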
For more on how to add gamification scenarios to your existing DLP program – with no extra cost or security resources required – watch our webinar on demand, Call of Duty: DLP - The Gamification of Data Loss Prevention.