How To Gamify Cyber Security At Your Workplace — By Running a Cyber Scavenger Hunt

Victoria Schiffer
Published in SEEK blog, Nov 25, 2020

A new gamified security activity made its way into Cyber Awareness Month 2020 at SEEK — a Cyber Scavenger Hunt for all employees across Asia-Pacific as a fun way to gain new security insights as well as test their security awareness skills.

“Scavenger hunts are a fun and engaging way to train your workforce on key security behaviors, policies, or resources. They are low cost, customizable and scalable, require very few technical resources, and can be great fun. [They] are similar to Capture the Flag (CTF) events. However, instead of capturing flags your goal is to solve a series of clues by finding answers across the Internet.” (SANS)

Internal scavenger hunt promotion

Inspiration to run our own Cyber Scavenger Hunt came from the SANS Global Awareness Scavenger Hunt in July 2020, right on time for us to utilise the idea for Cyber Awareness Month of October. We closely collaborated with the Victorian Department of Premier and Cabinet’s Cyber Security Unit to create an even better outcome for both our colleagues and the broader security community through a plan to open source the Cyber Scavenger Hunt in the near future.

Inspiring Positive Change

One of the objectives of Security Awareness Education is to provide knowledge in a way that inspires positive change in people’s security behaviours. BJ Fogg’s behaviour model “shows that three elements must converge at the same moment for a behavior to occur: Motivation, Ability, and a Prompt. Motivation is your desire to do the behavior. Ability is your capacity to do the behavior. And Prompt is your cue to do the behavior. When a behavior does not occur, at least one of those three elements is missing.” (Minds for Change)

BJ Fogg’s Behaviour Model: B = MAP
Fogg Behaviour Model (BJ Fogg, behaviormodel.org)

The scavenger hunt itself serves as the prompt, and making it easy for everyone to do caters to the ability aspect of Fogg’s behaviour model. Its gamified nature serves as motivation to participate, and the chance to win prizes adds an additional challenge for those who enjoy a little competition.

“It was a really fun and engaging way to expose us to this information. I found myself reading way past what I had to in order to answer questions. Super interesting and informative.”

To provide a good experience and increase the chance of the information sticking, we embedded various resource types, from text, videos and podcasts to more interactive online tools and even a phishing game for people to test and improve their skills.

Videos embedded in our scavenger hunt made for a more engaging experience

Creating Principles for Our Scavenger Hunt

As good Security practitioners, we created some principles to guide our approach for the Cyber Scavenger Hunt:

  1. Make it fun and engaging
    (variety of resources and answer types, videos that make people laugh)
  2. Provide a learning activity for every employee
    (previous knowledge or technical skills not required)
  3. Make it easily accessible, yet secure
    (regions, tools)
  4. Apply fairness and integrity to prizes
    (offer cross-region prizes, drawing winners)
  5. Offer reach and usability over sophistication
    (no gates to progress to different levels)
  6. Make the clues inclusive across the regions where possible & practicable*
    (relevance of questions, language)
  7. Design it with open source in mind
    (provide Security Awareness benefits to the wider Security community)

* We came across two challenges: translating these subject matter topics into different languages, and finding relevant resources in the different regions. Given our short lead time until Cyber Awareness Month, we made the conscious decision that this principle wasn’t practicable for SEEK’s 1st Cyber Scavenger Hunt.

Structuring the Clues in Tiers

Our scavenger hunt had 3 tiers of questions, each tier increasing in involvement to solve all clues. Despite making all tiers optional, 100% of our submissions ended up containing answers to all 3 tiers.

The tiers contained clues across the following security areas:

  • Social Engineering
  • Phishing
  • Device and Password Security
  • Cyber Threats
  • Cyber Support Resources.

Awareness areas were chosen based on a variety of local and global resources, outlining the top key issues, vulnerabilities and scams facing people (especially during a pandemic). These security areas are broad, so selecting high risk categories helped shape the learning outcomes by introducing people to terminology and threats faced online.

Each question served as the clue itself as well as a little nugget of learning before even hunting for the answer. (See here for a sneak peek into our Tier 2 clues).

Example of a question that was both the clue as well as a little nugget of learning

Like the tiers, all questions were optional, in keeping with our principle “Reach and usability over sophistication”. We wanted to ensure everyone had the chance to participate in as many questions as they were interested in.

At the end of the scavenger hunt we invited people to rate their experience and provide feedback through 2 questions.

Questions we asked to gather feedback for improvement

Running the Scavenger Hunt

After designing and testing the scavenger hunt questions, we were ready to roll it out to the business for Cyber Awareness Month. Our scavenger hunt ran for 1 ½ weeks, giving people enough time and focus to participate.

After the submission period we analysed all submissions, filtered the ones with correct answers and drew the 2 respective winners per tier from Asia and from Australia/New Zealand. The winners were announced and celebrated on the intranet as well as on our internal communications platform.

An example of the voucher to celebrate our winners

So How Did It Go?

We were happy to see about a 2% participation rate from 8 unique locations across Asia Pacific, with every participant choosing to complete all 3 tiers of clues. Even though we had hoped for a higher participation rate, we gained a lot of insights for improvement, which we will factor into our open source guide for the Cyber Scavenger Hunt.

Here are the stats:

  • 3,120 minutes total time participants spent completing this Security Awareness activity
  • 69 Net Promoter Score
  • 52 submissions
  • 47 individuals provided feedback
  • 34 people are keen to get involved in improving our company’s security culture
  • 31 clues over 3 tiers
  • 8 unique locations across Asia Pacific
  • 6 winners
  • 4 different locations across Asia Pacific amongst our 6 winners
  • 1 hour average effort per participant over the 3 tiers

What Did Our Participants Say About Their Experience?

Most of the people who submitted their results enjoyed the scavenger hunt, leading to a Net Promoter Score (NPS) of 69, just 1 shy of an overall rating of “excellent”. We’re pretty happy with the result for our first Cyber Scavenger Hunt.

“It’s a challenging and fun experience because I love to solve some problems or any mystery or puzzles.”

“I really enjoyed the content and media. It provided security training in a fun way.”

“Incidentally, your scavenger hunt (which I thought was brilliant), helped me realise that that’s what I really want to do — I enjoyed it so much that it encouraged me to enrol in a cyber security course and I’ve been studying each evening ever since.”

But we can do better! In addition to hearing our colleagues’ positive experiences with the Cyber Scavenger Hunt, we appreciated the feedback which gave us clarity on the biggest areas for improvement: the time it takes to do the scavenger hunt, due to the large number of clues we chose to include, and the relevance of some of the Australian security resources for our colleagues in Asia. We will feed these valuable insights into our next scavenger hunt, and more importantly into our ongoing work to open source the Cyber Scavenger Hunt to the wider Security community.

The biggest insight for us was that our initial hypothesis was somewhat invalidated: that people would be motivated enough by the gamified activity and the prizes to dedicate 30–60 minutes of their time to work through our 30 engaging clues. We may also have been biased by the variety of clues across different security awareness areas that we created for the open source Cyber Scavenger Hunt question catalogue. Given this, we recommend reducing the number of clues in a scavenger hunt, and using the clues more frequently in your Security Awareness program.

Using the Scavenger Hunt Clues for Ongoing Security Awareness Micro-Comms

One of the ideas that came out of our scavenger hunt endeavours is to use the gamified approach for more frequent nudges to employees. This can be anywhere from running it once every quarter on specific awareness topics to micro comms every other week via newsletters, emails or messages.

Designing with Open Source in Mind

One of our objectives was to design this engaging activity with the goal of open sourcing it to the wider Security community. Whilst this is still a work in progress, our hypothesis is that this will enable companies of differing sizes to run their own Cyber Scavenger Hunt with little effort and budget.

Our collaboration with the Victorian Department of Premier and Cabinet’s Cyber Security Unit enabled us to consider insights from different environments for the development of the questions and structure of our open source scavenger hunt, from a public Government agency as well as a private Technology company.

The biggest milestone for open sourcing was creating a catalogue of Cyber Security Awareness clues. This included correct answers, recommended answer types and most importantly a goal for each clue. We wanted to ensure that the awareness areas provided the right security insights i.e. the ones you’d like your teams to walk away knowing more about.

Extract from our Cyber Scavenger Hunt question catalogue

Want to Participate?

We’re still working on open sourcing the scavenger hunt. If you’d like to participate in a pilot, please comment below or reach out & we’ll be in touch. What we’d ask for is a willingness to provide feedback on your experience of customising it for your environment.

A Team Effort

A big thanks to a great team who worked hard and brought in a lot of passion and creativity to put this engaging experience together for our colleagues, and hopefully soon to the wider Security community. Thanks to my core team mates Rebekah De Iulio, Yianna Paris, Daisy Wong and Lorena Gibson. And another big thanks to Shamini Sugananthan and Shehmala Lachumanan for ensuring a joint experience for our colleagues in SEEK Asia, as well as Liam Connolly & John O’Driscoll for sponsoring this initiative and joining in the passion for sharing our work more widely.
