For four years now, the protection of personal data has been a focus for companies that process and store this information.
Herbert Abben, Director DACH at the SANS Institute
Four years after the introduction of the GDPR, companies should rely on security awareness training, in addition to the much-cited data protection aspects, to protect this data. These training courses help employees not only to understand the legal regulations but also to implement them in everyday work. Guidelines are important and correct, but in the long term a company culture that promotes data protection without perceiving it as an obstacle is also needed. Security awareness can promote this as well. However, this requires regular training sessions with exercises that are best prepared in a playful way. In addition to the repetition, the gamification effect should not be underestimated. Applying game and design techniques to the whole concept of security awareness, in the form of a competition, can also convey privacy-relevant information. An example of such a playful approach is the “Leader Board”. Here, for example, the score in quiz games could be used to measure how many months employees have gone without falling victim to phishing attacks. The employees then compete to “take the lead”.
Another option is badges. There are performance badges for the various courses or levels of training that employees complete. For achievements, a points or currency system can be introduced, for example. The more points employees accumulate, the more they can do with them (for example, buy corporate gifts, team dinners, etc.). Employees can earn points by completing further training courses, reading newsletters, answering questions about security awareness and data protection, helping others to protect themselves, etc. If participants are given the opportunity to exchange, share and give away points, this can also strengthen team spirit. Challenges between users or even departments to strengthen security awareness are another example. The goal is not to create games for training security awareness, but to make training security awareness and changing behaviors a fun game.