Information Security Awareness, Training and Motivation — Native Intelligence, Inc.

Security Awareness Contests

People like to win and most love a good contest. That's why running a security awareness contest is a great idea. The 3 P's of contests are: Planning, Prizes, and Promotion. A contest can be a simple prize draw or a competition with rules for entry and criteria for winning.

Here are some contest ideas:

  • What's That Number? Post a number that relates to security and have people guess how the number relates to security. The number might be the number of password reset requests the Help Desk receives in a week, the number of malware-infested sites blocked by the corporate firewall, or the number of records exposed or dollars lost as a result of a breach experienced by a company in your industry.
  • Catch the Red Team - A Red Team is a group of penetration testers that assess the security of an organization. This contest works by telling staff that a red team will be testing security (for example by making social engineering calls). Staff members who catch the red team and report the potential security violations win a prize. Often these contests result in identifying security vulnerabilities and sometimes in catching intrusion attempts by cyber criminals and not just the attempts of the red team.
  • Security Awareness Video or Photo (or photo caption) Contest, such as the Annual Security Video Contest held by Educause or Trend Micro's "Nooo! Face" Contest, for photos that capture the feeling you get when you realize your precious data has vanished, destroyed by an online attack.
  • Awareness Materials Contests - Award prizes and recognition for awareness materials by having a contest such as the annual contests held by FISSEA and ISC2's CyberExchange. FISSEA's contest has these categories: Awareness Posters, Motivational Items (trinkets - pens, stress relief items, T-shirts, etc.), Awareness Websites, Awareness Newsletters, and Role-Based Training & Education. The CyberExchange contest accepts posters, presentations, best practices, flyers, white papers, and more.
  • Security Song, Jingle, and Verse Contests - These contests could be for the best security Haiku or Six Word Security Stories (similar to the Six Word Memoir Project by Smith Magazine that resulted in several books). Another option is to challenge people to rewrite the lyrics to a popular song. For example, James Callahan rewrote "The Monster Mash" to become a security-related parody called "The Security Mash." Lyrics included "He Had No Badge. He had no AC-cess badge." An illustrated version of the Security Mash is here.
  • Enticing Email Headers - A contest where entries are headers that would tempt people into opening an email that they shouldn't, such as "Salary spreadsheet for Your Company" with an attached file named "salary.xls." Winners can be selected by judges or by popular vote on your security intranet site. Voting for winners can also be live at events, with audience members using "clickers" to vote.
  • Best Security Analogy - Examples are "Passwords are like bubblegum: strongest when fresh; should be used by an individual, and not a group; if you leave them laying around, you'll create a sticky mess..." and "Backups are like flossing: everyone knows it's important, but few devote enough thought or energy to it."
  • Top Ten Lists - Award a prize for the best Security Top Ten list. Examples are the Top Ten Places Not to Hide Your Password (such as written with a permanent marker on a light bulb in the office lamp, on a white board, as a tattoo) and Top Ten Security Headlines We'll Never See such as, "White House Painted Purple to Confuse Terrorists" or "Courts Close Due to Lack of Lawsuits over Security Breaches."
  • Fact or Fiction - Present facts and altered facts from news articles and white papers on security and ask people to determine if they are Fact or Fiction.
  • Offer a Bounty for Security Bugs or Suggestions - For example, Microsoft's BlueHat Prize Contest or Facebook's White Hat program, which awards a customized "White Hat Bug Bounty Program" Visa debit card to people for reporting security holes on the social-networking site. The cards, worth as much as $5,000, can be used to make purchases, just like a credit card, or to create a PIN and take money out of an ATM.
  • Jigsaw Pieces Contest - This contest involves players locating pieces of a jigsaw that have been placed on various pages of your security intranet website.
  • Security Stories Contest - Invite people to share their security stories. For example, how a person was affected by identity theft, or how someone refused to share personal data when it wasn't necessary to do so, such as when a healthcare provider's form asks for a social security number. The emotional content makes stories prime material for sharing.
  • Security Trivia Contest - This contest contains questions about security, for example, "What color is Whitfield Diffie's hair?" (...or who is Whitfield Diffie and why is he important to security?) "What was the name of the 1983 movie where Matthew Broderick played a young hacker who gained access to a government nuclear war simulator?" (War Games) Or, for more technically-advanced audiences, "What type of attack against database-driven applications involves the intruder manipulating a site's Web-based interfaces to force the database to execute undesirable code?" (SQL injection.) Or, "What hardware protocol caused the vulnerability where a Firewire device, when plugged in, can overwrite anywhere in memory?" (DMA or Direct Memory Access.)
  • Cryptography Challenge - Publicize an encrypted message and challenge people to decrypt it. As an example, author Simon Singh included a Cipher Challenge - a set of ten encrypted messages found at the end of The Code Book (a history of codes and code breaking). The Cipher Challenge incorporated these principles: (1) 10 stages of increasing difficulty so that everybody can take part in at least a few of the stages. (2) A chronological series of cipher techniques: classic substitution, Caesar cipher, homophonic substitution, Vigenère cipher, book cipher, Playfair cipher, ADFGVX cipher, Enigma cipher, and two computer ciphers known as DES and RSA. (3) A variety of languages were used, each language being appropriate to the cipher. For example, in stage 2 a Latin message was encrypted with the Caesar cipher, and in stage 4 a French message was encrypted with the Vigenère cipher.

Planning

Contests can be used to ask questions, collect data, conduct research, inspire ideas, or drive traffic to your security intranet web site. Decide on the goal of your contest, then create a theme. Establish clear rules, including entry procedures and criteria for judging competition entries. You may need to consider your country or state-specific regulations. Some contests and competitions may require a permit if they are open to the public and the competition is a random chance draw.

If you run the contest on social media, such as Facebook, Twitter, or Google+, use applications (many are available) to administer the contest. To win, people may have to simply follow, retweet, or answer trivia questions. This type of campaign is often successful because of the ease of entering. Your security "brand" will benefit from the increased engagement.

Prizes

Shiny prizes, such as the latest technology (e.g., an iPad) or money, have mass appeal. You may want to poll your audience to find out what would be valuable to them. Prizes don't have to be expensive to be valuable to your audience. Time off, lunch with the boss, gift certificates, shredders, security-themed T-shirts, mugs, certificates, and trophies all work. The prize could be intangible, for example, an honor - such as having the winner's name appear in the organization newsletter and on the intranet site. It could also be something that offers a lot of cachet to the winner. For example, on NPR’s “Wait, Wait, Don’t Tell Me” the prize is the voice of radio announcer Carl Kasell on the winner's home answering machine. As soon as the contest is over, announce the winner. That's when interest is the highest.

Promotion

Get the word out about your contest. You can announce your contest with email, posts on your Security intranet site, and posters. You can Tweet it, enlist coworkers to help spread the word, put links to the contest on your Facebook Page, and write press releases.
