Try These Security Awareness Contests With Your Staff
Contests are a good way to motivate people. Many people love a good contest. Vince Lombardi, former head coach of the Green Bay Packers, understood this. He once said, “Winning isn’t everything. It’s the only thing.” After criticizing him for this statement, some of his critics put together a new kind of baseball league for children in a Texas community. “It was like the Little League – the same ball, same bat, same number of innings, same playing field – everything was the same except that they didn’t keep score. The idea was that there wouldn’t be any losers because nobody would know who won.” It lasted one and a half innings. After that, the kids went across the street to play sandlot ball where they could keep score.
The 3 P's of contests are: Planning, Prizes, and Promotion. A contest can be a simple prize draw or a competition with rules for entry and criteria for winning.
Contests can be used to ask questions, collect data, conduct research, inspire ideas, or drive traffic to your security intranet web site. Decide on the goal of your contest, then create a theme. Establish clear rules, including entry procedures and criteria for judging competition entries. You may need to consider country- or state-specific regulations: a permit may be required if the contest is open to the public and winners are chosen by a random draw.
If you run the contest on social media, such as Facebook, Twitter, or Google+, use applications (many are available) to administer the contest. To win, people may have to simply follow, retweet, or answer trivia questions. This type of campaign is often successful because of the ease of entering. Your security "brand" will benefit from the increased engagement.
Shiny prizes, such as the latest technology (e.g., an iPad) or money, have mass appeal. You may want to poll your audience to find out what would be valuable to them. Prizes don't have to be expensive to be valuable to your audience. Time off, lunch with the boss, gift certificates, shredders, security-themed T-shirts, mugs, certificates, and trophies all work. The prize could be intangible, for example, an honor - such as having the winner's name appear in the organization newsletter and on the intranet site. It could also be something that offers a lot of cachet to the winner. For example, on NPR’s “Wait, Wait, Don’t Tell Me” the prize is the voice of radio announcer Carl Kasell on the winner's home answering machine. As soon as the contest is over, announce the winner. That's when interest is
Get the word out about your contest. You can announce your contest with email, posts on your organization's security intranet site, and posters. You can Tweet it, enlist coworkers to help spread the word, put links to the contest on your social networks, and write press releases.
Security Awareness Contest Ideas
- What's That Number?
Post a number that relates to security and have people guess how the number relates to security. The number might be the number of password reset requests the Help Desk receives in a week, the number of malware-infested sites blocked by the corporate firewall, or the number of records exposed or dollars lost as a result of a breach experienced by a company in your industry.
- Catch the Red Team
A Red Team is a group of penetration testers that assess the security of an organization. This contest works by telling staff that a red team will be testing security (for example by making social engineering calls). Staff members who catch the red team and report the potential security violations win a prize. Often these contests result in identifying security vulnerabilities and sometimes in catching intrusion attempts by cyber criminals and not just the attempts of the red team.
- Nooo Face! Security Awareness Video or Photo (or photo caption) Contest
A contest such as the Annual Security Video Contest held by Educause, or Trend Micro's "Nooo! Face" Contest for photos that capture the feeling you get when you realize your precious data has vanished, destroyed by an online attack.
- Awareness Materials Contests
Award prizes and recognition for awareness materials by having a contest such as the annual contests held by FISSEA and ISC2's CyberExchange. FISSEA's contest has these categories: Awareness Posters, Motivational Items (trinkets - pens, stress relief items, T-shirts, etc.), Awareness Websites, Awareness Newsletters, and Role-Based Training & Education. The CyberExchange contest accepts posters, presentations, best practices, flyers, white papers, and more.
- Security Song, Jingle, and Verse Contests
These contests could be for the best security Haiku or Six Word Security Stories (similar to the Six Word Memoir Project by Smith Magazine that resulted in several books). Another option is to challenge people to rewrite the lyrics to a popular song. For example, James Callahan rewrote "The Monster Mash" to become a security-related parody called "The Security Mash." Lyrics included "He Had No Badge. He had no AC-cess badge." (An illustrated poster with the lyrics is available in our poster shop.)
- Enticing Email Headers
A contest where entries are email subject lines that would tempt people into opening a message they shouldn't, such as "Salary spreadsheet for Your Company" with an attached file named "salary.xls." Winners can be selected by judges or by popular vote on your security intranet site. Voting for winners can also be live at events, with audience members using "clickers" to vote.
- Best Security Analogy
Examples are "Passwords are like bubblegum: strongest when fresh; should be used by an individual, and not a group; if you leave them lying around, you'll create a sticky mess..." and "Backups are like flossing: everyone knows it's important, but few devote enough thought or energy to it."
- Top Ten Lists
Award a prize for the best Security Top Ten list. Examples are the Top Ten Places Not to Hide Your Password (such as written with a permanent marker on a light bulb in the office lamp, on a white board, as a tattoo) and Top Ten Security Headlines We'll Never See such as, "White House Painted Purple to Confuse Terrorists" or "Courts Close Due to Lack of Lawsuits over Security Breaches."
- Fact or Fiction
Present facts and altered facts from news articles and white papers on security and ask people to determine if they are Fact or Fiction.
- White Hat Bug Bounty
Offer a bounty for security bugs or suggestions - for example, Microsoft's BlueHat Prize Contest or Facebook's White Hat program, which awards a customized "White Hat Bug Bounty Program" Visa debit card to people for reporting security holes on the social-networking site. The cards, worth as much as $5,000, can be used to make purchases, just like a credit card, or to create a PIN and take money out of an ATM.
- Jigsaw Pieces Contest
This contest involves players locating pieces of a jigsaw that have been placed on various pages of your security intranet website.
- Security Stories Contest
Invite people to share their security stories. For example, how a person was affected by identity theft, or how someone refused to share personal data when it wasn't necessary to do so, such as when a healthcare provider's form asks for a social security number. The emotional content makes stories prime material for sharing.
- Security Trivia Contest
This contest contains questions about security, for example, "What color is Whitfield Diffie's hair?" (...or who is Whitfield Diffie and why is he important to security?) "What was the name of the 1983 movie where Matthew Broderick played a young hacker who gained access to a government nuclear war simulator?" (War Games) Or, for more technically-advanced audiences, "What type of attack against database-driven applications involves the intruder manipulating a site's Web-based interfaces to force the database to execute undesirable code?" (SQL injection.) Or, "What hardware protocol caused the vulnerability where a Firewire device, when plugged in, can overwrite anywhere in memory?" (DMA or Direct Memory Access.)
- Cryptography Challenge
Publicize an encrypted message and challenge people to decrypt it. As an example, author Simon Singh included a Cipher Challenge - a set of ten encrypted messages found at the end of The Code Book (a history of codes and code breaking). The Cipher Challenge incorporated these principles: (1) 10 stages of increasing difficulty so that everybody can take part in at least a few of the stages. (2) A chronological series of cipher techniques: classic substitution, Caesar cipher, homophonic substitution, Vigenère cipher, book cipher, Playfair cipher, ADFGVX cipher, Enigma cipher, and two computer ciphers known as DES and RSA. (3) A variety of languages, each appropriate to the cipher. For example, in stage 2 a Latin message was encrypted with the Caesar cipher, and in stage 4 a French message was encrypted with the Vigenère cipher.
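An added example, not from the article or from The Code Book, of how an awareness team could build its own staged challenge along the lines described above: a Caesar stage followed by a Vigenère stage, with a checker for submitted answers. The messages, shift, and key are constructed sample values.

```python
# Added example: generate a two-stage cipher challenge (Caesar, then Vigenère)
# in order of increasing difficulty, and check contestants' answers.
# The plaintexts, shift and key below are constructed sample values.
import string

ALPHA = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère: each letter is shifted by the matching key letter; the key
    advances only on letters, so spaces and punctuation do not desync it."""
    out, i = [], 0
    key = key.upper()
    for ch in text.upper():
        if ch in ALPHA:
            k = ALPHA.index(key[i % len(key)])
            k = -k if decrypt else k
            out.append(ALPHA[(ALPHA.index(ch) + k) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def build_challenge() -> list:
    """Stages in historical order of the ciphers; each stage keeps its
    plaintext (constructed sample messages) so answers can be checked."""
    plain1 = "REPORT SUSPICIOUS EMAIL TO THE HELP DESK"
    plain2 = "NEVER SHARE YOUR PASSWORD WITH ANYONE"
    return [
        {"stage": 1, "cipher": "Caesar", "ciphertext": caesar(plain1, 3), "answer": plain1},
        {"stage": 2, "cipher": "Vigenere", "ciphertext": vigenere(plain2, "AWARENESS"), "answer": plain2},
    ]


def check_answer(stage: dict, guess: str) -> bool:
    """Compare a submission to the stage's plaintext, ignoring case and spacing."""
    norm = lambda s: "".join(s.upper().split())
    return norm(guess) == norm(stage["answer"])
```

Publish only the `ciphertext` of each stage; keep the `answer` field on the judging side.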
If you have an idea for a security awareness contest and would like to see it added to this page, please send it to firstname.lastname@example.org. We'll give you credit on this page.
Security Awareness Contests
Article by K Rudolph, CISSP © Native Intelligence, Inc.