Client: CIO Platform NederlandEvery organisation owns information that needs to be protected. If this information were to end up in the wrong hands, it could lead to large (economic) damage or dangerous situations. In today’s world, the risk of information security incidents – such as an attack by cyber criminals – is constantly increasing. Studies show that employees and management are often unaware of their ‘insecure’ behaviour. The CIO Platform Netherlands (the independent organisation of the people with final responsibility for digitalisation and/or ICT of large private and public organisations in the Netherlands) decided to do something about this. With input from nearly forty members and in collaboration with IJsfontein, CIO Platform Netherlands created a co-op turn-based game that makes employees aware of security risks.
The game in short
Elevator is a puzzle game that is not about learning rules. It is about discovering risks before an incident occurs. The player takes the role of a secret agent in the field of cyber and data security. The agent exposes the weaknesses of an organisation by cracking the security and reaching the elevator. To do this, the player must not only take advantage of the technical options, but he/she must also manipulate other people. Therefore, players always work in pairs. One of the players is good with computers and the other is socially inventive. Both require each other to complete the mission.
The conversation gets going
The aim of the game is to bring discussions about cyber security to the forefront and to alert and motivate employees to talk to each other about ‘insecure’ behaviour. Because you always play the game in pairs, the conversation naturally gets going. Even outside the game; by the coffee machine, for example. The game already proved to be successful during the test phase. There was more involvement with the subject and the conversation between employees came naturally. The organisations who already play the game can confirm this.
Because there are many stakeholders involved in this project and the game is played by a diverse target group, we chose to first implement a comprehensive analysis phase. During this phase, we conducted surveys, created focus groups and interviewed experts.
The aim of this comprehensive analysis was to research whether there were common denominators within the various target groups on the basis of which a game could be created. It soon became clear that one important common denominator was that the target group had little or no understanding of why it is dangerous to face the issue of cyber security in a careless way. Employees, often mistakenly (and unconsciously), think that their data is ‘secure’.
On the basis of the results, we decided that the game shouldn’t be about rules but more about awareness; an alert attitude. The analysis phase was concluded with the development of a paper prototype that could be used for testing.
‘Throughout the development process there was an intensive collaboration between professionals from the participating organisations, representatives of the target groups and the designers and creators of the game. This led to the development of a game that is broadly supported and the contents of which are of unparalleled quality in terms of cyber and data security. Furthermore, the entire project was also a kind of training project. Everyone learned a lot!’ Foppe Vogd, programme director and project leader of the game and CIO Platform Netherlands.
Whatever the quality of a game is, the ease of implementation determines its success. Therefore, implementation is an important topic from the start. Every organisation in which the game is introduced forms a ‘game action team’. This team is responsible for the implementation within their own organisation. The team can make use of a comprehensive communication kit, including a framework for a plan of action, posters and inspiring communication examples. In short: maximum efficiency with minimal effort.
The most tangible result of the game is the increase in the number of reports of suspicious cases and insecure situations to the safety supervisor. In practice, this does not mean that there are actually more suspicious and insecure situations, but instead that employees are generally more alert. People now recognise the purpose of the game in advance. Furthermore, the diversity of reports is also a good indicator. Before the introduction of the game, most reports were about suspicious emails from unknown senders. Now people look beyond suspicious emails and recognise more potential risks than they did before.
Some notable figures
- The conversion of registration for completing level 1 is up to 200% for some organisations. This means that, on average, every player has completed level 1 two times. An exceptional achievement for a puzzle game. Because there are different roles (with different options in the game) and a level can be solved in a multitude of ways, it becomes especially interesting to play the game more often.
- The percentage of registered players that have completed all available levels ranges up to 76%. This is a high percentage (on average it is approx. 30%). Especially for a game that requires several days of your time. The co-op turn based aspect of the game stimulates players to continue playing.
- For each level, on average, a turn is passed on nine times from one player to the next. This is more often than necessary. It shows that people are actively collaborating to solve the levels.
Want to participate?
At present, the game has been introduced (rolled out or in implementation phase) within nearly fifty organisations, including government, multinationals and Dutch companies. The reactions are unanimously positive; on average receiving scores of 8 out of 10 or higher.
“Elevator is the perfect way to alert employees to security issues without patronising them.”
“The coolest project I’ve ever worked on. I can’t wait until we go live and colleagues get to play it!”
Want to participate? The Elevator game is licensed in both English and Dutch. Feel free to contact us for more information or a demo account.
What can we do for your organization? Contact us at firstname.lastname@example.org or +31 (0)20 33 00 111.