Fun Ways to Change Behavior and Improve Security

Fun can act as positive reinforcement for security behaviors—more powerful than negative reinforcement. Ideas include rewarding badge swipes with jokes, entering complex password users in raffles, testing policy knowledge with prize quizzes, and using comic strips for security awareness messaging.

How can we use fun as a motivator for changing the behavior of computer users to improve information security? I started thinking about this after I read about the Fun Theory project, “dedicated to the thought that something as simple as fun is the easiest way to change people’s behaviour for the better.”

Non-Security Examples

One of the project’s experiments influenced people to take the stairs instead of the elevator by turning the stairway into a musical piano keyboard. Take a look at this 2-minute video:

Another experiment encouraged drivers to wait at the traffic light by displaying trivia when the red light was on. Another motivated people to throw trash into a bin, rather than on the floor, by emitting funny sounds when objects were placed into the receptacle.

In these examples, fun acts as positive reinforcement, which is often more powerful than negative reinforcement in changing behavior.

Ideas for Security Scenarios

Here are a few ideas that came to mind for using fun as a motivator to improve information security:

If tailgating is a problem, reward people for closing the door behind them by announcing a fun fact or speaking a one-line joke (using recordings).
Such rewards might also work when encouraging people to swipe their badge at the door, rather than walking behind someone.
Encourage people to check the SSL certificate of the web server by having the browser display a funny picture or a trivia note as part of the certificate properties dialog box.
Reward people who select complex passwords by automatically entering them in an office raffle.
Encourage people to report security concerns to the help desk by rewarding them with raffle tickets.
Make security awareness training sessions less boring by using fun graphics, personally-relevant facts and an engaging presentation style.
Test employees’ knowledge of security policies with short quizzes, where winners receive awards.
Use comic strips and fun posters when displaying security awareness messages.

OK, I’m just brainstorming here. Are these practical ideas? Do you have others? Have you, perhaps, already implemented an approach along these lines?

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →