How can we use fun as a motivator for changing the behavior of computer users to improve information security? I started thinking about this after I read about the Fun Theory project, "dedicated to the thought that something as simple as fun is the easiest way to change people's behaviour for the better."
One of the project's experiments influenced people to take the stairs instead of the elevator by turning the stairway into a musical piano keyboard. Take a look at this 2-minute video:
Another experiment encouraged drivers to wait at the traffic light by displaying trivia when the red light was on. Another motivated people to throw trash into a bin, rather than on the floor, by emitting funny sounds when objects were placed into the receptacle.
In these examples, fun acts as positive reinforcement, which is often more powerful than negative reinforcement in changing behavior.
Ideas for Security Scenarios
Here are a few ideas that came to mind for using fun as a motivator to improve information security:
- If tailgating is a problem, reward people for closing the door behind them by announcing a fun fact or speaking a one-line joke (using recordings).
- Such rewards might also work when encouraging people to swipe their badge at the door, rather than walking behind someone.
- Encourage people to check the SSL certificate of the web server by having the browser display a funny picture or a trivia note as part of the certificate properties dialog box.
- Reward people who select complex passwords by automatically entering them in an office raffle.
- Encourage people to report security concerns to the help desk by rewarding them with raffle tickets.
- Make security awareness training sessions less boring by using fun graphics, personally-relevant facts and an engaging presentation style.
- Test employees' knowledge of security policies with short quizzes, where winners receive awards.
- Use comic strips and fun posters when displaying security awareness messages.
OK, I'm just brainstorming here. Are these practical ideas? Do you have others? Have you, perhaps, already implemented an approach along these lines?