This is a guest post of Christian Tijsmans is founder of Connect the Dotz and Paul Wilkinson is the owner/director of GamingWorks, at the occasion of the business game they ran at the CIONET conference "Optimising Security and Risk Awareness" of March 8th.

How vital is cyber security training for organisations?

On March 8th, CIONET Belgium  held a conference about ‘How to optimise risk and security awareness’. Over 40 IT executives gathered to exchange thoughts and best practices about this vital subject. The first half of the meeting was spent on two eye-opening cyber security and resilience business simulation games. The aim was to show how a business simulation can create awareness and change attitude by creating new insights, and capturing new behaviours. Security awareness should result in behaviour change to prevent the human factor being the most damaging security risk.

The goals of the simulation sessions were to explore:

• What is the role of an executive manager in understanding the issues and of setting strategy and policy?
• What should leaders be doing to ensure a change in attitude and a discipline in behavior?
• What should leaders do to balance the right investments in cyber security and cyber resilience?
• What actions can be taken away and initiated in an organisation?

[gallery size="medium" columns="2" ids="20420,20419"]

Oceans 99 Business simulation

In the game the various stakeholders make use of information systems for planning, managing, transporting and monitoring three world-renowned objects that the Bank of Tokyo is exhibiting. The challenge is to bring the objects to Tokyo, on time, safely and securely. However, there are rumours that Oceans 99, a criminal organization, wants to steal the objects.

The two teams were tasked with designing a security policy, performing a risk assessment and developing a strategy for investing in security counter measures, all this in a very limited amount of time.

This business simulation was both fun and insightful. Even in this intense, time-pressured situation it was interesting to see how an IT-related set of stakeholders and decision makers all focused on ‘technology solutions’ and not the ‘human factor’.

At the end of the game, we asked the attendees to share their key learning points and take-aways of the session. You might share some of them, others might come as a surprise perhaps. Here they are:

1. Identify your ‘crown-jewels’ (critical information assets) before writing your security policy. It isn’t all about systems and servers and technology.
2. Security policy is a team effort – not only IT – that needs advance preparation.
3. Create more security and risk awareness of threats, vulnerabilities and business risk among both the board and employees; people awareness is key, especially with social engineering as the current threat.
4. Create a structured approach for risk assessment and a security roadmap for everyone. Organize the business to listen and actively steer the risks while involving business leaders in the risk management process. Work with all key stakeholders to define a risk strategy and prioritise appropriate investments.
5. Users are the most vulnerable assets who need awareness training and control systems (including clear consequences) to mitigate risk.
6. You need to balance security with end-user requirements for flexibility.
7. Governance is the basis of an information security programme and the board needs to take ownership and the lead in getting approval for, communicating, implementing and enforcing security governance. The board needs to recognise the risks their business is facing today and whether these risks are well mitigated or managed.
8. Roles and responsibilities are key to any project.
9. Technology is not the solution.

[gallery size="medium" columns="2" ids="20423,20421"]

Click here for the slides used in the presentation of the Security business game.

Click here to learn more about the business game itself!