Using gamification to make cybersecurity training compelling drama at ITV
UK’s biggest commercial TV program maker ITV says pandemic ‘Escape Room’ cyber-training turned an unpopular course into one staff now can’t get enough of.
ITV is the UK's main commercial (advertising-led) TV channel, recording £1.59 billion external revenue for the first six months of 2021 through global sales of shows like Love Island, 2.6 million global subscriptions across all its video on demand services and £866m in TV ad sales.
With over 6,700 staff, the company puts a high priority on protecting itself from external cyber-threats, making cybersecurity awareness one of the core five mandatory training modules all colleagues need to take. But how do you make training in cyber as gripping and engaging as one of the channel's true-crime dramas? ITV thinks it may have done just that.
The broadcaster has worked with a specialist London-based interactive and immersive training company called VIVIDA, which claims to create powerful learning experiences that people remember and enjoy. Specifically, ITV uses its virtual ‘Escape Room' interactive experience, which is designed to bring teams together and teach them how to work safely online, by learning about email phishing, social engineering and other hacker attacks. This is done via a 30-45 minute escape room and several 3-4 minute interactive lessons that try and use engaging puzzles to teach candidates to stop the hackers in their tracks.
The result? By using immersive techniques and gamification, one ITV's least popular mandatory training courses has become the most popular - and has consequently raised the company's general level of security competence and protection, according to Deputy CISO for the ITV Group, Jaspal Jandu, and his colleague, Head of Cybersecurity Training and Awareness, Steve Phillips.
Looking at new ways to engage colleagues
Jandu sets the context by informing us that IT, and more importantly secure IT, is critical to the company's operations. He says:
Technology's pivotal to our business, and as we digitize more and more it's only going to become more crucial to the success of our strategic objectives.
Phillips explains the specific business need, and why this form of training was chosen. He adds:
What we've been doing in the training and awareness space is looking at very new ways from the ground up of how to engage colleagues in this subject - not using the traditional methods, essentially. I'd been reading a lot about gamification, reading a lot about immersiveness and how you learn more by doing and practicing doing, rather than watching a video or reading an article: you're likely to retain that information much more, and therefore you're more likely to act on that information.
We'd tried all of the traditional ways to get the messages we need colleagues to be aware of across, via videos, PowerPoints, going to team meetings, et cetera. But it just wasn't engaging enough.
But gamification training at ITV was far from being just some online courses where you win a badge or two - the company actually used a travelling physical Escape Room roadshow that toured around the country to make cyber security training as engaging as possible, states Phillips.
This tool included dressing up a local office as an escape room, challenging teams to solve puzzles and find IT security clues over a period of 20 minutes in order to get the escape code to leave the room. It also, he adds, included other elements of friendly internal workforce competition like a league table of fastest times and prizes for the best team name.
And then the COVID-19 pandemic hit. This meant travelling a physical escape room was no longer possible. But, management decided to make a virtue out of a necessity and offer a virtual one instead to make all that working from home and Zoom time just a little bit more fun.
It's our company policy that all colleagues will go through some form of cyber training, as they all have a part to play in protecting our business. So, what we really wanted to do was take the best bits of our physical escape room experience, virtualize and scale it, and make it as engaging as possible through people's computer screens: to try and shout above the noise of their regular day job, and therefore making the subject much more engaging.
Trying to combat cyber-burglars
On why this particular supplier and approach got chosen to meet these targets, Jandu explains:
We were convinced that what they were doing was very, very different and would really fit into the culture of ITV, which at its core is all about compelling content.
To make that happen the training company usually offered a VR (virtual reality), which wouldn't really work remotely, however - unless thousands of £400 headsets got bought and shipped out. So the experience was instead moved online. What that looks like is an on-screen ‘story', where the learner finds themselves playing the role of being a security professional in a made-up company trying to combat cyber-burglars in a version of the Dark Web. (To further customize it and make it more ITV-relevant, elements of ITV content were added in, including the famous wrong answer klaxon from Family Fortunes.)
Puzzles include getting presented with a list of series of apps that could potentially be downloaded from the Web, with candidates having to decide which were safe and were dodgy, and so on. To pass and ‘escape,' candidates needed to complete a set of tasks in this story that smuggled in all the informational aspects of the mandatory training needed to complete the ITV cyber security training.
The escape room impact
The question now is: did it work? Jandu and Phillips have pretty definitive proof it did. The training was deployed to over 100 ITV offices, with an astonishingly high 91% completion rate, where 96% completed a pass mark in all the required elements of the awareness training. Qualitative feedback the team can quote includes remarks such as, ‘I've just finished the mandatory training modules and the cyber one was brilliant,' and that ‘the cyber security training was actually my favourite'.
Summing up the impact of this novel corporate training, Jandu says:
It's a well-known industry challenge to get all your colleagues to be cyber advocates, so I'm really impressed that this approach means the team has become so engaged with the topic. We all know that, for decades, attackers have recognised that targeting people is the way to go because it's getting harder and harder to attack the technology.
Your people are your biggest asset, but sometimes they are also your weakest link-so your goal really has to be to make the entire company the security team, and this seems to be a really helpful step along the way to that.