These are new product announcements from my main website (Open 24/7/365). We have a life-time warranty / guarantee on all products. (Includes parts and labor). Here you will find a variety of cutting-edge Surveillance and Security-Related products and services. (Buy/Rent/Layaway) Post your own comments and concerns related to the specific products or services mentioned or on surveillance, security, privacy, etc.

Tuesday, February 16, 2016

How To Maximize Security Training With Gamification

Rewarding Good Deeds Actually Works!

Getting employees to take security seriously when security is not their job is an old challenge that now has a new answer: Gamification.

That's right; game-like elements can be used to enhance security awareness and modify users' behaviors. The results are tightly connected to the real world.

"Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email," said a customer describing the results the company saw after the first 18 months of an ongoing security awareness gamification effort that's based on positive recognition rather than negative reinforcement.

Building awareness of physical security was also part of the effort at Salesforce, which has 13,000 employees. A campaign to test "tailgating" (when an unauthorized person sneaks through a secured door by following immediately behind an authorized person) drew 300 volunteers who were rewarded if they successfully slipped through a door and took something.

Generally, before security training, 30% to 60% of users will fall victim to a fake phishing email, says Lance Spitzner, training director at the SANS Institute, a security training vendor. After training and six months to a year of a gamification program, the rate can fall to 5%, he says.


"Gamification has nothing to do with computer games," says Ira Winkler, president of Secure Mentem, a computer security firm in Annapolis, Md. "Rather, it's the application of gaming principles to a business problem."


Winkler says there are four principles to gamification:

* Define A Goal.
* Define Rules For Reaching That Goal.
* Set Up A Feedback Mechanism.
* Make Participation Voluntary.

You can see those principles in action in the game of golf, he notes: The goal is to get the ball into the cup with the fewest attempts, but rules that forbid players from simply dropping it into the cup make the task intriguing. Feedback is provided by the scoring system, and players are there voluntarily.

In the case of corporate security awareness, gamification usually means awarding points to employees who do the right thing, with various forms of recognition, including badges, prizes and a leaderboard listing participants' point totals, he explains.

Security-related behaviors rewarded by such programs include reporting phishing emails, preventing or reporting tailgating, reporting or preventing other attempted intrusions (especially via social engineering), reporting USB memory sticks found on the ground, keeping desktop software properly patched and updated, maintaining strong passwords, attending security seminars, not leaving laptops in parked cars, and (for developers) reporting bugs or vulnerabilities.

But gamification is not a term that has been embraced widely in the business world. "As soon as you use the word 'game' in a corporate environment, there tends to be a lot of pushback, as work is supposed to be serious and games are not," says Jordan Schroeder, IT security administrator for Family Insurance Solutions in Vancouver, B.C. "So I have been using the term 'active feedback' instead. That flew a lot better."


Spitzner at SANS notes that security awareness gamification is not a mature field yet, and the few organizations that have done it have targeted only a few behaviors. Nevertheless, there are success stories, such as what happened at Salesforce.com.

"We wanted to see what would happen if we created a program where employees wanted to do the right things, rather than being pushed to do so," explains Salesforce.com's Heim. After consultations with heads of business units, "We came up with a short list of behaviors that we believed would have the biggest impact, including optional security training, reporting phishing emails and preventing badge surfing" or tailgating.

Security training at the firm is mandatory, but participation in the corporation's gamified security awareness program is not, adds Heim. But employees get points and recognition if they do participate and take security-related actions, like reporting phishing attempts, he explains.

At Family Insurance Solutions, Schroeder says he relies on positive feedback when users do the right thing (in response to phishing and break-in attempts, real or drills), and showing them correct behavior when they do the wrong thing. Unlike at Salesforce.com, there are no points, badges, levels or prizes, he says. "I am not convinced of the effectiveness of giving away physical things," in a small organization, he adds.

He was not able to supply specific metrics, but he notes that users no longer hide what they did wrong for fear of reprisals. "If they are confident of a positive response they want to elicit that response strongly, and will report emails hoping to get that response. People who are normally reticent are now openly engaging with me, asking if this or that is OK. It's exciting watching them educate themselves. People who were my biggest concerns are now my number one partners in security. I have been shocked at how successful it has been with people who I did not think it would be successful with."

Middle-aged office assistants tend to be the most responsive, while the ones he has the most trouble reaching are younger people who play computer games, he says. "They tend to see through the gamification, but do respond to challenges," he notes.

Tips And Traps

Winkler adds that, before launching a gamification program, it is important to first establish the level of security awareness in the organization, to avoid wasted effort. Then, it is important to set up a rewards structure based on the culture of the organization and its business goals.

"You don't want to reward behavior that has no value," he notes. And "you need rewards that the people actually want." Handing out rewards that rank them as Star Wars Jedi knights may work with programmers, but not with investment bankers, he notes.

Points that can be exchanged for small prizes may prove motivating, or just putting names on a leaderboard may work, Winkler notes. Companies with offices in multiple locations, particularly internationally, may find it best to adopt different strategies in different locations. For instance, in some Asian countries, a chance to shake hands with the CEO may be more compelling, Winkler adds.


Gaming Security

Points, if used, should be increasingly harder to get, by adding a ladder of levels, also called badges or titles, he explains. Points should be easy to get at the first level, and involve basic steps, such as attending seminars. Points at the next level should require spontaneous activity, such as reporting a phishing email or security incident, and points at higher levels should reward complex security activities, such as participating in drills, he indicates.

"Even if there is a failure (such as falling for a phishing email) you need to reward them for reporting the failure," Winkler adds. "If I know about it I can warn the rest of the firm. Gamification makes it seem that the security department is not there to punish people, but if all their interactions with security are negative, they are less likely to report incidents."

"Never release the names of the victims," Spitzner adds. "Let everyone know that if they fall victim their names will not go to their manager. If they think they will be reported, they will resent the program, since it will impact their career. The only time the manager is informed is if the person is repeatedly falling victim and represents a high risk. But do identify those who do something good," he adds.

Drills of some sort (such as sending out fake phishing emails or having agents attempt tailgating) should be done once a month. "But if it is weekly it becomes noise," Spitzner adds.

"Don't expect miracles; you will need to refine your program based on your successes and failures," Winkler warns. One common error involves rewarding the wrong behavior. He recalls an instance where software developers were rewarded for finding bugs, and so were reporting old ones and sometimes writing new ones just to report them.

Finally, Winkler warns that gamification is not the answer for every organization, especially if security is a regulatory requirement and participation is not voluntary.
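
An added example (not from the article or from any program it describes) of the scoring rules above applied to monthly phishing drills: a report earns points even after a click, the public leaderboard names only people who did something good, and repeat clickers go on a private list. The event format, point values and the threshold of three clicks are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample data: results of three monthly phishing drills.
# Each event is (drill, user, action); users and values are made up.
RECIPIENTS = ["ana", "ben", "cho", "dev", "eli"]
EVENTS = [
    ("2016-01", "ana", "clicked"), ("2016-01", "ben", "clicked"),
    ("2016-01", "ben", "reported"), ("2016-01", "cho", "reported"),
    ("2016-02", "ana", "clicked"), ("2016-02", "cho", "reported"),
    ("2016-02", "dev", "reported"),
    ("2016-03", "ana", "clicked"), ("2016-03", "ben", "reported"),
    ("2016-03", "cho", "reported"), ("2016-03", "dev", "reported"),
]

# Assumed values (the article gives no numbers for any of these).
POINTS_CLEAN_REPORT = 10   # reported the drill email without clicking
POINTS_SELF_REPORT = 5     # clicked, then reported the failure
REPEAT_THRESHOLD = 3       # assumed meaning of "repeatedly falling victim"


def _by_drill(events):
    """Group events as {drill: {user: set(actions)}}."""
    drills = defaultdict(lambda: defaultdict(set))
    for drill, user, action in events:
        drills[drill][user].add(action)
    return drills


def drill_rates(events, recipients):
    """Per-drill (click rate, report rate) as fractions of recipients."""
    rates = {}
    for drill, users in sorted(_by_drill(events).items()):
        clicked = sum("clicked" in a for a in users.values())
        reported = sum("reported" in a for a in users.values())
        rates[drill] = (clicked / len(recipients), reported / len(recipients))
    return rates


def leaderboard(events):
    """Public ranking: positive recognition only, never who clicked."""
    points = Counter()
    for users in _by_drill(events).values():
        for user, actions in users.items():
            if "reported" in actions:
                points[user] += (POINTS_SELF_REPORT if "clicked" in actions
                                 else POINTS_CLEAN_REPORT)
    return sorted(points.items(), key=lambda kv: (-kv[1], kv[0]))


def repeat_victims(events, threshold=REPEAT_THRESHOLD):
    """Private list for the security team: clicked in >= threshold drills."""
    clicks = Counter()
    for users in _by_drill(events).values():
        for user, actions in users.items():
            if "clicked" in actions:
                clicks[user] += 1
    return sorted(u for u, n in clicks.items() if n >= threshold)


if __name__ == "__main__":
    for drill, (click, report) in drill_rates(EVENTS, RECIPIENTS).items():
        print(f"{drill}: click rate {click:.0%}, report rate {report:.0%}")
    print("leaderboard:", leaderboard(EVENTS))
    print("escalate privately:", repeat_victims(EVENTS))
```

Tracking the click rate and the report rate per drill gives the before-and-after comparison the article's figures rely on, without ever publishing who clicked.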

Gaining Traction

Corporate security pros aren't laughing at gamification.

"Gamification is something we are looking at," confirms Ahmad Douglas, senior director of security awareness at Visa Inc. in Ashburn, Va. "There is a presumption that if we hold security awareness week and have a talk and give away pens that somehow it had an impact on people's behaviors. We have not made that presumption." Instead, Visa has brought in a cognitive psychologist to examine how to counter threats by measurably altering behavior.

"Gamification is a tool, but I don't want to presume that it is the solution," Douglas adds.

"Gamification, or storytelling, or putting cartoons in bathrooms, whatever channels work for people, that is how we are going to get to them," Douglas adds. "Whatever we do, it will be tied to a specific threat, it will have measurable outcomes and it will be based on real psychology."

The awareness problem actually has two segments, Douglas says. "Do they know what action you want them to take? Are they willing to take some action? You can't solve both with the same solution. If they don't know [something], you have to assess if it is realistically knowable and what is the best way to teach it. If they don't care to take action, you have an incentive problem and need to offer a reward."

Not all security professionals are fully buying into the gamification idea. "We use it to a certain degree, but not to the extent of having levels and points," says Jonathan Feigle, director of information security at Hyatt Hotels Corp. in Chicago. Awarding points to a global staff speaking many languages would involve numerous complications, he notes.

Beyond Gamification

While Winkler and others emphasize that gamification does not mean the users play a game, others are willing to cross the border to actual games. For instance, start-up Apozy is developing a cloud-based computer game to teach security awareness, says co-founder Rick Deacon, who was previously a corporate penetration tester.

"We want to get the users engaged with something they enjoy using," he explains. The game simulates a corporate environment and the users take the part of attackers, who plan attacks based on what they learn during the course of play. Meanwhile, the software analyzes the users' decisions to make sure they understand the situation, he explains.

But whether the choice is gamification or actual games, the implication of the success of these approaches is that the answer to the problem of security awareness is not technology but human behavior. Instead of being victims of social engineering, enterprises are showing that they can protect themselves with their own form of social engineering -- one based on rewarding people for doing the right thing.


Health-Care CIOs Share Security Best Practices To Prevent Ransomware Threats

Hospital chief information officers say the health-care industry now needs to assume attackers are going to get into hospital networks. The key to avoiding damage, they say, is detection, response and containment.

Attackers encrypted data at Methodist Hospital in Henderson, Kentucky and were holding it for ransom, security blogger Brian Krebs reported Wednesday. Additionally, NBC reported that two other hospitals were also recently victims of so-called ransomware attacks. Those attacks come a little more than a month after Hollywood Presbyterian Medical Center said it had paid hackers 40 bitcoins, about $17,000, after an attack made certain systems unusable for more than two weeks.
Methodist Hospital did not respond to a request for comment.

Traditionally, hospitals have focused on prevention, Darren Dworkin, chief information officer at Cedars-Sinai, told CIO Journal. “You still have to do that, but at the same time you need to acknowledge that stuff will come through so you can detect it, catch it, and contain it,” he said.

Another hospital faced a problem with ransomware when a nurse clicked on a bad link, said a CIO who asked not to be identified. By isolating the laptop from the rest of the network, the CIO was able to keep the problem from spreading. These attacks can spread rapidly throughout a network, he said.

The CIO used backups to quickly restore the data. It’s crucial to have data that’s frequently backed up, he said. The difference between a problem that’s caught and quickly handled and one that ends with a hospital paying thousands of dollars to hackers is often good backups.

Malicious software often enters health-care organizations when an employee clicks on a bad link or downloads a bad attachment. The malicious software then targets unpatched software on the victim’s computer. There are many Windows-based systems in health care and the patching of software is notoriously poor, said Scott Donnelly, senior analyst at Recorded Future, a security firm that sells real-time threat intelligence.

According to the company’s analysis, recent ransomware has targeted vulnerabilities in Adobe Flash Player and Microsoft Silverlight. Mr. Donnelly suggests updating that software as well as Web browsers.

The best defense in the short term is to educate employees not to open unexpected attachments, not to click on any link embedded in an email and not to provide any personal information to unknown callers, said John D. Halamka, chief information officer at Beth Israel Deaconess Medical Center, in an email message.

“Millions can be spent on technical security but you’re still as vulnerable as the most gullible employee who provides their password in response to a phishing email or inserts an infected USB drive,” he added.

Your questions and comments are greatly appreciated.

Monty Henry, Owner


NOW, look in on your home, second home, lake house or office anytime, anywhere from any internet connected PC/Lap-top or Internet active cell phone, including iphone or PDA: http://www.dpl-surveillance-equipment.com/wireless_hidden_cameras.html

Watch your child's caregiver while sitting at a traffic light or lunch meeting, or check on your business security from the other side of the world. Our built-in hidden video features all digital transmissions providing a crystal clear image with zero interference. With the IP receiver stream your video over the internet through your router, and view on either a PC or smart phone. Designed exclusively for DPL-Surveillance-Equipment, these IP hidden wireless cameras come with multiple features to make the user's experience hassle-free.

• Remote Video Access

• Video is Recorded Locally To An Installed SD Card (2GB SD Card included)

• Email Notifications (Motion Alerts, Camera Failure, IP Address Change, SD Card Full)

• Live Monitoring, Recording And Event Playback Via Internet

• Back-up SD Storage Up To 32GB (SD Not Included)

• Digital Wireless Transmission (No Camera Interference)

• View LIVE On Your SmartPhone!


* Nanny Cameras w/ Remote View
* Wireless IP Receiver
* Remote Control
* A/C Adaptor
* 2GB SD Card
* USB Receiver



Receiver Specs:

* Transmission Range of 500 ft Line Of Sight
* Uses 53 Channels Resulting In No Interference
* 12V Power Consumption
* RCA Output
* Supports up to 32gig SD

Camera Specs:

* 640x480 / 320x240 up to 30fps
* Image Sensor: 1/4" Micron Sensor
* Resolution: 720x480 Pixels
* S/N Ratio: 45 db
* Sensitivity: 11.5V/lux-s @ 550nm
* Video System: NTSC
* White Balance: Auto Tracking

Make Your Own Nanny Cameras:  Make Tons Of Money In A Booming, Nearly Recession-Proof Industry!

Your Primary Customers Include But Are Not Limited To Anyone In The Private Investigator, Government, Law Enforcement And/Or Intelligence Agencies Fields!

* You Buy Our DVR Boards And We'll Build Your Products! (Optional)

Our New Layaway Plan Adds Convenience For Online Shoppers

DPL-Surveillance-Equipment's layaway plan makes it easy for you to buy the products and services that you want by paying for them through manageable monthly payments that you set. Our intuitive calculator allows you to break down your order's purchase price into smaller payment amounts. Payments can be automatically deducted from your bank account or made in cash using MoneyGram® ExpressPayment® Services and you will receive your order once it's paid in full. Use it to plan and budget for holiday purchases, anniversaries, birthdays, vacations and more!

DPL-Surveillance-Equipment's Customers can now use the convenience of layaway online to help them get through these tough economic times.

We all shop now and then just to face a hard reality -- big credit card bills. However, our latest financing innovation can help you avoid that. Find out why more and more shoppers are checking out DPL-Surveillance-Equipment's e-layaway plan.

If you're drooling over a new nanny camera, longing for a GPS tracker, or wishing for that spy watch, but you're strapped for cash and can't afford to do credit, do what Jennie Kheen did. She bought her iPod docking station (hidden camera w/motion-activated DVR) online using our convenient lay-away plan.

Our online layaway plan works like the old-fashioned service stores used to offer. But, in Kheen's case, she went to DPL-Surveillance-Equipment.com, found the iPod docking station (hidden camera w/motion-activated DVR), then set up a payment plan.

"It's automatically drawn from my account," she said. "I have a budget, $208.00 a month."

In three months, Kheen had paid off the $650.00 iPod docking station. She paid another 3.9 percent service fee, which amounted to about $25.35 (plus $12.00 for shipping) for a total of $687.35.

"You pay a little bit each month," Kheen said. "It's paid off when you get it and you don't have it lingering over your head. It's great."

Flexible payment terms and automated payments make our layaway plan an affordable and fiscally responsible alternative to credit cards.

1. Register:

It's quick, easy and FREE! No credit check required!

2. Shop:

Select the items or service you want and choose "e-layaway" as your payment option. Our payment calculator makes it easy for you to set up your payment terms.

3. Make Payments:

Payments are made on the schedule YOU set. Check your order status or adjust your payments online in a secure environment.

4. Receive Products:

Receive the product shortly after your last payment. The best part, it's paid in full... NO DEBT.

More Buying Power:

* Our lay-away plan offers a safe and affordable payment alternative without tying up your credit or subjecting the purchase to high-interest credit card fees.

No Credit Checks or Special Qualifications:

* Anyone 18 years old or older can join. All you need is an active bank account.

Freedom From Credit Cards:

* If you are near or beyond your credit limit or simply want to avoid high interest credit card fees, our e-layaway is the smart choice for you.

Flexible Payment Schedules:

* Similar to traditional layaway, e-layaway lets you make regular payments towards merchandise, with delivery upon payment in full. Payments are automatically deducted from your bank account or made in cash using MoneyGram® ExpressPayment®

A Tool for Planning Ahead:

* Our e-layaway makes it easy for smart shoppers like you to plan ahead and buy items such as bug detectors, nanny cameras, audio bugs, gps trackers, and more!

No Hidden Charges or Mounting Interest:

Our e-layaway makes shopping painless by eliminating hidden charges and monthly interest fees. Our customers pay a flat transaction fee on the initial purchase price.


* You have the right to cancel any purchase and will receive a refund less a cancellation fee. See website for details.

Security and Identity Protection:

DPL-Surveillance-Equipment has partnered with trusted experts like McAfee and IDology to ensure the security and integrity of every transaction. Identity verification measures are integrated into our e-layaway system to prevent fraudulent purchases.

Note: Simply Choose e-Lay-Away as a "Payment Option" in The Shopping Cart

DPL-Surveillance-Equipment.com is a world leader in providing surveillance and security products and services to Government, Law Enforcement, Private Investigators, small and large companies worldwide. We have one of the largest varieties of state-of-the-art surveillance and counter-surveillance equipment including Personal Protection and Bug Detection Products.

Buy, rent or lease the same state-of-the-art surveillance and security equipment Detectives, PI's, the CIA and FBI use. Take back control!


Phone: (1888) 344-3742 Toll Free USA
Local: (818) 344-3742
Fax (775) 249-9320

