The present case showcases the use of Virtual Reality (VR) for assessing the effectiveness of a mandatory course in Workplace Safety and Security.
The greatest threat to the security and privacy of your business comes from the inside, from unsuspecting employees without any malicious intent.
It takes only ONE employee to leave a confidential document, a USB stick or an unlocked laptop on the desktop, leave a visitor alone in the office, click on a link, or download an infected file to crack the seal of safety and security of your business.
Security best practices and privacy awareness training provide the needed motivation and wherewithal to recognize, prevent, and manage potential security attacks.
The client has provided mandatory security awareness training to all employees. However, such training in the past has not translated into secure practices among employees.
The reasons for the futility of these training programs were:
In an oral or written assessment, situational awareness is often missing. Situational awareness (SA) develops when a learner gathers information from the composite surrounding environment, draws inferences, and makes judgments based on those inferences.
Knowledge Synonyms devised a VR-powered, enhanced security assessment model to assess the success of the said training. It employed the virtual reality device Oculus Go to create a realistic workplace experience and test employees with simulated security attacks.
An assessment session included a group of four to five employees at a time. Each employee was given an Oculus Go headset. They were allowed to get familiar with the device before the assessment began.
The simulated realistic workplace scenarios were presented to provide situational context and awareness to learners. Simulated scenarios showing the presence of a visitor in the reception area while the learner (or their avatar) was calling/texting/emailing, a vendor repairing (and accessing) hardware, an email from an unknown source directing the recipient to follow a given link, etc. allowed the employees to make judgment calls as they would be required to do in their routine work-life. To make the scenarios more relatable to the participants, these were custom-built based on the spatial and cultural design of the client’s workplace.
The assessment allowed the participants to choose their avatar and interact with other characters in the given scenarios. They could make their avatar act according to one of the given options. For example, if the learner received a phone call or an email, they would need to identify the phishing/pharming attempts. If the learner identified a security attack, then they would be prompted to choose an appropriate response in the given situation.
The model generated possible consequences of the learners’ responses, thus allowing them to understand the consequences of their actions and the gravity of the impact on their safety and the safety of their colleagues and the organization itself.
The model also used ‘Mirroring’, which means the trainers and evaluators could see exactly what the learners were viewing in the virtual world. This allowed the trainers to get a better sense of the most frequently made security mistakes and most security-prone areas.
The model analyzed data and behavior patterns of employees that are hard for a human analyst to detect. It also identified vulnerable employees and reported the probability and extent of security risks. The assessment encapsulated all aspects of security-related practices, including email, passwords, physical and travel security, mobile security, handling sensitive data and documents, identification and deflection of social engineering attacks, malware, and phishing attacks.
The assessment model also helped in identifying groups and individuals that were more prone to attacks, thus assisting in the selection and design of future safety and security awareness training and making it more relevant and effective.
The assessment addressed the shortfalls of previous training assessment techniques in the following ways:
The Knowledge Synonyms model gave learners kinesthetic, visual as well as auditory stimulation to allow all types of learners to optimally benefit from the experience.
The model required the learners to actively respond to seemingly real-life scenarios. These kept learners engaged and afforded them the opportunity to practically apply the concepts learned in a safe environment.
The gamification activity not only made the experience livelier but also allowed the participants to experience the potential consequences of their actions.
The assessment was based on an entire range of responses and analyzed the exact point of fault, thus indicating where the gaps in learning existed.
Assessments with varying scenarios were periodically administered to refresh concepts and monitor progression in practices and behavior.
The Knowledge Synonyms Safety and Security Training Assessment solution provides a comprehensive and detailed assessment of the degree of security awareness gaps that exist in an organization. It categorizes individuals and groups most vulnerable to social-engineering or cyber-attacks, thereby identifying the weakest links in the security chain of an organization. It further offers recommendations on areas to focus on in future security training.