Financial services company IAG has used Alice in Wonderland as a metaphor to educate staff about better security.
The company last year created an Escape Room experience in which staff were led into a Wonderland filled with clues and fictional characters and challenged to use their security knowledge and skill to get out of the room.
“Education and awareness have been core tenets of our strategy and people are our best defence,” said IAG chief security officer Jeff Jacobs.
“We are always looking for innovative ways to educate staff.”
The "Alice in Cyberland" experience came about after Jacobs challenged his team to develop an innovative and lighthearted way to teach security principles.
“We saw escape rooms as a popular trend,” Jacobs said.
And so his team built one into meeting rooms at IAG. That's the insurance industry for you.
"Staff walked into a huge room set up as an Alice in Wonderland environment," Jacobs said.
“The scenario was that they are employees and had to unlock data that had been ransomed by solving cyber themed puzzles. In one they had to get puzzle pieces and put that together to get the question ‘who do you report breaches to?’"
"In another they had to unlock a locked diary to get a code. In another challenge they had to solve a riddle."
IAG’s board was shown a virtual version of the Escape Room and offered positive feedback.
So did the 50-plus groups of six staff who participated in the 20-minute exercise.
Jacobs said feedback from participants was positive. That outcome, he added, was as valuable as improvements in security knowledge, as it showed that the company's staff had engaged with the topic at hand.
The Alice in Cyberland escape room is not IAG’s only pop-culture-themed security education initiative. The organisation previously ran a “Game of Codes” exercise, plus more conventional security training such as phishing drills.
“We try to have a combination of signature events that people will remember and mix that up with business-as-usual activity,” Jacobs said.
His overall goal is creating a security-aware culture. “After a phishing test it is not about rapping people over the knuckles for getting it wrong,” he said. “Everything we do is about culture and education.”
The Alice-themed exercise went down particularly well, and was adopted across IAG ANZ and even repeated in some of the organisation's Asian offices.