Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Let’s face it, no one likes cybersecurity training.
The fake phishing attacks have made us all paranoid. The online courses are boring and, even though cybersecurity is critical, the time it takes to complete the training courses take away from the mission.
But what if—think about it for a moment—cybersecurity training was interactive, collaborative and — hold on — even fun?
That’s what the Department of Health and Human Services attempted to do by hiring a vendor to run a cybersecurity escape room during Cybersecurity Awareness month.
“We [did] an escape room to teach the basics,” said Janet Vogel, the HHS chief information security officer, at a recent AFCEA Bethesda event. “We have these windows of opportunities that we have to take advantage of like where people will rotate and observe at the security operations center or network operations center and get some experience so they understand it better. That sparks some excitement and they’ve learned something that they can apply. It also gets cyber into the language that everyone is using and their habits.”
HHS had eight teams, 72 employees, participate in the escape room training from eight operating divisions.
“Each escape room training session was one hour, consisting of a five minute introduction briefing, 20 minutes to complete the hands-on exercise, a five minute quiz and 30 minutes of discussion on how to implement cybersecurity best practices covered in the training, into daily work tasks,” a HHS spokeswoman said in an email to Federal News Network. “The escape room challenges included how to identify and use two factor authentication, recognize phishing emails, identify personally identifiable information, find unsecure WiFi access points and physical computer security.”
Conrad Bovell, the director of information system security for the Financial Management Systems Group at the Centers for Medicare and Medicaid Services, said after the AFCEA event that the escape room concept was intriguing.
“It got my folks excited. They asked if they could do it,” Bovell said. “It’s a good thing to put them in a situation where they have to make decisions under a little bit of pressure.”
The HHS spokeswoman said the escape room concept is part of the agency trying to use different approaches to training.
“The idea to explore using a live interactive training exercise to reach more HHS employees is an expansion on the HHS Cybersecurity Awareness program, which already includes online training modules, in-person lunch-and-learn sessions, webinars, cybersecurity awareness articles, question of the week and ethical phishing exercises,” the spokeswoman said.
HHS followed the lead of the Federal Housing Finance Agency (FHFA), which also hired Living Security to conduct an escape room training earlier this year.
The HHS spokeswoman said the CISO’s office met with Taryn Jones, the senior IT specialist and cybersecurity awareness training lead at FHFA, to better understand how FHFA implemented the escape room concept.
Jones “provided a wealth of insight and knowledge about how to successfully operate the escape room experience. She also provided an outstanding demonstration to HHS Leadership, which was very well received,” the spokeswoman said. “Taryn emphasized the importance of all team members to participate in the training exercise and added value to the group discussion after the activity. Group discussion gave the participants an opportunity to discuss real scenarios where they had encountered the cybersecurity topics reviewed in the training and how the scenario played out.”
A FHFA spokesman declined to comment on its cyber escape room experience.
Along with Living Security, there are a handful of other federal cyber companies offering similar experiences. The Thales Group offers a “mobile box” that is a 10-minute experience that uses clues, hints and strategy to help participants complete the puzzle. The SANS Institute also offers a similar experience to reinforce and teach cybersecurity best practices and principles.
This concept is becoming more and more attractive to other agencies.
Adrian Monza, the deputy CISO and chief security architect in the Information Security Division at the U.S. Citizenship and Immigration Services, said after the AFCEA event Vogel’s mention of the escape room concept was the first he’d heard of it.
“It seems to create engagement and the opportunity to form relationships that may not happen otherwise,” Monza said. “I plan to reach out to Janet to find out more.”
The Massachusetts National Guard also hired a vendor to create a cyber escape room earlier this year.
Gathering feedback on escape room
As for HHS, the spokeswoman said the agency will measure the impact of the escape room exercise in a variety of ways.
She said the CISO’s office took participant feedback and conducted an online survey shortly after the exercise finished.
Some of the participants offered these comments:
“It was extremely interactive and I very much liked the discussion at the end. The discussion reinforced and explained some of the rules that I would have otherwise discarded as too burdensome or no true added security.”
“Very involved and nuanced; it showed that a lot of work had gone into the training and developing the tools; let me cover the content of a normal training in a much more engaging way.”
“The activity was fun and I liked working with a team. I also liked the post-test and discussion that followed the exercise.”
The spokeswoman said HHS will continue to elicit comments from participants.
“HHS will again survey the participants three weeks later by sending the participants 10 knowledge check questions to gauge retention of training concepts covered in the escape room exercise. Surveys will be emailed to each participant to obtain feedback and interest in this interactive learning approach,” she said. “Participant feedback will play a large part in the long term decision to continue the initiative. If participants provide positive feedback, I believe the escape room will become a part of the long term HHS cybersecurity awareness training and education strategy.”