Cybersecurity is no game, unless you visit the district of Innovative Leadership in technology and Learning Award winner Eva Mendoza.
Mendoza, director of information technology for the San Antonio Independent School District (SID), which serves 45,000 students in 70 schools, is known for her creative attempts at teaching cybersecurity, such as her popular “Phish Market” poster and the PSA video contest in which the winner’s artwork appears as the lock screen on the district’s Chromebooks and school monitors. She also offers a professional development version of a popular television show.
“It’s a standard ‘Family Feud’ with a cybersecurity theme,” says Mendoza, who was recognized for her efforts during a technology and learning event. regional leaders summit“We followed the basic rules of the game, where you survey 100 people and the participating teams guess the most common answers. We happen to have 100 people on our IT staff, so it worked out pretty well.”
Surveys are created using simple Google Docs or Microsoft Forms, free options that any district budget can handle.
“We send out a survey with questions like, ‘What is the most used password?’” Mendoza says. “Then, we take the game to different departments that are specific to the data they handle and get some volunteers to form two teams. We usually try to turn everything related to HR and Finance into a game. It’s really interesting when you add competition.”
Mendoza believes that this style of participation helps important information to be assimilated by both the game participants and the audience.
“We could say, ‘We asked a hundred people what their most commonly used passwords are.’ And the answers are, ‘1234,’ or ‘pet’s name,’ ‘birth year,’ all these things that people do, but are very easy to guess or find,” he says. “There will be some funny answers and then there will be some funny answers.” 'The survey says—And the results can be revealing. We want to hit them with that real-world surprise. “Wow, we all do that or know someone who does that.”
Some of the answers are entertaining, such as during the actual show, which keeps the audience engaged rather than the distracting dynamic seen all too often in professional development sessions. Mendoza then has the director or a technical director give a short line of actual information, enough to emphasize the lesson without ruining the fun and interest of the activity.
“We created it within PowerPoint, using the graphics and the theme song. It took a little work, but now that it’s established, we can take it to our different departments to participate in the game,” she says. “Personally, I think cybersecurity is cool and fun, but not all of my colleagues in the district may think the same. Sometimes people think it’s a little intimidating or they think ‘It’s not part of my job. ’ Cybersecurity is a shared responsibility. We all participate in it, and we want them to learn and understand the important role they play in cybersecurity.”
Gamification is not just for students
Most Texas school districts are required to have state-approved cybersecurity training.
“These were formal, traditional, and sometimes boring videos that we had to watch,” Mendoza says. “But if you can go beyond that traditional training, you can have a big impact.”
It doesn't matter how secure and advanced your system is if those who use it make it vulnerable. This can be a real problem when human error leads to leaks of sensitive student data, such as social security numbers, grades, health issues, personal phone numbers and addresses, and other family information.
“When it comes to cybersecurity, the primary way people hack systems is by hacking people, not technology,” Mendoza says. “They go after those who are not cyber-aware, and they take advantage of human error and carelessness. We need to make sure educators and staff are aware of the threats that exist and that they are one of the most important parts of the strategy to keep our environment safe for our students.”
This kind of fun exploration of cybersecurity can even be a unique way to engage students in assemblies, encouraging teacher teams as they learn.
“Hackers don’t care if the target is a six-year-old, it’s just an account to access,” Mendoza says. “Kids need to learn just as much as our staff. Our students are growing up in a digital age from day one. Even if you’re very young, you have a digital footprint and you need to learn how to stay safe and protect your data. We did a little lesson with all the kids from kindergarten through 12th grade. Some of the feedback we got from teachers was stories of ‘My Roblox account got hacked and they took all my points. ’ They’re in their own world, but it could be a lot bigger if they’re not taught early and ready for the future.”
Tips for creating your own cybersecurity training games
Create real-life activities. Mendoza says, “We did a tabletop exercise for staff to go through a full-day scenario of what it’s like to suffer a ransomware attack. For example, at 9:13 a.m., teachers were complaining that they couldn’t log in or access their email. How were they going to get through the day without a system? What happens if someone picks up their child early? What happens at dismissal time? Now let’s extrapolate that to a system that’s down for three to five days. It was supposed to be an exercise for staff, but it became a great resource for us to document and come up with a plan for everything the schools would need from us and the central office to get through. Suddenly, it came full circle and staff said, “I couldn’t make that connection, that clicking on a phishing link could cause the entire district to be down for five days.” We were able to make it a reality for them.
Share why. “A lot of times we have processes for the evaluation process of technology or digital tools,” Mendoza says. “Sometimes apps or software get rejected. Educators see something on social media, a blog, or a seemingly useful app and they don’t really understand why: ‘It’s free! I don’t see why!’ It all comes down to privacy and data protection. We have to read all the terms and conditions. At the end of the day, the ‘No’ is for the students and for our staff, so that we can be in a good digital environment.”
Focus on people. “It’s very important to have people as part of the strategy,” Mendoza says. “You have your processes, you have your technology, all your cybersecurity systems and solutions. But you need people as part of your strategy to make sure your cybersecurity posture is strong.”
