Cybersecurity is no game, unless you visit the district of Tech & Learning Innovative Leadership Award winner Eva Mendoza.
Chief Information Technology Officer at San Antonio ISD, serving 45,000 students in 70 schools, Mendoza is known for creative attempts to teach cybersecurity, such as her popular “Phish Market” poster and PSA-video contest with winner’s artwork appearing as the lock screen on the district’s chromebooks and school monitors. She also offers a PD version of a popular television game show.
“It’s standard ‘Family Feud’ with a cybersecurity theme,” says Mendoza, who was honored for her efforts during a Tech & Learning regional leadership summit. “We follow the basic rules of the game, where a hundred people are surveyed and participant teams guess the most common responses. We just happen to have a hundred people on our IT staff, so it worked out great.”
Surveys are created with simple Google docs or Microsoft forms, free options that any district budget can handle.
“We send out a survey, asking questions such as, ‘What is the most commonly used password?’” Mendoza says. “Then we take the game around to different targeted departments because of the data they handle, and get some volunteers to make up two teams. We usually try to gamify anything within HR and finance. It’s just really engaging when you add in competition.”
Mendoza finds this style of engagement helps important info sink in, both for participating game contestants and the audience.
“So we might say, ‘We asked one hundred people, what are the most commonly used passwords? And the responses come — ‘1234’ or ‘pet’s name,’ ‘year of birth,’ all of these things that people do, but are super easy to guess or find,” she says. “There will be some funny responses and then ‘Survey says— ‘ and the results can be eye-opening. We want to hit them with that real-world shock. ‘Oh, wow — we all do that or know someone who does.’”
Some of the answers are entertaining, such as during the real show, which keeps the audience attentive rather than the dynamic of zoning out, too often seen in PD sessions. Mendoza then has the principal or a tech director give a short one liner of actual information, enough to drive home the lesson without ruining the fun and engagement of the activity.
“We created it within PowerPoint, using the graphics and theme song. It took a little bit of tweaking, but now that it’s established, we can take it around to our different departments to take part in the game,” she says. “I personally think cybersecurity’s super cool and fun, but you know, not all my colleagues across the district may feel that way. Sometimes people think it’s a little intimidating or they think ‘It isn’t part of my work.’ Cyber safety is a shared responsibility. We all play a part in it and we want them to learn and understand the important role they play in cybersecurity.”
Gamification Isn’t Just For Students
Most school districts in Texas are required to have cybersecurity training approved by the state.
“These were often formal, traditional, sometimes boring videos that we were required to watch,” says Mendoza. “If you can reach beyond that traditional training, however, you can make a serious impact.”
It doesn’t matter how secure and advanced your system is if it is made vulnerable by those using it. This can be a real problem when human error leads to leaks of sensitive student data such as social security numbers, grades, health matters, personal phone numbers and addresses, and other family information.
“With cybersecurity, the No. 1 way people hack into systems is to hack the person, not the technology,” says Mendoza. “They go after those without cyber awareness, capitalizing on human error and carelessness. We need to ensure educators and staff realize the threats that are out there and that they are one of the most important parts of the strategy to keep our environment safe for our students.”
This sort of fun exploration of cybersecurity can even be a unique way to engage students in assemblies, cheering on teacher teams while learning.
“Hackers don’t care if a target is a six-year-old, it is just an account to get in,” says Mendoza. “Kids need to learn just as much as our staff. Our students are growing up in a digital age from day one. Even if you’re itty bitty, you have a digital footprint, and you need to learn to stay safe and how to protect your data. We did a little lesson with all K through 12. Some of the feedback we got from the teachers were stories of ‘My Roblox account was hacked and they took all my points.’ They are in their own world, but that could be so much bigger if they’re not taught early and are ready for the future.”
Tips When Creating Your Own Cybersecurity Training Games
Create real-life activities. Mendoza says, “We did a tabletop exercise to take staff through a full-day scenario of what it’s like when you go through a ransomware attack. For example, 9:13 a.m., teachers complaining ‘I can’t log in or get to my email.’ How are you going to get through the day without no system? What happens if somebody picks up their kid early, what happens at dismissal? Now extrapolate that into a system down for three to five days. It was meant to be an exercise for staff, but it turned into a great resource for us to document and make a plan of everything schools would need from us and the central office to get by. Suddenly, it comes full circle and we have staff saying, ‘I couldn’t make that connection, that my clicking a phishing link could lead to the whole district being down for five days.’ We were able to make it real for them.
Share the why. “A lot of the time we have processes for the vetting process on technology or digital tools,” says Mendoza. “Sometimes applications or softwares are denied. Educators see something on social media, a blog or a seemingly helpful app, and don’t really understand why— ‘It’s free! I don’t see why!’ It comes down to data privacy and protection. We have to read all the terms and conditions. At the end of the day, the ‘No’ is for the students and for our staff so we can be into a good digital environment.
Focus on the people. “Having the people part of your strategy is so important,” says Mendoza. “You have your processes, you have your technology, all your cybersecurity systems and solutions. But you need that people piece to make sure that your cybersecurity posture is strong.”