COI Report – Part VII Page 318 of 425

conducted by another external consultant showed that SIRT members did not follow the steps defined in the IR-SOP and SIRF when responding to incidents.

927. Lack of awareness of the organisation’s response plan can hamper timely reporting, or even result in non-reporting. Although speed of reporting is important, it is also important to have a clearly-defined and well-communicated reporting flow, so that uncertainty and confusion are reduced and reporting is encouraged. It is also critically important that staff are rigorously tested on their understanding of the plans, and actually follow the plans when an incident occurs.

928. Vivek’s testimony is that it is important for exercises to have “realistic contours” which bring out the “pressure points” for participants. The Committee agrees with Vivek’s testimony. The Solicitor-General suggested that one novel way of educating staff about IT security would be Gamification. Benefits of Gamification include improved motivation and increased engagement. Games allow for role-playing as both attackers and defenders, and challenge participants to make quick, high-impact decisions, which helps them to understand which activities can make the biggest difference during a cyber attack. This can be explored, and should not only involve technical staff, but should also include senior management of an organisation, and can be complemented by other initiatives such as red teaming exercises.

929. Organisations, in particular IHiS, must engage every employee in data security by using positive reinforcement to reward good behaviour, instead of the more conventional approach of identifying negative behaviour and reporting that behaviour to management. This should be led by CEO, IHiS with oversight by the chief executives of SingHealth and MOHH.