Part 1:

Background

You are the chief technology officer (CTO) of an international bank. A key component of your job is to manage risk within the bank related to information technology (IT). Banks face significant regulatory oversight and must have well-functioning internal controls to prevent and detect any problems related to IT. Within the IT area, data security and privacy are high-risk areas. As such, you must design and implement internal controls to reduce risk. One key preventive internal control that your bank has implemented is employee training.

As part of this control, all bank employees must complete regular IT trainings. The feedback you have received about past trainings is that they are tedious and boring. You are concerned that employees may not engage fully in the trainings and, thus, the control is not helping reduce the risk of an IT security incident. If there is a significant IT security incident on your watch, you are likely to lose your job.

At a recent conference, you heard of a new way to increase interest in and learning from training: gamification of training. Gamification is the application of gaming techniques like using points, badges, leaderboards, stories, etc. to non-game scenarios. As one gamified vendor representative explained, We take traditional training courses and make them more fun by making them a game. Your employees will engage at a deeper level, learning significantly more than in any traditional training session, and have fun while doing it!

The possibility of making IT security training more interesting has perked your interest. You need to make a recommendation to the rest of the executive team about whether you will purchase and implement gamified training for your next wave of IT security training or go with a traditional training module. To help you make an informed decision, you reach out to a friend at another bank who recently implemented a gamified IT security training module at her bank. She sends you a data file and memo for you to analyze to help inform your decision.

Before you go any further, you remember your training about the importance of using an analytics mindset. You decide to review the training material before continuing.

Implementing an analytics mindset

Having and using an analytics mindset are critical in accounting and business. An analytics mindset is the ability to:

• Ask the right questions
• Extract, transform and load relevant data
• Apply appropriate data analytics techniques
• Interpret and share the results with stakeholders

In this setting, using an analytics mindset means using data to inform your decision, rather than going with your gut feeling, another persons recommendation or using another way of deciding. Given that you have data from a similar bank, it makes sense to see what you can learn (and recognize what you cannot learn) by using their data.

Required

1. As a CTO, there are many things you need to consider when choosing the best IT security training program for your employees. Develop a list of questions (at least five) for which you want answers to make the best decision about whether you should implement a gamified training model.
2. Review the memo and descriptions of the data sent from your friend in the appendix. Also, review the data and consider the following:
   • Which questions that you generated in the first requirement can you answer and or not by using the data?
   • What additional data would you need to answer the questions you developed?
   • What are the limitations of the data provided by your friend?
3. Prepare a recommendation for the rest of your organizations executives about whether your organization should use gamified training.
   • Use Tableau to create a story that can be sent to everyone before the meeting. Give thought to how you will display your analyses so that it is understandable and convincing.
   • Make sure your deliverable clearly states the problem, your recommendation, the reasons supporting your recommendation, and any key questions and issues that you were not able to address (and what you would need to address them).