Gamification: why it is essential for cyber security awareness training

The nature of everyday work environments has changed … and so too has the way employees learn in the workplace. Organisations must use innovative ways to facilitate these changes and find training solutions that meet the complex needs of all employees.

Traditional methods of cyber security awareness training can fall short in engaging participants effectively, especially when trying to capture an employee base consisting of multiple generations, methods of learning and interests … enter gamification.

Gamification is a dynamic and interactive approach that must be included in your cyber security awareness framework for maximum ROI.

In fact, 72% of people say gamification motivates them to do tasks and work harder on the job. And you can’t stand still in this space; as of now, experts report that as much as 70% of Global 2000 companies (the world’s largest 2,000 companies) use gamification.

In this blog, we will delve into the world of gamification and explore why it is essential for cyber security awareness training. Whether you're a CISO, DPO or SRI, this article will shed light on the transformative power of gamification.

What is gamification?

Gamification is the integration of game-like elements and mechanics into non-game contexts, such as learning and training environments. It leverages the principles of game design to engage and motivate participants, making tasks more enjoyable and encouraging active participation.

In the context of cyber security threats and risks, you will find games that train employees to be better at password management and security, ones that play with data classification protocols, some that simulate phishing scenarios and so on …

Gamifying training requires the transfer of certain gaming elements into the educational and training space. These include:

• Points and scores: Participants earn points or scores for completing tasks or achieving milestones. You can leverage this for an in-house competitive leaderboard to encourage a constantly improving security culture.
• Badges and achievements: Virtual badges or trophies are awarded for accomplishments, fostering a sense of achievement. You can take this one step further by encouraging a champion program with physical prizes for your employees, thus poking your employees towards the behaviours you want to see.
• Levels: Participants progress through levels of increasing difficulty, providing a sense of challenge and achievement. Employees don’t like being coddled; by giving them a challenge, you are respecting their intellect and development and you are more likely to see engagement levels rise as a result.
• Competition: As briefly mentioned, leaderboards and competitive elements encourage healthy competition among participants and will ultimately bring the baseline of your security culture up.
• Narrative and storytelling: Incorporating narratives and stories adds depth and context to the learning experience aiding in information recall and knowledge longevity; employees are far more likely to remember vital information if they ingest it alongside a narrative moment that is easy to remember than a simple slideshow of protocols and best practices.

Conversely, Sailer and Homner recently authored a thorough meta-analysis on gamification in learning. After selecting 38 of the most eligible studies from a total of 1000, they concluded that gamification only requires two things: game fiction and social interaction. Game fiction is the use of narrative tools such as stories, avatars, and an explorable space to immerse and situate learnings in a particular context. Game increases effort and, therefore, increases investment. Social interaction creates a connection in your organisation, a kinship, that leads to healthy competition and collaboration. Features such as a leaderboard can offer a sense of constructive competition as they are understood to be good-natured.

The benefits of gamification

Gamification offers a range of benefits, which is why it has gained popularity in cyber security awareness training:

• Increased engagement: Gamification makes learning fun and interactive. It captures participants' attention and keeps them engaged throughout the training, reducing boredom and distraction. On average, employees experience a 48% engagement increase with a gamified work experience.
• Enhanced participation: Gamified eLearning modules increase participation by capturing employees who would otherwise drag their feet with compulsory one-size-fits-all eLearning. In fact, 67% of employees agree that gamified learning is both more engaging and motivating than traditional classes.
• Enhanced learning retention: The immersive nature of gamification aids in information retention. Participants are more likely to remember key concepts and apply them in real-world scenarios. According to Gabe Zichermann’s Gamification by Design, incorporating gamification into training helps make mundane tasks fun and results in increasing employee skill retention by approximately 40%.
• Immediate feedback: Games provide instant feedback on participants' actions, helping them understand the consequences of their choices and promoting a deeper understanding of cyber security principles.
• Turn the abstract into the accessible: When presenting technical or complicated training, you can lose learners with blocks of text and laborious eLearning. Gamification training transforms abstract technical lessons into practical lessons that are far more accessible and don’t read like a Wikipedia page.
• Motivation and competition: Gamification introduces a competitive element that encourages participants to strive for better results. This competitive spirit can drive better performance.
• Real-world application: Gamified scenarios often mimic real-world situations, allowing participants to apply what they've learned directly to their job roles.
• A happier workplace: Not all the benefits of gamified learning relate to the information or to cyber security directly. For instance, a gamified workplace also increases employee happiness. In fact, this survey reveals that 89% of workers said that gamification makes them feel happier and more productive at work.

Why gamification for cyber security awareness training?

The current challenge:

Traditional cyber security training methods, such as lectures and e-learning modules, can be a struggle for some participants. At their least effective, they can be dry, lengthy, and fail to capture the urgency of the cyber security landscape.

Furthermore, as more and more younger employees enter the workforce, compliance-based learning that simply aims to tick boxes, will be seen as corporate mumbo jumbo that can be ignored and disregarded.

Gamification as the solution:

Gamification addresses these challenges head-on by turning training into an engaging experience. By applying game elements to cyber security awareness, organisations can bridge the gap between theoretical knowledge and practical application. According to a survey conducted by Adobe, 79% of respondents agreed that if learning were more like a game, learners would be more engaged and driven.

Gamification also allows you to capture employees who do not respond positively to passive eLearning modules but are much more receptive to interactive and active materials. Instead of plunging them into a 10-minute course on phishing, why not drop them into a phishing simulation game and teach them with scenario-based training?

While traditional training offers a formally structured environment to transfer a body of knowledge, gamification goes far beyond, offering opportunities to practice in simulated environments safely in immersive, relevant conditions. This is especially important in areas where students may not fully appreciate or understand the need for them to acquire the knowledge and skills being taught – such as cyber security threats and risks.

Implementing gamification

Just wanting a gamified learning experience doesn’t mean it is going to be successful. Poor planning can lead to poor ROI when it comes to gamification and as awareness and behavioural experts, this is frustrating to see. According to Zippia, an estimated 80% of workplace gamification fail to meet company objectives because they have been poorly planned and designed, lacking creativity and purpose.

To truly make the most of gamification, here are some steps to maximise the effectiveness of your implementation.

• Identify learning objectives: Determine the specific cyber security concepts and skills you want to convey through gamification. You may already have anecdotal evidence of what threats and risks need to be focused on. If not, we recommend running a Security Awareness and Behaviour Research (SABR) survey, which will analyse your organisations security maturity across five dimensions and pinpoint weak links, areas of focus and advise on next steps. Our SABR tool is available in a comprehensive 80-question format for large organisations and as a Micro-SABR for medium to small sized organisations who want quality quantitative data on their security culture.
• Choose the right format: Select a gamification platform or format that aligns with your organisation's needs, budget, and preferred employee learning methods. You may elect for interactive digital games, or perhaps an in-person escape room, or a multiplayer cyber maze. The possibilities and variety with gamification are vast.
• Content creation: Develop engaging content, scenarios, and challenges that align with your learning objectives. Working with a tried and tested cyber security awareness partner can help align your organisation’s cyber security protocols with industry best practice. It is also extremely eye-opening enlisting the help of a third-party, absent of bias, to illuminate threats and risks that you may not have even been aware of.
• Feedback mechanisms: Implement immediate feedback mechanisms to guide participants and reinforce learning. You’ll also find that employees are ready to replay games often and promptly because a score is assigned to their effort and their participation.

The Octalysis Framework

The Octalysis Framework, developed by Yu-kai Chou, is a powerful tool for designing gamified experiences. Based on 10 years of research and study, it breaks down motivation into eight core drives, providing a structured approach to designing engaging games:

1. Epic meaning & calling: ‘Call to action’ for a player to do something greater than themselves.
2. Development & accomplishment: Overcome challenges, make progress, and develop skills.
3. Empowerment of creativity & feedback: Creatively solving problems with prompt feedback.
4. Ownership & possession: Ownership increases investment and can be encouraged via customisation or a cumulative score.
5. Social influence & relatedness: Encourage this through competition and workplace mentorship.
6. Scarcity & impatience: Wanting something because you can’t have it is frustrating but encouraging. Induce this feeling with times and prizes for completion.
7. Unpredictability & curiosity: What is going to happen next? Curiosity got the cat to complete his training!
8. Loss & avoidance: The feeling of loss due to inaction can be instigated by playing on FOMO behaviour (Fear of missing out).

Every notch on The Octalysis Framework can also encourage a dopamine release, especially when associated with gaming. The human body releases far more dopamine when it is invested in an enjoyable or challenging or frustrating narrative experience. With gamification, elements such as score, rankings, and prizes to keep players engaged all signal a dopamine release.

The learning mechanics applied by gamification

Gamification employs various learning mechanics to enhance engagement and knowledge retention:

• Spaced repetition: Content is repeated at increasing intervals to reinforce learning. Usually, gamified experiences can be enjoyed quickly, complimenting spaced repetition programs perfectly. You can even run compulsory gaming sessions every week and see the difference in enthusiasm when compared to generic eLearning.
• Microlearning: Information is delivered in bite-sized, easily digestible modules. When you combine this with spaced repetition, you slowly embed new safer behaviours into your employees.
• Feedback loops: Participants receive feedback on their performance, encouraging continuous improvement, continuous gaming, and continuous security maturity growth.
• Narrative storytelling: Learning is embedded within a compelling narrative, making it more relatable.

Gamification examples

Duolingo

Duolingo, a language learning app, effectively utilises gamification by incorporating points, levels, and leaderboards. Users are motivated to learn languages through interactive challenges and progress tracking.

Dmitri Medeleev

The Periodic Table of Elements is attributed to Dmitri Mendeleev, a Russian scientist, and educator from the 19th century. Mendeleev was an avid card player, and he used a card game to organise the elements in a form that made sense to him. He used a narrative device he was already familiar with, a card game, to learn how elements, something he was still learning about, interacted with each other.

Sumo Logic

In 2020, Sumo Logic, a cloud-based management organisation, implemented gamification in its security awareness and training campaign to massive success. George Gerchow, CSO at Sumo Logic, told InfoSecurity Professional Magazine that he had seen a 10% reduction in user risk: “Over the course of this last year, we had a 10% reduction in end user risk. Most organisations, when they get compromised, it happens because an end user has a weak password, gets phished or downloads malware. The amount of education you need to do around these things is incredible. One percent to 2% is a win, but a 10% reduction is remarkable”.

Other types of interactive cyber security awareness training

While gamification is a powerful approach, it's not the only option for enhancing cyber security awareness. Other interactive training methods include:

• Simulations: Immersive simulations recreate cyber threats and require participants to respond effectively. For example, as the metaverse and VR technology works its way into work environments, we created a VR threats simulation game that allows employees to experience scenarios such as avatar creation, metaverse conversations and potential risks such as identity theft and phishing in a controlled environment.
• Capture The Flag (CTF) and Escape Room challenges: CTF challenges and escape rooms involve solving security puzzles and vulnerabilities in a controlled environment. These are extremely helpful and effective for employees who value hands-on and physical training but still yearn for some gamification.
• Interactive workshops: Hands-on workshops allow participants to practice cyber security skills in a controlled setting. Interactive workshops, led by a cyber security awareness and behavioural expert, are extremely effective for organisations and employees that respond more to authority and trust. They are also what we recommend when trying to engage board members and managers as it opens the floor to interaction rather than closed off online eLearning.

Conclusion

90% of employees say gamification makes them more productive at work.

Gamification, with its engaging and interactive nature, offers an effective solution to enhance cyber security awareness training – you simply cannot afford to ignore it.

Whether you are a CISO, DPO, SRI, or simply someone interested in cyber security, embracing gamification can transform the way we educate and prepare our workforce to defend against cyber threats.

By understanding its benefits, implementing effective gamification strategies, and exploring other interactive training methods, organisations can foster a cyber security-aware culture that is vigilant, proactive, and well-prepared for the challenges of the digital world.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your critical infrastructure organisation or if you would like a demo of our games ... please contact our Head of Business Development and Sales,  Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.