Gamification: A winning strategy for cybersecurity training

Block a hacker and win a gift certificate for a nice dinner out on the town? Absolutely! That’s just one example of how companies are bolstering their electronic defenses by using gamification to engage employees around cybersecurity training.

Studies show that 90% of data breaches are caused by human error, such as an employee opening an email or downloading a document that looks pretty legit but actually contains malware. As a result, end-user employee training has come under sharp focus as companies work to combat the ongoing epidemic of cybercrime, with the estimated annual cost of losses and damage projected to hit $6 trillion ( as per Cybersecurity Ventures) by 2021.

Now, some of the same strategies that many companies use to boost customer engagement — awards, points and loyalty programs — are being deployed to help keep company systems and information assets safe from malicious actors.

Ready, set … Gamification!

In practice, gamification strategies for enterprise organizations can range from employee-focused, such as offering incentives like points, movie tickets or even cash for excelling at training and demonstrating cyber safety in the workplace, to the C-suite, where executives can now participate in “wargaming” simulations designed to prepare them for the most effective incident response in the event of an actual cyberattack.

While it is accurate to view human workers as a potential gap in a company’s defenses, it is equally important to view them as vital players in the overall cybersecurity profile.

As Nick Wilding, head of cyber resilience at AXELOS, told SC Magazine, “(Employers) often underestimate the role that their own employees – from the boardroom to the front line – can play: Staff should be their most effective security control but are typically one of their greatest vulnerabilities.”

What is Cybersecurity Gamification?

Gamification is essentially the use of game mechanics and game thinking to engage users in solving problems and to motivate them by introducing elements of competition and reward.

Now that so many companies use gamification to assist with onboarding and customer engagement, more organizations are also realizing the benefits that gamification offers for company-wide cybersecurity training.

According to a study by Pulse Learning, 79% of participants (both corporate learners and university students) said they would be “more productive and motivated if their learning environment was more like a game.” The same study noted that the benefits of gamification include improved motivation, increased engagement, better performance feedback and enhanced productivity.

“Gamification has a tremendous opportunity to revolutionize the speed, efficacy and relevancy of training in the quickly‐evolving landscape of the Cybersecurity sector,” wrote Circadence, a software development firm and recognized leader in the federal cybersecurity community.

How Companies Are Using Gamification for Cybersecurity Training

Price Waterhouse Cooper developed Game of Threats™ to help senior executives and boards of directors test and strengthen their cyber defense skills. “At its core, Game of Threats is a critical decision-making game that has been designed to reward good decisions by the players and to penalize teams for making poor decisions. Players walk away with a better understanding of the steps they need to take to better secure their companies,” explained PwC. The game has been so successful since its launch that the company is now considering developing additional games specifically for financial crime and crisis management.

“With a huge increase in targeted cybersecurity incidents, organisations need to have confidence that they have appropriate security in place that will enable them to defend and respond to attacks,” said Alex Petsopoulos, PwC’s Financial Services Cybersecurity lead in the UK.

The cybersecurity firm Digital Guardian developed its game, DG Data Defender, to help other companies engage every employee in data security. The game utilizes printable badges to reward good behavior and scoreboards that track data loss prevention leaders to create a positive spirit of competition among employees. Continued use of good security practices can earn employees prizes, such as e-store gift cards.

Gamification is also being used to recruit cyber talent in an extremely competitive job market. Cybersecurity Challenge, a UK-based organization, holds yearly competitions to test and recruit cybersecurity candidates. “We’ve seen that traditional recruitment methods, used in other industries, just don’t work in cybersecurity,” Stephanie Daman, CEO of Cybersecurity Challenge U.K., told TechCrunch. “However, there is a noticeable pattern between gamers and those that show significant skills in the industry.”

Strategy Tips for Successful Cybersecurity Gamification

For businesses looking to infuse gamification into their cybersecurity training, it can be helpful to understand what makes for the most successful game-based training.

Make It Fun

Games are supposed to be fun, but it can be easy to ignore this critical element when company leadership is intently focused on designing a thorough training strategy for such a high-stakes purpose as cybersecurity.

Use Rewards

Using rewards is one of the most important elements of a game-based approach, as rewards keep users engaged, motivated and incentivized.

Keep Training Short and to the Point

The most effective trainings are short. Ten-minute sessions every other day for 6 weeks can be far more effective than a single, three-hour session. Ongoing initiatives that require minimal time commitment are also effective.

Use Visual Aids 

Videos and images can help to get a point across fast, while keeping employees engaged.

Consider Using AI and Machine Learning

The world of cybersecurity is constantly evolving as hackers learn new and more sophisticated approaches. To keep up with cybercriminals, companies such as Circadence are infusing AI and machine learning into their game-based cyber training. The technology enables Circadence to continually update the gaming environment based on new problems and data.

Know Your Audience

To get optimal engagement, it’s essential to design a game that will resonate with the intended audience. Researching what employees like, what motivates them and what devices they use most frequently will provide a solid foundation from which to design an effective training program.

Ensure That Training is Ongoing

Training should be continuous and not limited to a one-time event. Keeping track of an employee’s progression through a game, with rewards at certain milestones, can help to keep employees engaged over the long term.

Not only are businesses using game-based approaches with internal training, some are even using gamification to launch “bug bounty programs.” These programs — now used by organizations like Microsoft, Facebook, the Pentagon and countless others — reward ethical hackers and researchers who are able to find and report bugs in an organization’s system and earn tens of thousands of dollars in the process.

The importance of innovative learning techniques in cybersecurity is imperative as the nation struggles to fill thousands of open cybersecurity positions and employ effective defense strategies. Putting gamification in play is a great way for companies to motivate their employees to beat the bad guys and help keep their organizations safe from cybercrime.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.