Studies reveal that effective cyber security awareness programs provide the highest return on security investments. But let’s face it, most security awareness programs still suck. To many, they are as boring as filing tax returns. Worse still, non-compliance is often met with severe consequences, including dismissal.
To many, cyber security training is a dull business that reminds them of some security expert repeating the same messages year after year: use alphanumeric passwords, do not write them on small pieces of paper, and lock your screen before dashing to the bathroom. Their jaws clench at the mere mention of the phrase.
Even worse are mandatory cyber security training modules inundated with negative messages, with warnings of severe consequences for non-compliance. Consequently, the messages never stick, and employees often fall for disappointingly unsophisticated phishing scams or copy volumes of sensitive information to unencrypted USBs soon after scoring 100 percent in a mandatory training module. This ought not to be the case.
Cyber security awareness, if implemented correctly, is a high-impact control. To reverse these long-held stereotypes, forward-leaning enterprises are embracing a business trend called ‘gamification’ — leveraging concepts from the gaming world and applying them to business situations.
Gamification seeks to create similar experiences to those experienced when playing games while affecting user behaviour. And it has some pretty compelling results. According to Gabe Zichermann, author of Gamification by Design, the gamification of training increases employee retention by 40%.
Gamification works by using reinforcements and emotions to tap into motivational drivers of human behaviour. It relies on the repetition of desired outcomes. The use of game elements — such as competition-oriented points and external rewards like online badges — motivates employees to embrace cyber security values proactively and repeat learned behaviours in everyday tasks. Employees can openly celebrate their accomplishments by displaying their badges on their desks or on their intranet profiles.
Gamification is effective because it transforms mundane cyber security tasks into enjoyable, appealing and sticky activities, reinforcing learning and understanding while also enhancing motivation.
Gamification is also a powerful mechanism to boost productivity. A study in 2019 found that 83% of respondents who received gamified training felt more motivated. A separate study found that 89% of employees cited gamification increased their happiness and productivity.
Employees who are publicly recognised for high performance are naturally inclined to repeat the same behaviours or aim higher. At the same time, it motivates peers to emulate strong performers, building a culture of high performance.
On the other hand, by deducting points from teams or individuals that consistently violate established procedures, such as emailing unencrypted sensitive information to external parties, gamification reveals employee segments that require additional training or targeted messages. The process of gamification allows participants to make decisions and consider complex processes and concepts in a safe environment.
A recent case study on the effectiveness of gamifying cyber security reported that 4.2 out of 5 participants found the process educational and engaging. Chief Information Security Officer Peter Bouhlas suggests gamification is successful because “It broke up the routine, it raised awareness, it got people engaged, there was good discussion amongst themselves and with us.”
Perhaps the greatest desired outcome of gamification is to achieve intrinsic motivation. Intrinsic motivation is defined as taking an interest in the task and feeling enjoyment while engaging, regardless of rewards. It is deemed superior to extrinsic motivation. Edward L. Deci and Richard M. Ryan state that intrinsic motivation increases the likelihood of repeated behaviour, thus entrenching learning.
Intrinsic motivation for a task is reportedly developed when the Basic Psychological Needs of competence, autonomy and relatedness are satisfied. Competence is satisfied when an individual feels capable, autonomy when personal freedom is experienced, and relatedness when an individual feels connected to others. Gamification that fulfils these Basic Psychological Needs is more likely to produce repeated behaviour.
Gamifying cyber security can be used in several ways. Here are just a few examples:
» Software developers accumulate points by baking cyber security into new programs and consistently delivering bug-free code. Conversely, points are deducted from programmers who ship code with critical security vulnerabilities. Gamifying secure coding motivates programmers to learn and embrace the principles of secure coding of their own accord, rather than treat them as a necessary evil. Knowing what’s at stake also encourages project teams to proactively engage security testers and to factor security requirements into the project early, including at the budgeting stage. It eliminates the cost of retrofitting security into live applications, as baking security controls into new digital platforms is significantly cheaper than adding them after go-live.
» A system administration team that reliably deploys critical patches within required timeframes is awarded points or earns badges. Points can be redeemed quarterly or half-yearly in the form of bowling or golf tickets or other modest rewards. In contrast, teams that short-circuit change management processes and compromise business stability through poorly tested patches have a significant portion of their points deducted. Gamifying core system administration activities has two advantages: it motivates teams to actively maintain a hygienic security environment, and it fosters discipline by discouraging teams from prioritising security at the expense of stability, or vice versa. These two risks should be managed simultaneously.
» Customer-facing teams are awarded points for actively embracing the tenets of the enterprise’s data classification and handling policy. For example, teams that encrypt sensitive data prior to sharing it with external parties are awarded points. On the other hand, those that email sensitive data in clear text, as reported by a data loss prevention tool, have points deducted.
Despite its proven record of success across several business settings, gamifying cyber security requires many factors to succeed, in particular, fairness, simplicity and open feedback loops. Gamification fails when it neglects to provide engagement and meaning. Gamification is also not a cure-all and won’t fix entrenched negative cultures and practices. Therefore, it’s important to remember that gamification of cyber security training alone won’t develop a cyber-resilient culture. However, when implemented effectively in a positive environment, gamification can help strengthen your organisation’s cyber resilience.
While extrinsic motivation may be the initial hook in gamified learning, the goal is to encourage intrinsic motivation. To achieve this, security games must be transparent and be supported by senior management. They must also maintain credibility. Awarding security badges for sub-optimal performance undermines the credibility of the entire process and demotivates high performers. On the other hand, if the process honestly rewards positive behaviours and senior management actively participates in the recognition process, everyone will be motivated to emulate high achievers.
Security games must be simple and resemble real business settings. Success should be based on clear and attainable goals. For instance, measuring progress against critical and high-rated vulnerabilities enables developers and administrators to focus on issues that matter to the enterprise and its customers while minimising the risk of oversaturation.
Games must be developed in collaboration with security teams and not be superimposed on them. Open feedback loops allow game developers to elicit feedback from security teams and constantly refine the games to resemble operations on the ground. That way, game creators can gain support from game users and ensure that key pain points are understood. In short, security games should seamlessly aid individuals in, rather than distract them from, their core security responsibilities.
Finally, cyber security games must carefully consider the user experience. Take time to understand and define user outcomes and what you wish to achieve. And most importantly, make sure your game is actually fun! Consider testing on a small group and listening to their feedback before rolling out organisation-wide. A game that isn’t fun is doomed to fail.
APPENDIX
- What do we want to achieve and why?
- What outcomes are expected, and how do outcomes relate to business processes?
- Do we have the support from senior management?
- Is there open feedback between developers and security teams?
- How does the gamified learning sit within the targeted team’s workflow?
- How is task competence measured?
- What defines completion, and how is this information collected?
- Does it strike the balance between being challenging and attainable?
- Is it enjoyable?
- Is it scalable?