Leveraging a spirit of competition to drive engagement and create a security culture
Gamification is a popular concept these days, and for good reason. With gamification, you can develop a game for learning more about a serious topic while also getting the learner to approach winning that game with the same fervor they would when playing for entertainment. So what happens when you integrate gamified learning into security awareness training?
Ultimately, you get a way to reduce the complexities of information security and effectively help cyber security professionals promote learning and new skills by coupling game mechanics with a user’s natural human need for competition, achievement or status.
For cyber security awareness training, gamification can create a playful yet highly engaging way to deal with the critical organizational need to promote and create a security culture.
The concept combines play with the educational objective of making training about security and compliance more appealing. Play provides a type of experiential learning that fits especially well with the learning profile of the current generation of workers. Gamified elements stimulate learning by making the user more receptive to, concentrated on, and engaged in the activity.
Much more than simply a means of transmitting information, gamification first raises awareness, so that learners are able to understand the issues and to change their perceptions and habits. The concept also helps develop knowledge and practices through interactivity and simulation. The learner’s experience is captivating and the interactivity holds their interest throughout the training. These factors engage users, thus increasing the effectiveness of the training.

Here are five benefits of adding gamification to your security awareness training program.
1. Low risk
Cyber security threats put users and organizations in high-risk situations. One bad decision could bring a company down for hours, days or even weeks, resulting in loss of revenue and operations.
One click of a bad link in a phishing attack can do just that.
But when you gamify your cyber security training and learning, you can engage users in a low-risk way.
Let’s take the phishing example. Gamified learning can let users feel the reality of something in a low-risk environment.
An example of that is any activity that requires a user to make a decision, like a phishing awareness module. If an organization is looking to train its users on the threats of phishing, they could present scenarios in the training that require users to look at an email and the way it’s presented to them and identify whether it’s a phishing attempt or an authentic email. If they identify it correctly, they get points.
2. Human need to win drives behavior change
Gamification plays on the need for humans to win or achieve something. When training includes rewards such as points, badges, a leaderboard or the ability to trade any of those in for a prize, it helps drive behavior change.
But this human need is also rooted in science. Winning creates dopamine – the feel-good hormone – in our brains. It makes us want to reach the next level, to get placed on the top of a leaderboard, to do whatever we have to in order to keep that feeling going.

As users are playing a game – or rather, completing their cyber security training presented as a game – they are focused on making the right decision to win. All the while, the lessons they have to apply to make those right decisions are sinking in.
When users leave the low-risk gaming environment and enter the high-risk real world where they are forced to make decisions that have larger consequences, the lessons they learned in the game have likely stuck with them.

3. Rules: there are rules to all games and rules for implementing gamified security awareness training
Rules keep us in check. They keep us in line. They help guide our decision making.
The same is true for gamified security awareness training. Establishing the right set of rules before implementing gamification into an organization’s security awareness program helps further extend the program’s long-term benefits.
What are the rules? Set goals, create value, keep it simple, communicate the program clearly and always be willing to modify and adjust.
Organizations should set goals for what they want to achieve with a gamified security awareness training program. Gamification shouldn’t be implemented simply because it’s a trend or because it sounds good. Doing that won’t attract the user buy-in that you need. There has to be a purpose for it.
Gamification programs should have value. Users will feel special and will want to succeed in their cyber security training because they “win” something.
Gamification features should be incorporated into the courses in a way that is transparent. That is, the game of training should be effective without being noticed. It should be delivered subtly in the background of the training and not get in the way of learning.
Keep it simple. You can’t create a training that has so many rules for how to win, or a reward system that users have to calculate. Users shouldn’t have to focus more on the rules and the setup than on the information they should be absorbing.
Communicate clearly. Communication around the gamified security awareness training programs should be in place before rolling out any new training. Be prepared to communicate clearly how the training works, what the rewards can be, what users can gain from it and why it’s important.
Stay flexible and make it customizable. More on that next…
4. Training that can be flexible and customized
What works for one company may not work for another. Organizations tend to have their own unique cultures and the training programs rolled out to their team members should reflect that.
The ways gamification of cyber security training can be customized include the ability to:
- Turn the game features on and off
- Choose what the point scales will be for selecting the right answer or making the wrong choice
- Decide whether users can go back and retake a training course to earn extra points or get a better score.
Depending on the culture of a company, information security leaders should be able to determine how they want to motivate users in a way that makes the most sense for their organization.
In security awareness, the human factor is generally the weakest link.
5. Interactivity holds attention and drives engagement in security
Many security problems or incidents are the result of inattention or a lack of awareness. Security awareness training can help turn this situation around, helping employees develop appropriate knowledge and expertise to become strong links.
But in an age where training is commonplace and users have to balance the time needed to complete required training – whether for cyber security or some other job need – how do you ensure they pay attention? How do you ensure they don’t just mindlessly click “next” on a series of slides?
You make the training interactive.
Interactivity is at the core of the most effective gamified training programs. This type of training requires the user to interact with the page or activity before advancing to another level or section.
For example, a training module could have a situation where there are safe security procedures that have to be matched to their correct definition, or a scenario where the user has to place the steps for how to respond to a security breach in the right sequence.
People learn by doing. They want to do something, try something, test something. They want to win and see their results. Gamified security awareness training allows them to do just that.
  
Gloria Cormier, Product Director, Terranova Security
Responsible for managing the development of the security awareness training library to train the world's cyber heroes

Integrating gamified learning into your security awareness program is a good way to offer high-quality content, the first of five elements for phishing simulation and security awareness training success.