6 myths about using gamification for security awareness training

I have heard many reasons why people are hesitant to use gamification as the basis for their security awareness training programs. But in reality, most of the time, there is a clear argument that favors using gamified learning and assessment. But as with any methodology that has clear benefits, you can find situations where there may not be a good fit. So let’s explore some of the issues with gamification that you might be concerned about.

1 – Gamification is just a fad. This may have been true in the past. In fact, I recall seeing a number of Gartner “hype cycle” diagrams that spanned a few years. In one year’s diagram, gamification was in the first rising part of the curve, on its way up. A year or two later, it didn’t even get mentioned on the curve. But analysts’ views can be overly generalized, or even miss the mark. Nowadays, especially for security awareness, I rarely meet an IT Security manager who doesn’t think that gamification will be needed at some point, to drive the necessary engagement for their security awareness program to be successful. There are numerous proven benefits and logical reasons why it is becoming obvious that gamification is not just a fad for security awareness training. Think of the many ways in which phishing, social engineering, passwords, acceptable use policies, etc. could be gamified to engage employees and improve their ability to practice and defend your organization.

2 – Gamification is just “points, badges and leaderboards” (PBL) to drive participation, and is not really impacting knowledge retention. This is certainly a possibility, especially with security awareness training programs that are based on static model of presenting text and/or videos, and then checking that people were awake by giving them a quiz. Giving people points for their score on a quiz, or a badge for completing a series of modules can motivate some people to participate. Where the more fundamental knowledge retention can really occur is at the lowest level of activities in a security awareness training course. Having immersive, dynamic elements can really trigger more engagement, so individuals can use their creativity and critical thinking skills. Simulation of real risk scenarios like phishing emails or social engineering scams that could provide less predictable responses to employee actions can also make exercises and assessments much more relevant and the scores more meaningful than with static CBT videos and quizzes. So gamification is really about a lot more than Points, Badges and Leaderboards, if it is done right; and security awareness training is where these deeper gamification concepts are needed most.

These are all platforms that can allow you to create gamified learning courses without a need for customization. The benefit that Click Armor has over these platforms for security awareness training is that it is specifically designed to present defensive learning and assessment content that can help people distinguish between the types of phishing messages that are opportunistic and those that are targeted at them, like spear-phishing attacks. This means that you can start immediately with off-the-shelf gamified security awareness content, which can also be modified to meet your specific needs for learning, exercises, simulations and assessments that are all geared to deliver security, risk management, privacy and compliance courses.

4 – Our people aren’t competitive, so gamification won’t work very well. It is very true that not everyone is a gamer. You can’t expect everyone to want to play a game. In fact, I once had an employee of a Click Armor client tell me point blank, “I’m not into games, so don’t be surprised if you don’t see the results you want from me.”  Would you believe that this person now ranks in the top 25% in a field of over 80 employees in the organization, and completed the entire program? We never heard a complaint from anyone in the organization that they found the cyber security awareness program too competitive.

5 – Our people are too serious to spend time playing games. In organizations where there is a very professional culture, and every hour must be accounted for, you might expect that there is no place for gamification. But even here, you might be surprised. Gamified security awareness training for employees doesn’t mean they are playing games for an hour every day. The same HR manager that warned me their staff “might be too serious to spend much time playing games” told me one month later that she was very impressed by how engaged the entire team was in their first phishing awareness course. People were openly discussing their experiences with each other about how difficult some parts were, and how they did. And nobody thought it was a waste of time.

6 – Gamification is an expensive luxury we don’t need. Some organizations that are driven entirely by compliance requirements may feel that security awareness training is a commodity, where you just need to find the cheapest solution that has the right content coverage, and can show some due diligence. For these situations, it may be harder to justify gamification. There is a real opportunity to obtain very high value from an integrated, robust, gamified learning program for your security awareness training. And to be fair, a platform solution that provides such a high level of assurance for providing evidence of behavior change may be out of your budget. But there are much more modest options available, from FREE gamified assessments for large groups of employees, through single courses offered on a monthly basis, and even incremental additions of tailored content, at a very modest cost. In the end, for most programs that have a real need to reduce risk and improve security culture, the cost of gamifying your security awareness training can be surprisingly economical.

What are your concerns about gamification of security awareness training?

I would be very interested in hearing your stories or challenges with using gamification. The trend toward fun security awareness training is growing, and at some point, it is likely that you will be considering trying out some form of gamification. I’d like to have a chance to discuss your objectives and constraints, to make sure you have the right scope in mind to get the best value from any initiative you might want to pursue.

If you think that using any kind of gamification might be of value in your cyber security awareness training program, please contact us or request a trial, to see for yourself how easily Click Armor’s off-the-shelf courses can be deployed, and to see the deep analytics that can be generated about your team’s proficiency and vulnerabilities.