While some people assert that there is a single definition (in their mind) of what gamification is, I’ve actually learned that there are several definitions for it. So, for the purposes of awareness, and specifically cyber security awareness, I like to keep it simple.
Gamification for awareness simply means “designing a process to have psychological drivers that create a motivation for people to behave in a desired way”. Sounds pretty simple, right. But that may be a little vague…
I find that it’s useful to think of two kinds of gamification for awareness that use psychological drivers to align behavior…
Business Process Gamification
The first is Business process gamification; and the second is what I call gamified learning. Neither of them is “just playing games”, for fun, as some people may think. Both really have serious purposes.
Business process gamification usually injects some incentives to drive daily work habits for employees, that cause people to work toward one or more objectives or outcomes in their real work tasks or other employment activities (which may not be directly related to their job descriptions).
Outcomes and Rewards
These outcomes could be things like “reducing the number of malware incidents”, or “reporting as many phishing messages to the service desk as possible”. And there are almost always some extrinsic rewards – or recognition for identifiable achievements – which provide the incentives.
Employees may be able to get some public status or recognition for doing better than anyone else. That’s still an extrinsic reward, even if there is no money involved. And in some cases, performance reviews and even bonuses can be tied to those objectives. That’s a great extrinsic reward, but it’s not always easy to give away bonuses or prizes in these days of corporate responsibility and oversight.
There are also other kinds of motivators called “intrinsic rewards”, which are harder to positively identify. These are things like “enjoying the experience” or “feeling a sense of social connection” as a result of an activity. So, intrinsic rewards are excellent tools for influencing employee behavior, because they don’t involve handing out bonuses that may look like extravagances.
Business process gamification is most useful in connecting real outcomes to employee behavior. But it can sometimes be difficult just to find and implement the right metrics or even appropriate incentives or rewards.
And what happens if the employees come up short, but don’t know how to improve? With cyber threats it’s not always obvious to an employee what they could really have done to achieve a better outcome. Where were they supposed to get those skills in the first place?
This is where gamified learning comes in, right at the beginning. In a gamified learning environment, like Click Armor, there are also extrinsic and intrinsic rewards.
What’s great about this kind of environment is that it becomes much easier (and less expensive) to drive behavior with intrinsic rewards, like small challenges to your creativity, or a boost of points or achievements for a few minutes of participation.
It turns out that if you can build in many small rewards within lessons and exercises, it’s possible to motivate employees to move from “understanding” to “knowledge of how to apply concepts” to “proficiency in responding to situations”, all within that one environment.
Why Gamified Business Processes Really Need Gamified Learning First!
So, while gamified business processes can be very good for nudging employees toward good behavior, it’s still essential to have an effective training process that builds proficiency. Otherwise, it will be much less efficient, or even impossible, for people to figure out how to get the desired outcomes in the business processes.
They may try a few times, and flounder, and then give up, either because they don’t know the basic concept or skills, or they may understand them, but haven’t been able to practice them.
So, it makes the most sense to make sure your employees are learning and building proficiency for defending against cyber threats, in a motivating environment. This will help them get more efficiently to a point where it makes sense to gamify the business processes. But both approaches require planning and a good framework.
Getting Some Quick Wins
I happen to believe that with a platform designed for gamified learning, you can get off to a great start, without having to put too much effort into planning. That will come later as you refine and optimize your program. But you can get some quick successes to get buy-in from management, which is critical.
If you are ready to start using gamified learning now, you should try Click Armor’s Active Awareness platform.
You can request a free trial at: clickarmor.ca