12 Ways to Improve Cybersecurity Awareness Training Through Gamification
With threats escalating and employee vulnerabilities still the key target of attackers, it’s time for a new approach to delivering security awareness training.
As organizations come to realize that automation and outsourcing of routine tasks have left their employees responsible for more important decisions, they will begin to recognize the important distinction between “task-based skills” and “general risk management skills”. “Task-based skills” are those for which employees feel they were hired, while “general risk management skills” are often considered to be vague and incomprehensible.
For over a decade, some “security professionals” have said that it is a waste of time to try to teach every employee about risk management, because “they shouldn’t have to worry about whether or not a link is safe. The technology should make that level of decision-making unnecessary.” This is a viewpoint that tends to minimize how hard it is to keep security technology ahead of attackers. It also ignores the right-brained functions wired into every human being.
Traditional security awareness training is based on the assumption that people will follow a rational (left-brained) process of making the conscious effort to connect the logical series of thoughts to acquire the knowledge they need, in order to defend against cyberattacks. In reality, individuals need to experience more than just a series of logical statements to fully absorb the intended learning content. They need engagement in the form of “unexpectedness”, “challenges to their creativity” and “social reflection” in order to remain engaged through the process of learning defensive techniques. This is where gamification plays a critical role – more on that below.
Traditional Approach: Compliance vs. Risk Management
Today’s traditional cybersecurity awareness training programs are primarily built to address the need for compliance rather than risk management. The organization needs to fill the checkboxes that show employees have been given training on a number of important areas. But compliance standards rarely specify how training should be delivered and what kind of evidence is needed to show that training was delivered effectively.
Many organizations are so concerned about the amount of time employees spend in awareness training that employees are limited to extremely small time allocations for compliance training – often only 60 to 90 minutes per year. This amounts to less than two minutes per week! This limit is likely due to the expectation that the training will not have a measurable positive impact on the organization. Logically, the thinking by these managers seems to be: “Why waste any more time than necessary on activities that bring no value? They are simply a cost of doing business and should be minimized.”
The conventional hope among managers is that compliance-focused training provides enough evidence of due diligence that the organization won’t be found totally negligent in the event of a security breach. But in 2019, according to Mark Adams, Executive Director of the Office of the CISO at the global security integrator Optiv, the truth is that, “Attackers are not significantly deterred by security compliance certifications when choosing their targets. Furthermore, where information security risks are dependent on employees’ on-the-job decisions, the use of only a compliance-focused training program is becoming a less legally defensible strategy since it does not help with learning or practicing risk decisions.”
So, today, threats are increasing rapidly while training time is reduced. The solution to this paradox lies in the underlying delivery platform and mechanisms for training content. Employees and managers first need to have an expectation that training will be effective before they will invest their time, money and attention into it.
Research has shown that for training to be effective, there are some fundamental elements that need to be in place. However, for security awareness training solutions, these elements have been slowly eroded over the years, in favor of a simplified, compliance-focused approach.
It’s time to make the case for effective security awareness training that is based on “general risk-based skills” of employees. This approach requires that employees be motivated to learn the skills that will protect their organization, and their jobs.
A delivery methodology that uses the full range of proven gamification techniques is necessary to align employees’ interests with those of the organization. A gamification platform designed for risk management skill development creates better engagement, knowledge retention and immediate feedback for employees, while also providing a safe environment for practicing risk decisions, and providing analytics to management about proficiency and vulnerability.
Click Armor’s “12 Principles of Motivated Learning for Gamification for Security Awareness Training”
To provide a practical basis for efficient and effective awareness training, Click Armor has identified a set of guiding principles that are the basis for “Motivated Learning”. These principles were derived from work published by Kraiger and Mattingly in 2017, as well as from Yukai Chou’s Octalysis Framework for gamification. These underlying models were identified as a result of a broader survey of research initiatives sponsored by Click Armor which studied how gamification affects motivation and knowledge retention in training programs.
This set of training guidelines has been developed by Click Armor to address the fact that employees need to be motivated to learn “general risk-based skills” such as cybersecurity awareness. Traditional security awareness training may attempt to use some of these elements to make training content more consumable. But without using a gamified learning methodology, successful learning of defensive skills is more difficult to achieve.
1 – Make learning content engaging through a different conceptual user experience
If employees are not engaged, their ability to comprehend the training content is impaired. They must be immersed and active in the learning experience. So, the content must be organized and presented in a way that gets their attention and requires them to shift their thinking into a more active learning mode.
Engagement can be achieved by applying a completely different user experience than any other task they perform on a daily basis, right from the beginning of a learning session, as well as with interesting storylines within the content, to keep the level of conceptual engagement high. This approach reflects one of the inherent advantages of gamification.
2 – Add another dimension of engagement by using enhanced visuals
Using only static, text-based (or clip-art based) training content and delivery methods can quickly cause employees to tune out. Without visual engagement, their attention can easily be drawn to other tasks.
Beyond the conceptual flow of the user experience, the basic impact of a visually appealing user interface or training setting is key to maintaining engagement. The use of different colors and visual user interface elements will also provide engagement.
Within exercises, the content should be incorporated into an appropriate visual context such as the simulated use of a software program like email, or an office setting where devices are in use. Strong visual context design is another element that can be effectively added with gamification.
3 – Make the learning context meaningful through facts and consequences
If employees don’t feel the training content will be relevant to them, they will only engage at the bare minimum level to complete the program. As a consequence, anything remembered will likely only reside in short term memory and will be forgotten within days.
Making training meaningful isn’t accomplished simply by presenting employees with a case study. It requires that they first understand the potential impacts of their future decisions. “Why should I learn this content?” So, employees should initially be provided with some unexpected facts and realistic examples that illustrate the connection between poor decisions and undesirable outcomes, and vice versa. Strongly tying together decisions and outcomes is fundamental to motivated learning through gamification.
4 – Provide meaningful examples of characters, situations and information
Examples that don’t reflect the employee’s normal types of interactions are harder for employees to relate to and can be forgotten more easily.
Wherever possible, examples should use characters, situations and the types of information employees encounter on a daily basis, to immerse them into scenarios and increase their ability to recognize risky situations. Gamification provides the opportunity to integrate all of these elements.
5 – Replicate the work environment in games and exercises
The content delivered should be shown in a context that connects with the employee’s work environment. Otherwise the employee won’t be as likely to make the connection when they encounter the situation in the future.
This means providing as many specific, recognizable names of people, groups, locations, tools, processes, etc., as possible. This will increase the employees’ ability to recognize future risks in the context of their daily work experiences.
To replicate the work environment doesn’t necessarily mean that every aspect of an exercise must match the employee’s job. However, using immersive simulations of interactions will allow employees to more easily recognize the situations where threats are likely to appear. This approach is not practical in traditional video-based learning and quizzes, but it can be implemented through a gamified platform like Click Armor.
6 – Personalize content for increased relevance and engagement
When the training content is referring to “staff” or to “random, instantaneously created characters” that employees aren’t familiar with, they may miss the relevance to their own job situation.
Inserting the employee into a character role within an exercise scenario provides an immediate, immersive perspective that triggers more direct engagement, and results in enhanced knowledge retention. This is another commonly used capability of gamification platforms like Click Armor.
7 – Reduce cognitive load during learning
When an individual feels pressured by multiple inputs, they are less likely to learn basic concepts. So it is important not to provide too many inputs when employees are expected to develop new conceptual skills.
Employees require dedicated time to focus on learning fundamental concepts such as how to look for specific clues about risks. They need to know that they are not being tested, or under stress, in order to absorb and learn the basics, or else they will become preoccupied with worrying about meeting those other objectives, rather than focusing on the fundamental concept. Gamification can support this approach through learning challenges, and through visually focusing on a limited set of interactive elements within the user experience.
8 – Provide the opportunity to practice each new skill
Learning basic concepts without practicing them is less likely to result in the employee being able to use their knowledge in a practical risk situation. Nobody remembers every piece of information the first time they are exposed to it.
Having a single quiz at the end of a learning module provides only one opportunity to practice recalling the fundamentals that have been learned. The marketing “Rule of 7” suggests that most people only retain new messages after hearing them about seven times.
It’s not practical to put employees through a quiz seven times. However, by creating a virtual, gamified environment where they can easily practice recalling what they have learned, in an environment that provides incentives to iterate, they will improve knowledge retention significantly. This is one of the key areas where traditional security awareness training usually lacks incentives for people to practice what they have learned, and gamification provides those incentives.
9 – Make training content challenging in a way that triggers creative thinking and teachable moments
Employees may be able to quickly consume training content on the fundamental concepts they need to understand, and quizzing them immediately afterward can show that they have indeed understood the concepts. However, this is much different than being able to recall those concepts and to apply them logically and appropriately during real risk situations.
Instead, challenging situations that require more critical and creative thinking are actually more memorable to employees. There is a fine line between motivating employees with challenges and making exercises so difficult that they become discouraged. But if there is engagement and relevance, then a challenge that exercises logic more than memorized facts will drive better defensive behavior in the face of threats in real-life situations.
A key part of gamification for motivated learning is to move away from “memorization” of facts by rote, and focus more on retention of decision-making skills, and when to trigger them. The focus of gamified scenarios then, is to provide realistic risk situations that emulate real-world threats.
10 – Provide feedback during learning challenges and exercises
When employees are given challenges, exercises or assessments in a training environment, it makes sense to provide feedback. But having the appropriate degree of feedback is important.
Employees need to be given enough information to understand why their choice was correct or incorrect. However, for awareness purposes, they do not necessarily need to understand everything from first principles. This can lead to disengagement and less effective knowledge retention. Gamification should be used to create feedback in various forms that are meaningful and helpful in making future decisions.
11 – Use practice variability and unexpectedness
When providing exercises for practice, making content too predictable can lead to employees scoring well, but there is less creativity required and less real practice at making decisions in unique situations. So, decision-making skills aren’t really exercised fully.
Providing randomized practice scenarios of equal difficulty will not only trigger more learning, but when employees know that the exercises will be potentially different each time, there is more of an opportunity to motivate them to do repeated attempts, especially if unexpected intrinsic or extrinsic “rewards” can be harvested, which will drive further proficiency.
12 – Test employees’ knowledge of content in aggregate, and to a high standard
Typical security awareness programs only test employee knowledge using a “fixed” set of quiz questions immediately after the learning lesson. This is not a test of their ability to make a decision in the context of several simultaneous inputs and is not a very high standard for proficiency. Simple quizzes do not provide a good indication of how well an employee may perform in a related, real-life risk situation where there are often several unexpected inputs to be considered at one time. In many cases, employees will keep trying the quiz questions with guesses until they get them right, if necessary.
Testing an employee’s ability to recognize risks that may appear in a situation that has multiple different inputs is important. Wherever possible, aggregate tests or assessments should be made using several different situations and should require that most or all of them are handled correctly, in order to provide assurance that the employee was not just guessing. Gamified exercises can be set up to adjust inputs in various ways and provide a built-in way to obtain consistent analytics about the proficiency or vulnerability of each employee in a meaningful comparison.
Employee cyber risk decisions are becoming an increasingly critical factor in reducing impacts to organizations from unexpected security incidents. So, there should no longer be an expectation that awareness training is simply a “cost of doing business” that must be minimized. Employee-related security risks now form one of the most important enterprise risk areas to be managed.
Every business is subjected to phishing attacks that try to exploit a lack of awareness among employees. This means that compliance-focused security awareness training is no longer sufficient. Rather, proficiency in “general risk-based skills” should be the new goal, since security technologies have yet to evolve at a fast enough pace to significantly thwart the growth of successful cyberattacks.
Gamification represents a breakthrough in delivering engaged, motivated learning, with endless opportunities to improve proficiency among employees. Each of the 12 Motivated Learning principles discussed above can be implemented in various ways using gamification to reduce employee vulnerability to cyber risks. In fact, the Click Armor Cybersecurity Awareness Platform has been designed to support each of these principles with off-the-shelf awareness training programs, as well as the ability to create and evolve new gamified awareness programs in virtually any risk area.
Kraiger, K. and Mattingly, V. (2017). Cognitive and Neural Foundations of Learning. In K. Brown (Ed.), The Cambridge Handbook of Workplace Training and Employee Development (Cambridge Handbooks in Psychology, pp. 11-37). Cambridge: Cambridge University Press. doi:10.1017/9781316091067.004
Chou, Y. (2019). Octalysis – the complete Gamification framework. Retrieved from https://yukaichou.com/gamification-examples/octalysis-complete-gamification-framework/
Mann, A. (2020). Motivated Learning Through Gamification. Click Armor.