With threats escalating and employee vulnerabilities still the key target of attackers, it’s time for a new approach to delivering security awareness training.
by Scott Wright
Introduction
As organizations come to realize that automation and outsourcing of routine tasks have left their employees responsible for more important decisions, they will begin to recognize the important distinction between “task-based skills” and “general risk management skills”. “Task-based skills” are those for which employees feel they were hired, while “general risk management skills” are often considered to be vague and incomprehensible. These general risks are the reason organizations choose, or are sometimes forced (depending on regulations), to require “awareness training” for their staff.
For over a decade, some “security professionals” have said that it is a waste of time to try to teach every employee about risk management. This is often because they feel that “employees shouldn’t have to worry about whether or not a link is safe. The technology should make that level of decision-making unnecessary.”
This is a viewpoint that tends to minimize how hard it is to keep security technology ahead of attackers. It also ignores the increasing need for employees to make more important business decisions, as automation and outsourcing of their “once easy” tasks increase.
While you may be familiar with “live phishing assessments” or “mock phishing campaigns”, a gamified phishing assessment is a very different way to measure human vulnerability to phishing risks, without many of the disadvantages of sending live simulated phishing messages.
A gamified phishing assessment allows team members to test their skill at spotting suspicious or safe messages in a quick and fun way.
They are presented with a series of simulated messages to sort as safe or suspicious. They can be shown immediate feedback, or it can be done as a “blind” assessment that presents their results at the end of the series of messages.
Live phishing simulations are easy to deploy, but they are actually more difficult to administer in a way that provides actionable information about a team’s vulnerability to phishing.
- Employees are starting to rebel against being targeted with live phishing simulations, causing harm to the corporate culture. Gamified phishing assessments are a fun and positive way for employees to learn about their proficiency and areas for improvement.
- It is hard to get a proper trend analysis with an “apples to apples” comparison, especially when different message topics are used in each campaign. Gamified phishing assessments provide much more meaningful data.
- The “click through rate” is often treated as a sacred metric by management, when there are actually many variables that make this number unreliable. Gamified phishing assessments provide multiple perspectives on proficiency and vulnerability of a team.
A gamified phishing assessment is based on a consistent set of simulated phishing messages, where each one can exercise employees’ analytical skills, to provide a richer set of data about whether employees are actually careless, overly cautious or know exactly what to do to avoid phishing messages.
We have several options for you to try:
- Try our free “Can I Be Phished?” self-assessment (START NOW)
- Try our free, gamified phishing assessment for your team (START NOW)
- Try a 7-day single-user trial in our Community organization (START NOW)
- Try a 7-day full-trial in your own organization, with your own leaderboard (CONTACT US)
If you’re tired of security awareness training that doesn’t work and live phishing simulation campaigns that are more trouble than they are worth, we guarantee our gamified, immersive phishing awareness training will reduce your phishing vulnerability by at least 60%, or your money back…
Assuming that awareness training is required within organizations, and that most organizations now have some form of security awareness training already in place, it’s significant that over 90% of security breaches still involve employees being tricked by phishing or social engineering attacks.
Traditional security awareness training is based on the assumption that people will follow a rational (left-brained) process of making the conscious effort to connect the logical series of thoughts to acquire the knowledge they need, in order to defend against cyberattacks. In reality, individuals need to experience more than just a series of logical statements to fully absorb the intended learning content. They often need engagement in the form of “unexpectedness”, “challenges to their creative thought processes” and even “social reflection” in order to remain engaged through the process of learning defensive techniques. This is where gamification plays a critical role – more on that below.
How the traditional approach pits Compliance against Risk Management
Today’s traditional cybersecurity awareness training programs are primarily built to address the need for compliance rather than risk management. The organization needs to fill the checkboxes that show employees have been given training on a number of important areas. But compliance standards rarely specify how training should be delivered and what kind of evidence is needed to show that training was delivered effectively. IT compliance auditors may also have varied interpretation of some checkbox requirements, and may not dig deep enough to see if the requirements like training are actually being done effectively. A revealing Harvard Business Review article explains why compliance programs fail .
Many organizations are so concerned about the amount of time employees spend in awareness training, that employees are limited to extremely small time allocations for compliance training – often only 60 to 90 minutes per year. This amounts to less than two minutes per week! This limit is likely due to the expecation that the training will not have a measurable positive impact on the organization. Logically, the thinking by these managers seems to be: “Why waste any more time than necessary on activities that bring no value? They are simply a cost of doing business and should be minimized.”
The conventional hope among managers is that compliance-focused training provides enough evidence of due diligence that the organization won’t be found totally negligent in the event of a security breach. But in 2019, according to Mark Adams, Executive Director of the Office of the CISO at the global security integrator Optiv, the truth is that, “Attackers are not significantly deterred by security compliance certifications when choosing their targets. Furthermore, where information security risks are dependent on employees’ on-the-job decisions, the use of only a compliance-focused training program is becoming a less legally defensible strategy since it does not help with learning or practicing risk decisions.”
So, today, threats are increasing rapidly while training time is reduced. The solution to this paradox lies in the underlying delivery platform and mechanisms for training content. Employees and managers first need to have an expectation that training will be effective before they will invest their time, money and attention into it.
Research has shown that for training to be effective, there are some fundamental elements that need to be in place. However, for security awareness training solutions, these elements have been slowly eroded over the years, in favor of a simplified, compliance-focused approach.
It’s time to make the case for effective security awareness training that is based on “general risk-based skills” of employees. This approach requires that employees be motivated to learn the skills that will protect their organization, and their jobs.
A delivery methodology that uses the full range of proven gamification techniques is necessary to align employees’ interests with those of the organization. A gamification platform designed for risk management skill development creates better engagement, knowledge retention and immediate feedback for employees, while also providing a safe environment for practicing risk decisions, and providing analytics to management about proficiency and vulnerability.
Click Armor’s “12 Principles of Motivated Learning for
Gamification for Security Awareness Training”
To provide a practical basis for efficient and effective awareness training, Click Armor has identified a set of guiding principles that are the basis for “Motivated Learning”. These principles were derived from work published by Kraiger and Mattingly in 2017 , as well as from the Yukai Chou’s Octalysis Framework for gamification. These underlying models were identified as a result of a broader survey of research initiatives sponsored by Click Armor which studied how gamification affects motivation and knowledge retention in training programs.
This set of training guidelines has been developed by Click Armor to address the fact that employees need to be motivated to learn “general risk-based skills” such as cybersecurity awareness. Traditional security awareness training may attempt to use some of these elements to make training content more consumable. But without using a gamified learning methodology, successful learning of defensive skills is more difficult to achieve.
Try our gamified Gone Phishin’ course now!
1 – Make learning content engaging through a different conceptual user experience
If employees are not engaged, their ability to comprehend the training content is impaired. They must be immersed and active in the learning experience. So, the content must be organized and presented in a way that gets their attention and requires them to shift their thinking into a more active learning mode.
Engagement can be achieved by applying a completely different user experience than any other task they perform on a daily basis, right from the beginning of a learning session, as well as with interesting storylines within the content, to keep the level of conceptual engagement high. This approach reflects one of the inherent advantages of gamification.
2 – Add another dimension of engagement by using enhanced visuals
Using only static, text-based (or clip-art based) training content and delivery methods can quickly cause employees to tune out. Without visual engagement, their attention can easily be drawn to other tasks.
Beyond the conceptual flow of the user experience, the basic impact of a visually appealing user interface or training setting is key to maintaining engagement. The use of different colors and visual user interface elements will also provide engagement.
Within exercises, the content should be incorporated into an appropriate visual context such as the simulated use of a software program like email, or an office setting where devices are in use. Strong visual context design is another element that can be effectively added with gamification.
3 – Make the learning context meaningful through facts and consequences
If employees don’t feel the training content will be relevant to them, they will only engage at the bare minimum level to complete the program. As a consequence, anything remembered will likely only reside in short term memory and will be forgotten within days.
Making training meaningful isn’t accomplished simply by presenting employees with a case study. It requires that they first understand the potential impacts of their future decisions. “Why should I learn this content?” So, employees should initially be provided with some unexpected facts and realistic examples that illustrate the connection between poor decisions and undesirable outcomes, and vice versa. Strongly tying together decisions and outcomes is fundamental to motivated learning through gamification.
4 – Provide meaningful examples of characters, situations and information
Examples that don’t reflect the employee’s normal types of interactions are harder for employees to relate to and can be forgotten more easily.
Wherever possible, examples should use characters, situations and the types of information employees encounter on a daily basis, to immerse them into scenarios and increase their ability to recognize risky situations. Gamification provides the opportunity to integrate all of these elements.
5 – Replicate the work environment in games and exercises
The content delivered should be shown in a context that connects with the employee’s work environment. Otherwise the employee won’t be as likely to make the connection when they encounter the situation in the future.
This means providing as many specific, recognizable names of people, groups, locations, tools, processes, etc., as possible. This will increase the employees’ ability to recognize future risks in the context of their daily work experiences.
To replicate the work environment doesn’t necessarily mean that every aspect of an exercise must match the employee’s job. However, using immersive simulations of interactions will allow employees to more easily recognize the situations where threats are likely to appear. This approach is not practical in traditional video-based learning and quizzes, but it can be implemented through a gamified platform like Click Armor.
6 – Personalize content for increased relevance and engagement
When the training content is referring to “staff” or to “random, instantaneously created characters” that employees aren’t familiar with, they may miss the relevance to their own job situation.
Inserting the employee into a character role within an exercise scenario provides an immediate, immersive perspective that triggers more direct engagement, and results in enhanced knowledge retention. This is another commonly used capability of gamification platforms like Click Armor.
7 – Reduce cognitive load during learning
When an individual feels pressured by multiple inputs, they are less likely to learn basic concepts. So it is important not to provide too many inputs when employees are expected to develop new conceptual skills.
Employees require dedicated time to focus on learning fundamental concepts such as how to look for specific clues about risks. They need to know that they are not being tested, or under stress, in order to absorb and learn the basics, or else they will become pre-occupied with worrying about meeting those other objectives, rather than focusing on the fundamental concept. Gamification can support this approach through learning challenges, and through visually focusing on a limited set of interactive elements within the user experience.
8 – Provide the opportunity to practice each new skill
Learning basic concepts without practicing them is less likely to result in the employee being able to use their knowledge in a practical risk situation. Nobody remembers every piece of information the first time they are exposed to it.
Having a single quiz at the end of a learning module provides only one opportunity to practice recalling the fundamentals that have been learned. The marketing “Rule of 7” suggests that most people only retain new messages after hearing them about seven times.
It’s not practical to put employees through a quiz seven times. However, by creating a virtual, gamified environment where they can easily practice recalling what they have learned, in an environment that provides incentives to iterate, they will improve knowledge retention significantly. This is one of the key areas where traditional security awareness training usually lacks incentives for people to practice what they have learned, and gamification provides those incentives
9 – Make training content challenging in a way that triggers creative thinking and teachable moments
Employees may be able to quickly consume training content on the fundamental concepts they need to understand, and quizzing them immediately afterward can show that they have indeed understood the concepts. However, this is much different than being able to recall those concepts and to apply them logically and appropriately during real risk situations.
Instead, providing challenging situations that require more critical and creative thinking are actually more memorable to employees. There is a fine line between motivating employees with challenges and making exercises so difficult that they become discouraged. But if there is engagement and relevance, then a challenge that exercises logic more than memorized facts will drive better defensive behavior in the face of threats in real life situations.
A key part of gamification for motivated learning is to move away from “memorization” of facts by rote, and focus more on retention of decision-making skills, and when to trigger them. The focus of gamified scenarios then, is to provide realistic risk situations that emulate real-world threats.
10 – Provide feedback during learning challenges and exercises
When employees are given challenges, exercises or assessments in a training environment, it makes sense to provide feedback. But having the appropriate degree of feedback is important.
Employees need to be given enough information to understand why their choice was correct or incorrect. However, for awareness purposes, they do not necessarily need to understand everything from first principles. This can lead to disengagement and less effective knowledge retention. Gamification should be used to create feedback in various forms that are meaningful and helpful in making future decisions.
11 – Use practice variability and unexpectedness
When providing exercises for practice, making content too predictable can lead to employees scoring well, but there is less creativity required and less real practice at making decisions in unique situations. So, decision-making skills aren’t really exercised fully.
Providing randomized practice scenarios of equal difficulty will not only trigger more learning, but when employees know that the exercises will be potentially different each time, there is more of an opportunity to motivate them to do repeated attempts, especially if unexpected intrinsic or extrinsic “rewards” can be harvested, which will drive further proficiency.
12 – Test employees’ knowledge of content in aggregate, and to a high standard
Typical security awareness programs only test employee knowledge using a “fixed” set of quiz questions immediately after the learning lesson. This is not a test of their ability to make a decision in the context of several simultaneous inputs and is not a very high standard for proficiency. Simple quizzes do not provide a good indication of how well an employee may perform in a related, real-life risk situation where there are often several unexpected inputs to be considered at one time. In many cases, employees will keep trying the quiz questions with guesses until they get them right, if necessary.
Testing an employee’s ability to recognize risks that may appear in a situation that has multiple different inputs is important. Wherever possible, aggregate tests or assessments should be made using several different situations and should require that most or all of them are handled correctly, in order to provide assurance that the employee was not just guessing. Gamified exercises can be set up to adjust inputs in various ways and provides a built-in way to obtain consistent analytics about the proficiency or vulnerability of each employee in a meaningful comparison.
If employees are not engaged, their ability to comprehend the training content is impaired. They must be immersed and active in the learning experience. So, the content must be organized and presented in a way that gets their attention and requires them to shift their thinking into a more active learning mode.
Engagement can be achieved by applying a completely different user experience than any other task they perform on a daily basis, right from the beginning of a learning session, as well as with interesting storylines within the content, to keep the level of conceptual engagement high. This approach reflects one of the inherent advantages of gamification.
Using only static, text-based (or clip-art based) training content and delivery methods can quickly cause employees to tune out. Without visual engagement, their attention can easily be drawn to other tasks.
Beyond the conceptual flow of the user experience, the basic impact of a visually appealing user interface or training setting is key to maintaining engagement. The use of different colors and visual user interface elements will also provide engagement.
Within exercises, the content should be incorporated into an appropriate visual context such as the simulated use of a software program like email, or an office setting where devices are in use. Strong visual context design is another element that can be effectively added with gamification.
If employees don’t feel the training content will be relevant to them, they will only engage at the bare minimum level to complete the program. As a consequence, anything remembered will likely only reside in short term memory and will be forgotten within days.
Making training meaningful isn’t accomplished simply by presenting employees with a case study. It requires that they first understand the potential impacts of their future decisions. “Why should I learn this content?” So, employees should initially be provided with some unexpected facts and realistic examples that illustrate the connection between poor decisions and undesirable outcomes, and vice versa. Strongly tying together decisions and outcomes is fundamental to motivated learning through gamification.
Examples that don’t reflect the employee’s normal types of interactions are harder for employees to relate to and can be forgotten more easily.
Wherever possible, examples should use characters, situations and the types of information employees encounter on a daily basis, to immerse them into scenarios and increase their ability to recognize risky situations. Gamification provides the opportunity to integrate all of these elements.
The content delivered should be shown in a context that connects with the employee’s work environment. Otherwise the employee won’t be as likely to make the connection when they encounter the situation in the future.
This means providing as many specific, recognizable names of people, groups, locations, tools, processes, etc., as possible. This will increase the employees’ ability to recognize future risks in the context of their daily work experiences.
To replicate the work environment doesn’t necessarily mean that every aspect of an exercise must match the employee’s job. However, using immersive simulations of interactions will allow employees to more easily recognize the situations where threats are likely to appear. This approach is not practical in traditional video-based learning and quizzes, but it can be implemented through a gamified platform like Click Armor.
When the training content is referring to “staff” or to “random, instantaneously created characters” that employees aren’t familiar with, they may miss the relevance to their own job situation.
Inserting the employee into a character role within an exercise scenario provides an immediate, immersive perspective that triggers more direct engagement, and results in enhanced knowledge retention. This is another commonly used capability of gamification platforms like Click Armor.
When an individual feels pressured by multiple inputs, they are less likely to learn basic concepts. So it is important not to provide too many inputs when employees are expected to develop new conceptual skills.
Employees require dedicated time to focus on learning fundamental concepts such as how to look for specific clues about risks. They need to know that they are not being tested, or under stress, in order to absorb and learn the basics, or else they will become pre-occupied with worrying about meeting those other objectives, rather than focusing on the fundamental concept. Gamification can support this approach through learning challenges, and through visually focusing on a limited set of interactive elements within the user experience.
Learning basic concepts without practicing them is less likely to result in the employee being able to use their knowledge in a practical risk situation. Nobody remembers every piece of information the first time they are exposed to it.
Having a single quiz at the end of a learning module provides only one opportunity to practice recalling the fundamentals that have been learned. The marketing “Rule of 7” suggests that most people only retain new messages after hearing them about seven times.
It’s not practical to put employees through a quiz seven times. However, by creating a virtual, gamified environment where they can easily practice recalling what they have learned, in an environment that provides incentives to iterate, they will improve knowledge retention significantly. This is one of the key areas where traditional security awareness training usually lacks incentives for people to practice what they have learned, and gamification provides those incentives
Employees may be able to quickly consume training content on the fundamental concepts they need to understand, and quizzing them immediately afterward can show that they have indeed understood the concepts. However, this is much different than being able to recall those concepts and to apply them logically and appropriately during real risk situations.
Instead, providing challenging situations that require more critical and creative thinking are actually more memorable to employees. There is a fine line between motivating employees with challenges and making exercises so difficult that they become discouraged. But if there is engagement and relevance, then a challenge that exercises logic more than memorized facts will drive better defensive behavior in the face of threats in real life situations.
A key part of gamification for motivated learning is to move away from “memorization” of facts by rote, and focus more on retention of decision-making skills, and when to trigger them. The focus of gamified scenarios then, is to provide realistic risk situations that emulate real-world threats.
When employees are given challenges, exercises or assessments in a training environment, it makes sense to provide feedback. But having the appropriate degree of feedback is important.
Employees need to be given enough information to understand why their choice was correct or incorrect. However, for awareness purposes, they do not necessarily need to understand everything from first principles. This can lead to disengagement and less effective knowledge retention. Gamification should be used to create feedback in various forms that are meaningful and helpful in making future decisions.
When providing exercises for practice, making content too predictable can lead to employees scoring well, but there is less creativity required and less real practice at making decisions in unique situations. So, decision-making skills aren’t really exercised fully.
Providing randomized practice scenarios of equal difficulty will not only trigger more learning, but when employees know that the exercises will be potentially different each time, there is more of an opportunity to motivate them to do repeated attempts, especially if unexpected intrinsic or extrinsic “rewards” can be harvested, which will drive further proficiency.
Typical security awareness programs only test employee knowledge using a “fixed” set of quiz questions immediately after the learning lesson. This is not a test of their ability to make a decision in the context of several simultaneous inputs and is not a very high standard for proficiency. Simple quizzes do not provide a good indication of how well an employee may perform in a related, real-life risk situation where there are often several unexpected inputs to be considered at one time. In many cases, employees will keep trying the quiz questions with guesses until they get them right, if necessary.
Testing an employee’s ability to recognize risks that may appear in a situation that has multiple different inputs is important. Wherever possible, aggregate tests or assessments should be made using several different situations and should require that most or all of them are handled correctly, in order to provide assurance that the employee was not just guessing. Gamified exercises can be set up to adjust inputs in various ways and provides a built-in way to obtain consistent analytics about the proficiency or vulnerability of each employee in a meaningful comparison.
Conclusion
Employee cyber risk decisions are becoming an increasingly critical factor in reducing impacts to organizations from unexpected security incidents. So, there should no longer be an expectation that awareness training is simply a “cost of doing business” that must be minimized. Employee related security risks now form one of the most important enterprise risk areas to be managed.
Every business is subjected to phishing attacks that try to exploit a lack of awareness among employees. This means that compliance-focused security awareness training is no longer sufficient. Rather, proficiency in “general risk-based skills” should be the new goal, since security technologies have yet to evolve at a fast enough pace to significantly thwart the growth of successful cyberattacks.
Gamification represents a breakthrough in delivering engaged, motivated learning, with endless opportunities to improve proficiency among employees. Each of the 12 Motivated Learning principles discussed above can be implemented in various ways using gamification to reduce employee vulnerability to cyber risks. In fact, the Click Armor Cybersecurity Awareness Platform has been designed to support each of these principles with off-the-shelf awareness training programs, as well as the ability to create and evolve new gamified awareness programs in virtually any risk area.
Interested in implementing your current security awareness program in our gamified platform?
References:
Chen, H., Soltes E. (2018). Why Compliance Programs Fail—and How to Fix Them. Retrieved from https://yukaichou.com/gamification-examples/octalysis-complete-gamification-framework/
Kraiger, K. and Mattingly, V. (2017). Cognitive and Neural Foundations of Learning. In K. Brown (Ed.), The Cambridge Handbook of Workplace Training and Employee Development (Cambridge Handbooks in Psychology, pp. 11-37). Cambridge: Cambridge University Press. doi:10.1017/9781316091067.004
Chou, Y. (2019). Octalysis- the complete Gamification framework. Retrieved from https://yukaichou.com/gamification-examples/octalysis-complete-gamification-framework/
Mann, A. (2020). Motivated Learning Through Gamification. Click Armor.