The human factor in organisations is the cause of the majority of data breaches and security incidents globally. Mistakes made by people, whether through inattention, ignorance or, occasionally, deliberate misuse, lead to more security incidents than cyber attacks that directly target a company's IT systems.
And while the vast majority of employees do not want to cause harm, many do so unintentionally through poor cyber hygiene, including poor password habits, careless web browsing or clicking on links in phishing e-mails.
Cyber criminals know about these bad habits, which is why employees are often the primary targets of social engineering attacks like spear phishing.
Strong cyber security starts with employees
Many companies claim to have effective policies and procedures in place to help their staff avoid and deal with cyber threats. The data breaches that fill the headlines on a daily basis paint a very different picture: they often describe how cyber criminals gained access to company systems and data through a single unwary employee.
Too often, employers underestimate the role that their own employees, from customer service to the boardroom, can play. Any chain is only as strong as its weakest link, and while employees have the potential to be a very effective security measure, they are usually one of the biggest vulnerabilities an attacker can exploit.
Furthermore, cybercrime is currently intensifying as threat actors become more determined and aggressive, and their methods more complex and sophisticated. This means that private and public organisations need to find better ways to engage their employees when they participate in awareness training.
What is gamification?
Gamification means taking classic game mechanics and transferring them to a situation, medium or activity that does not normally contain those elements. These are typically elements from computer and video games that the vast majority of people are familiar with.
Gamification can take the experiences and rewards that make games fun and engaging and apply them to everyday situations and scenarios to motivate people to behave in a certain way or achieve a certain goal.
Gamification can be as simple as adding a leaderboard to a training exercise so employees can compare results, or as complex as using a role-playing game with levels and challenges to help players build solid habits and achieve different goals.
Gamification in cybersecurity and awareness training
Gamification is being used more and more in education and can be used in many ways, from second language acquisition to engineering degrees. Gamification is ideal for learning as it transforms passive learning into interactive learning. Instead of learning solely through teaching materials and lecturers, users become part of the learning through interactive exercises.
Traditional awareness training has a reputation for being dry and heavy-going, and is seen as a chore by employees. In many industries, awareness training is mandatory for all employees. This means that security or training teams typically assign employees to a training session once a year, and then have to make sure that every employee completes the mandatory training.
Unfortunately, it can be a difficult task to motivate employees and get them to engage in awareness training so that they can retain the knowledge they have acquired and convert it into behavior that helps the organisation detect and avoid security threats.
Therefore, all organisations should use gamified elements in their awareness training to ensure that the training actually works and creates new habits.
Gamified elements include:
- Time limits
Using multiple elements to create a coherent and meaningful training is extremely effective.
Gamification = effective training
When used for awareness training, gamification has been shown to increase employee participation and engagement, boost knowledge retention and reinforce safe behaviors - behaviors your employees can use to keep your organisation well protected.
A key reason games capture players is that they contain recognisable, exciting and relatable elements that keep players coming back for more.
Adding gamification to cybersecurity awareness training makes it a fun team activity and introduces some healthy competition between participants. It's also a positive way for employees to engage with cybersecurity. Employees acquire a large amount of knowledge without thinking about it, as it feels more like entertainment than actual training.
If employees have fun while learning about cybersecurity, they are much more likely to complete the training sessions and may even look forward to attending the next one.
Gamification has proven to be very effective in ensuring employee participation in training because it encourages them to perform certain actions by appealing to the part of them that cares about competition and self-development. For gamification to be effective, companies need to make participation an easy and fun part of the user experience.
Higher engagement among all employees
Traditional awareness training typically follows the same model: introduction, teaching and finally a quiz that tests employees on their new knowledge. This model rarely leads to high engagement. Gamification does, however, as it makes training interactive and immersive without feeling like heavy teaching.
Gamification gives employees more reasons to participate in the training, making it far more motivating and rewarding for each employee.
Awareness training should be continuous and not limited to a few training sessions a year. Part of gamification is that employees can see themselves getting better and better, and this reinforces continuity. Continued participation in training, together with the personal motivation to learn and improve, naturally leads to better learning outcomes. And the knowledge that employees gain is retained through repetition.
Facilitating behavior change
A major problem with most awareness training campaigns is that employees do not believe that the content and exercises are directly targeted at them. Although they participate in the training programmes, they do not see the relevance and therefore do not convert their knowledge into action.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.