Gamification is Adding a Spoonful of Sugar to Security Training
In 1964 the world learned that a spoonful of sugar helps the medicine go down. It was not the first time a key principle of gamification was said out loud, but it might well be the catchiest. In 2019 tidying up has changed hands from Mary Poppins to Marie Kondo, but the idea that making a task enjoyable makes it more likely to be done has been embraced by the business world — and cybersecurity training.
Merriam-Webster defines gamification as “The process of adding games or gamelike elements to something (such as a task) so as to encourage participation.” And for many responsible for turning new hires from security vulnerabilities into security assets, it’s a key strategy in keeping them focused on their training.
“There are numerous studies that show that gamification not only increases engagement but it increases learning retention,” says Hewlett Packard Enterprise (HPE) cybersecurity awareness manager Laurel Chesky. She says that HPE has increased the degree to which it uses gamification in cybersecurity training because it has seen positive results with the technique.
Within HPE, Chesky says, there is mandatory basic cybersecurity training but much more training is available on an optional basis. “We want them to come and engage with us and consume the common-sense information,” she says. “If we aren’t doing that in a fun and engaging way they simply won’t come back to us. So we have to do that through gamification.”
How to Keep the Fun Factor Up
Moving training to a gamified basis can be effective but, like anything, it can become rote and routine if done poorly, say some. “Gamification is great, but you need variety,” says Colin Bastable, CEO of Lucy Security. “Variety is the spice of life. So I think that gamification is very valuable as part of a broader strategy.”
“I think our training metrics definitely reflect the larger engagement,” Chesky says. “We started off in a very grassroots, DIY type of gaming, with a web-based trivia game that we created. It’s very simple. It’s set up like Jeopardy and we can go online and pick a question for 200, 400, 800, or a thousand points. It’s very, very simple to create and we did it in-house,” she explains.
Joanne O’Connor, HPE cybersecurity training manager, created a different game called “Phish or No Phish” that uses the Yammer collaboration system as a platform. She will post an image on a channel and ask participants whether or not it’s from a phishing email intercepted by the company’s cybersecurity team. Employees providing the correct answer are able to win recognition points exchangeable for various prizes.
These games address the kind of training that Bastable believes is most suitable for gamification. “I would say that it works better for the short, sharp, pointed awareness training as opposed to a long and detailed course,” he explains. “Generally, I would say that what you want to do is create an environment that engages rapidly and that engages people where another format might not.”
O’Connor says that many of their games are designed to be completed within about 20 minutes — experiences that allow the employee to engage deeply to learn a single facet of cybersecurity.
The Science of Fun
Some academic research, like that of Michael Sailer, Jan Ulrich Hense, Sarah Katharina Mayr, and Heinz Mandl, explores the reasons that gamification can be effective in training. They point out that self-determination theory says that three psychological needs must be met: the need for competence, the need for autonomy, and the need for social relatedness.
In their research, the researchers found that, “…the effect of game design elements on psychological need satisfaction seems also to depend on the aesthetics and quality of the design implementations. In other words, the whole process of implementing gamification plays a crucial role.”
Bastable says that there’s a common assumption that gamification is something that is effective for younger employees and less so for older workers. He says the reality is that it can be effective for all employees, though different individuals may respond to different types of game mechanics (the way the game looks and is played).
O’Connor agrees. “It’s something that we think about a lot with our new employees being, of course, younger folks and we need to reach them. But really we think it reaches everybody,” she says.
Chesky believes that the tide has turned toward gamification in all types of enterprise training. “I think you see it now in a lot of corporations on an industry level,” she says. “I think you’ve definitely seen most corporations and of course the industry moving towards that for all different kind of mandated company training because it works. It’s all about engagement.”
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …