You probably keep hearing about gamification, but what is it exactly? And, more importantly, what impact can it have on a company’s cybersecurity training?
This article presents a brief overview of gamification’s history and the psychological drivers, deeply seated in human nature, behind its effectiveness. It presents some examples of gamification’s use in training and suggests some ideas for its deployment in cybersecurity training, a field where it is perfectly relevant.
As long as humans have been around, there have been games: in ancient Egypt and Greece, throughout prehistory, and even before that if we look at the behavior of certain primates.
But why does Man love to play?
Games rely on deep psychological levers: “intrinsic” motivation, which consists of three broad categories:
Games have the advantage of creating a scenario for a given “goal” (like learning a foreign language), in an evident and understandable manner, and of facilitating engagement.
The concept of gamification is derived from these observations.
The idea is that introducing game-like elements to topics that, without them, would not capture the interest of their targets will make these subjects more fun and engaging.
Today, gamification is ubiquitous on the different websites and apps we use (for example, via goals, progress monitors, rewards and badges on the Duolingo foreign language app).
But how did we get to this point? What is the impact? And how could this be used in cybersecurity?
It all began in 1980, with the publication of an article titled “What Makes Things Fun to Learn? A Study of Intrinsically Motivating Computer Games” by T. Malone, an MIT professor who analyzed how children could learn from computer games.
The ball was rolling:
The 2010s saw an acceleration in the use of gamification:
A study has shown that close to 90% of employees enjoyed having gamification elements in their day-to-day work, and that these could increase the retention of information by up to 90%. But why is gamification so effective?
The reward, awarded for achieving certain objectives or completing trainings, leads to the release of hormones such as dopamine, serotonin, or endorphins. These hormones, in conjunction with the feeling of success or personal accomplishment, increase the effectiveness of trainings or programs, which are then associated with positive emotions (wellbeing, personal satisfaction, happiness).
Linking trainings or programs with obtaining rewards increases the engagement of users by moving the goal posts, from “following a training to master a topic” to “obtaining a reward”. This shifts the subject from a business training to reaching personal goals, which in turn increases interest and engagement for the topic at hand.
Linking action with a concrete result (which differs from previous, entirely passive, trainings), generates motivation and engagement.
This is probably one of the most underestimated components of gamification, but personal evolution and real-time performance measurement contribute enormously to the success of gamification in training. It is extremely rewarding for users to be able to see their individual performance (in contrast with reporting at a coarser granularity, at the team or business unit level for example). It places the individual at the center of the process, allows them to observe their progress, and can be made fun and entertaining (and probably should be, so that performance monitoring does not become a source of stress).
Up to 90% of what we learn is acquired outside of formal training. By incorporating elements of social interaction such as news or activity feeds, chats, or notifications, the social component of gamification increases the effectiveness of trainings.
Cybersecurity seems to be a relevant field for gamification, and yet this mode of training has yet to be regularly employed. Why?
The topic has long been considered too technical, too complex and complicated for users. Something only for the knowledgeable. This is clearly wrong.
And the cybersecurity industry has long sought to provide a technical solution to weaknesses that derive from the behavior of users. This “techno-centric” approach has relegated employees to the sidelines: the less was asked of them, the better for the company’s cybersecurity.
And yet, cybersecurity is a technical and immersive universe, one which it is possible to discover progressively. It requires users to be active and overall represents a “world” in which gaming components fit in well.
All in all, gamification and cybersecurity are a relevant match!
This is what Beaumont Health Systems understood: they introduced gamified cybersecurity training in 2014.
Their chief information security officer called their previous, dry and rote training, “death by PowerPoint”.
This new approach led to an increase in the retention of information and a more proactive approach to cybersecurity by the company’s employees.
Gamification applied to cybersecurity training touches upon multiple concrete aspects of a company’s cyber defense:
All this leads to greater engagement and motivation for the employees, gives them an active role, and makes the topic much more fun to master.