Gamifying security awareness: Your secret tool for training users

Studies show that 95% of cybersecurity breaches are due to human error. Unfortunately, that’s also the hardest problem to rectify — unlike other vulnerabilities, you can’t just upload a patch to people’s brains to fix this. The best you can do is schedule some cybersecurity training, but for some people, the lessons just don’t stick.

However, there is a tried and tested way to solve this, and that’s by gamifying your training. In this article, I’ll cover what gamifying is, and explain how you can apply this to your current and future cybersecurity training.

What is gamification?

Gamification is when you add game-like elements — such as points and awards — to non-game tasks, like education or work. This makes an otherwise boring task more fun, so people are more engaged and motivated to interact with it. In short, routine tasks are transformed into exciting challenges.

Take Pluralsight Skills, for example, an education platform for technologists. Normally, learning new skills can be a real headache — a boring slog of memorization and repetition. However, Pluralsight has gamified its platform using weekly goals, badges, and leaderboards to keep users engaged. One example is the Stack Up game in Pluralsight’s mobile app.

Another great example of a company who has done this is Duolingo, the language-learning app, which has pathways for users to follow and gems to collect, truly making the process game-like!

While gamification can be applied to practically any task — sales, healthcare, onboarding, recycling — education is hands-down one of the best places to apply it. This includes your cybersecurity awareness training!

Gamification is a proven success strategy

The great thing about gamification is that in 2023, it’s well-trodden ground. There’s a number of research studies that show it’s an effective learning method, including for cybersecurity:

• Gamification results in a 60% increase in user engagement for training courses

• Companies that have gamified training saw a 43% increase in employee productivity 

• Research shows when users take gamified cybersecurity awareness training, they gain a stronger understanding of the fundamentals, such as password security

How gamification can be applied to cybersecurity

There are three ways you can apply gamification to your cybersecurity training: use an existing training platform, gamify your existing materials, or run new game-like events. Each approach has its pros and cons, so you may want to use a mixture of these approaches.

1. Using a gamified training platform

There’s a number of benefits to going with an out-of-the-box solution for your cybersecurity training:

• It’s all built in: You don’t have to come up with the gamification yourself, such as building leaderboards, badges, or tracking progress.

• Turnkey and user-friendly interface: These solutions are designed to be plug and play, making it easy to roll out across your organization.

• Standardized, expert training: Training is produced by cybersecurity leaders, who often align their modules to industry standards and regulations, and are aware of the latest threats.

• On demand, remote learning: Users can learn at their own pace, instead of having to attend fixed seminars at physical locations.

• Certifications: There’s often pathways for users to get recognized certifications, should staff want to pursue them.

• Tracking: Depending on the platform, you can assign lessons and track their progress individually.

All of this sounds great! So what are the cons? 

• Financial investment: These platforms aren’t typically free, so you will need to take this into account.

• General material: If your company has specific needs or vulnerabilities, a general learning module may not cover this.

When to use this approach

A gamified training platform is ideal for driving a basic level of cybersecurity awareness in medium to large enterprises. These types of organizations have the budget to spend on them, as well as a larger employee base that can benefit from standardized training. Organizations with overworked L&D and IT teams also significantly benefit from these solutions.

These platforms are also great for providing intermediate and expert cybersecurity professionals with avenues to upskill, so they can further their knowledge and career. If you are struggling to train or retain cybersecurity professionals, providing them with this sort of platform is beneficial to both them and the business.

2. Gamifying your existing training materials

When a gamified training platform doesn’t fit your needs, or you're working on a shoestring budget, you can gamify your own training materials. It’s not that hard, either!

Points and Rewards system

Assign point values to different training modules or quiz questions. Employees can accumulate points for completing tasks or answering questions correctly, redeemable for small rewards like swag items, stickers, coins, or digital team badges.

Badges and Achievements

Reward employees with digital badges for completing certain modules, like "Phishing Prevention" or "Password Best Practices." 

Leaderboard challenges

Introduce a leaderboard to foster a healthy competitive spirit among employees. As they progress through training modules, earn badges, or achieve high scores on quizzes, their rankings on the leaderboard improve. Monthly or quarterly champions could be recognized and rewarded with a small prize.

Real-World Missions

Send out simulated phishing emails and reward those who flag them as suspicious. Consider this a 'real-world quest' and offer a badge for successful detection.

Flash Cards and Microlearning

Gamification includes analog games! Create flash cards or microlearning modules that employees can quickly go through during breaks. Gamify these resources by incorporating point systems, time challenges, or peer challenges to make learning bite-sized yet effective.

Make your own game

Perhaps the most resource-intensive solution, but certainly effective. If you’ve got the ability to create a “choose your own adventure” style solution (perhaps using a fairly easy game-making tool such as Twine), you can build your own in-house gamified training resource.

A case study: How the NSW Government used gamification

In Australia, the NSW State Government was experiencing bad actors targeting their behavioral vulnerabilities, such as being busy and preoccupied with work. They developed an in-house training game to reinforce their cybersecurity learnings called “Tour de Phish.”

The results of this were incredibly positive:

• All the users (100%) felt more confident in identifying phishing emails after completing the Tour de Phish.

• 89% of users preferred it compared to online courses or face-to-face workshops

• 92% of users simply enjoyed playing the game

When to Use this Approach

Gamifying your existing training materials is a budget-friendly and adaptable way to spice up your cybersecurity education program, especially for smaller outfits or those watching their pennies. Plus, if your organization faces unique cybersecurity hurdles that off-the-shelf platforms don't address, going DIY with your training materials can help shore up these gaps. 

Note that for this approach to work, you’ll need the in-house know-how to craft and upkeep these gamified elements. You’ll also need to set aside time to keep them going and create a cybersecurity awareness culture.

3. Running Game-like Events

Creating a lively and engaging cybersecurity culture can sometimes require thinking outside the conventional training box. Hosting game-like events is an imaginative way to keep your cybersecurity training fresh and engaging. Here’s how you might implement this approach:

Cybersecurity Competitions

Hold regular Capture the Flag (CTF) challenges where teams or individuals can compete in a friendly environment to solve real-world cybersecurity challenges. These challenges can range from identifying vulnerabilities in a network, responding to a simulated data breach, or solving crypto-puzzles. 

The spirit of competition can ignite a passion for learning and applying cybersecurity concepts in a practical and enjoyable setting. Pluralsight’s internal security team and content authoring teams compete in CTF challenges to upskill throughout the year, and it has been a highly successful initiative.

Escape Room Scenarios

Design cybersecurity escape room scenarios where teams have to solve cybersecurity puzzles to “escape” from a simulated threat or to prevent a mock data breach. This hands-on, pressure-driven environment can be both fun and educational, helping to solidify cybersecurity concepts in a memorable way.

Scavenger Hunts

Create a scavenger hunt where employees need to find and solve cybersecurity challenges within the workplace.

Hackathons

Organize hackathons where employees can work together to solve cybersecurity challenges or develop new security solutions. Besides promoting a deeper understanding of cybersecurity principles, hackathons also encourage creativity, teamwork, and innovation.

Role-Playing Games (RPGs)

Develop role-playing scenarios where employees assume different roles within a cybersecurity incident response team. These RPGs can help individuals understand the various responsibilities within a cybersecurity team and how coordinated efforts are crucial in managing cyber threats.

When to Use this Approach

Game-like events are perfect for organizations that have a culture of continuous learning and enjoy a bit of competition. They are particularly useful when you want to foster a deeper understanding of cybersecurity concepts, encourage teamwork, and promote a proactive cybersecurity culture.

Moreover, these events offer a more hands-on and practical approach to cybersecurity training, which can be invaluable in preparing your team for real-world cyber threats. They also provide an opportunity for individuals to apply what they've learned in training in a more dynamic and realistic setting.

Conclusion: The best approach is all of the above!

If you want to create a truly robust cybersecurity culture in your organization, use a mix of the solutions above. By using gamified platforms, gamified existing materials, and game-like events, you can create a robust and engaging cybersecurity training program. 

Each of these gamification methods caters to different learning styles and organizational needs, making it possible to create a well-rounded cybersecurity education initiative that’s both effective and enjoyable. By fostering a fun and interactive learning environment, you not only improve cybersecurity awareness and skills but also create a culture of continuous learning and improvement, which is crucial in the fast-evolving world of cybersecurity.

Want to get started with a gamified learning platform?

Pluralsight Skills offers a fully gamified learning experience for learners of all levels — beginners, intermediate, or expert — offering weekly goals, badges, and leaderboards to keep them engaged. It has thousands of on-demand, expert-led courses as well as hands-on labs, quizzes, and Skill IQ tests. It’s perfect for increasing your organization’s cybersecurity awareness. Sign up for a 10-day free trial to check it out with no commitments