Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

06:00 PM
Curtis Franklin Jr.
Curtis Franklin Jr.
Edge Features

Gamification Is Adding a Spoonful of Sugar to Security Training

Gamification is becoming popular as companies look for new ways to keep employees from being their largest vulnerability.

In 1964 the world learned a spoonful of sugar helps the medicine go down. It wasn't the first time a key principle of gamification was said out loud, but it might well be the catchiest.

In 2019 tidying up changed hands from Mary Poppins to Marie Kondo, but the idea that making a task enjoyable makes it more likely to be done has been embraced by the business world — and cybersecurity training.

Merriam-Webster defines gamification as "the process of adding games or gamelike elements to something (such as a task) so as to encourage participation." And for many responsible for turning new hires from security vulnerabilities into security assets, it's a key strategy in keeping them focused on their training.

"There are numerous studies that show that gamification not only increases engagement, but it increases learning retention," says Hewlett Packard Enterprise (HPE) cybersecurity awareness manager Laurel Chesky. She says HPE has increased the degree to which it uses gamification in cybersecurity training because it has seen positive results with the technique.

Within HPE, Chesky says, there is mandatory basic cybersecurity training, but much more training is available on an optional basis. "We want them to come and engage with us and consume the common-sense information," she says. "If we aren't doing that in a fun and engaging way, they simply won't come back to us. So we have to do that through gamification."

How to Keep the Fun Factor Up
Moving training to a gamified basis can be effective, but, like anything, it can become rote and routine if done poorly, some say. "Gamification is great, but you need variety," says Colin Bastable, CEO of Lucy Security. "Variety is the spice of life. So I think that gamification is very valuable as part of a broader strategy."

HPE's training metrics reflect that, Chesky says. "We started off in a very grassroots, DIY-type of gaming, with a Web-based trivia game that we created," she explains. "It's very simple. It's set up like Jeopardy, and we can go online and pick a question for 200, 400, 800, or 1,000 points. It's very, very simple to create, and we did it in-house."

Joanne O'Connor, HPE cybersecurity training manager, created a different game called "Phish or No Phish" that uses the Yammer collaboration system as a platform. She will post an image on a channel and ask participants whether it's from a phishing email intercepted by the company's cybersecurity team. Employees who provide the correct answer win recognition points exchangeable for various prizes.

These games address the kind of training Lucy Security's Bastable believes is most suitable for gamification. "I would say that it works better for the short, sharp, pointed awareness training as opposed to a long and detailed course," he says. "Generally, I would say that what you want to do is create an environment that engages rapidly and that engages people where another format might not."

Many of HPE's games are designed to be completed within about 20 minutes — experiences that allow the employee to engage deeply to learn a single facet of cybersecurity, O'Connor says.

The Science of Fun
Some academic research, like that of Michael Sailera, Jan Ulrich Henseb, Sarah Katharina Mayra, and Heinz Mandla, explores the reasons gamification can be effective in training. They point to self-determination theory, which states three psychological needs must be met: the need for competence, the need for autonomy, and the need for social relatedness.

In their research, the researchers found "…the effect of game design elements on psychological need satisfaction seems also to depend on the aesthetics and quality of the design implementations. In other words, the whole process of implementing gamification plays a crucial role."

Bastable says there's a common assumption that gamification is more effective for younger employees and less so for older workers. But the reality is it can be effective for all employees, though different individuals may respond to different types of game mechanics (the way the game looks and is played).

O'Connor agrees. "It's something that we think about a lot with our new employees being, of course, younger folks, and we need to reach them. But, really, we think it reaches everybody," she says.

Chesky believes the tide has turned toward gamification in all types of enterprise training. "I think you see it now in a lot of corporations on an industry level," she says. "I think you've definitely seen most corporations and, of course, the industry moving toward that for all different kind of mandated company training because it works. It's all about engagement."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Home Safe: 20 Cybersecurity Tips for Your Remote Workers."

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
12/5/2019 | 2:51:55 PM
Gamification is old, misleading, and a joke
Gamification has always been and always will be a WORD. It is based off of Game theory and the fact that people keep using it, shows how much they do not know. Game theroy has been around forever and companies have tried numerous times to add it into their training, but keep failing. I have been part of large, global companies that have tried this approach and have failed. They tie it to regular gaming by offering rewards and contests, but what it does is impact the business in bad ways. Employees would stop working to do these, they would get anxiety, and some would even get obsessed with doing everyone they can find.

What needs to happen is for companies to go away from game theory and have more interactive, real world training. It doesn't need to be game like, but more virtual were your actions can lead to the success or failure of the event. I have done a few training where every thing in the training was clickable and interacting with it brought curiosity and uncertainity. Not once did I feel like I was playing in a game ( I have been a gamer since 1980, so I know), but more of me finding out what my strength and weakness.

Old school training is still the best training companies can do. We all need to know and understand whats what. We are adults and need to be treated as professionals, not kids. Universities and Colleges are changing their teachings to be more interactive, but they still guide you back to the book.

In the end, when it comes to figuring out what action you need to take. Playing a game isnt going to help you, but knowing where to go to get the answer will.
Name That Toon: The Lights Are On ...
Flash Poll