Amidst all the news of advanced cyber attacks, vicious malware, and government-sponsored black hats, it’s easy to forget that the vast majority of data breaches come from the inside. I’m not just talking about malicious insiders, either. While disgruntled staffers with a chip on their shoulder are definitely still dangerous, the biggest risk comes not from malice but from simple ignorance.
An otherwise well-meaning employee forwards sensitive information to someone who isn’t supposed to see it. An unsuspecting remote worker downloads a keylogger from a compromised website. A tired employee accidentally opens a phishing email.
These are incidents that happen with troubling frequency. And while prevention should be a simple matter, often it’s anything but. Education and mindfulness coaching on their own simply aren’t enough to make people care.
Instead, what you need to do is take things a step further. Before you can educate anyone, you need to catch everyone’s attention. You need to make cybersecurity education entertaining and exciting.
The best way to accomplish that, as noted by Information Age’s Kate O’Flaherty, is through gamification.
“Many businesses [are adopting] gamification: educating workers to be more cyber-aware by using elements of game-playing,” she writes. “Some games are complex, with levels to pass and coins to earn. But it can also be as simple as sending out ‘test’ phishing emails and rewarding staff for not falling for them.”
A gamified approach to cybersecurity works for a few reasons. First, it gives your employees greater ownership over their own cybersecurity education. Instead of being forced to sit through a boring training video or slog through countless pages of dry copy, they’re able to take an active role in their security training.
They can proceed at their own pace, and have fun while doing so.
Gamification also provides a sense of achievement far beyond what an ordinary training program can offer. Providing your staff with certain milestones or rewards as they proceed through their training is an excellent way to keep them playing – and more importantly, learning. These milestones can also provide a measure of progress, showing an employee how much they have left to go before completing the program and possibly even inspiring them to keep going when they might ordinarily sign off for the day.
A cybersecurity training game can also be a great way to provide workers with a break from the day-to-day of their job. Even someone who loves their work can sometimes grow tired of it. Even someone with a great deal of passion can sometimes start to get frustrated with the drudgery and stress.
A gamified cybersecurity program provides an escape from all that. It lets your employees get lost in a new world where they have complete control. That it educates them while they do so is a side benefit.
Finally, by gamifying your cybersecurity program, you’ll help your staff associate good security practices and mindfulness with positive experiences. Rather than viewing measures like authentication and safe browsing as draconian restrictions, staff are likelier to understand why they’re necessary.
The Challenges of Gamification
Effective gamification isn’t simply a matter of throwing together a platformer or puzzle game and handing it to your staff. It requires a nuanced, personalized approach. It requires you to understand your organization’s culture and develop an educational program that meshes with that culture.
It also requires that you overcome internal resistance. There are plenty of people who will look at a gamification program and consider it little more than a distraction. They’ll wonder aloud what the benefits could be.
- Through gamification, the SAP Community Network reworked its reputation system and increased usage by 400%.
- An organization known as Omnicare gamified its IT service desk and gained a 100% participation rate from team members.
- Gamification of Keas’s wellness program increased engagement with health-conscious activities by over 100x.
- By teaching a journalism course through gamification, Professor A.L. Penenberg saw a sharp increase in student performance, with an average increase of more than a letter grade.
- Simply through the addition of a reward system, e-learning provider OTT saw a 65% increase in overall user engagement.
- Devhub gamified feedback on its website and saw completion percentage increase from 10% to 80%.
Basically, there’s a huge body of evidence suggesting games have very real applications in employee education and training. The links above represent only a small portion of that evidence. I’m certain there’s more to be found.
Of course, internal resistance isn’t the only roadblock to overcome. In order to introduce an effective gamification program, you’ll need to get every department in your organization on board. IT will need to work closely with human resources, and leadership buy-in across silos is an absolute must.
It’s essential too that you establish open communication throughout the implementation process. Everyone involved needs to be aware of your specific reasons for introducing gamification. Why are you undertaking these initiatives? How will information gained through the program be used, and what rewards exist for employees who complete it?
Finally, gamification is an ongoing process. You need to ensure you have the necessary resources to regularly revisit and refine your program. If you simply deploy a game and forget about it, chances are it’s going to fail – user feedback and a continuous development cycle are essential.
You aren’t going to make employees care about cybersecurity simply by telling them it’s important. That isn’t how it works. Instead, you need to take a subtler, more nuanced approach – like turning education into a game.
If your staff enjoy their cybersecurity training enough, they’ll end up becoming cybersecurity experts without even realizing they’ve done so.