Providing employees with the education and awareness necessary to adequately protect themselves from cybersecurity threats can be a daunting task. It can be difficult to design training that is responsive to real-world scenarios, flexible enough to be useful across a target audience of varied experience and education levels, and adaptable enough to keep up with the constantly evolving threat landscape facing information security. To meet these demands, companies are turning towards gamification as a means of strengthening their cybersecurity training programs and improving their employees’ digital literacy and cyber threat intelligence. According to Lisa Plaggemier, Executive Director at National Cyber Security Alliance, these training systems, which incorporate gaming elements such as friendly competition, role playing, and score keeping, are “an additional tool in your toolkit. It’s important to consider that not everyone learns from training the same way or pays attention to the same types of content in an awareness program.”
Promoting Digital Literacy through Gamification
Training employees to successfully recognize and avoid cybersecurity threats has always been a major focus for cybersecurity teams. Gamification allows companies to create fun, interactive learning methods for promoting cyber threat intelligence and creating a better prepared workforce that is more resistant to cyberattack. Gamification can take many forms, such as emails designed to entice users to click on links similar to those used in phishing exploits. Users who click on the links are immediately directed to a mini training exercise designed to reinforce cyber threat intelligence. In other approaches, trainees may be tasked with assuming the role of hackers looking to penetrate the company’s systems. There are even trainings based on escape rooms and full-on tabletop card games. Gamified trainings are often tracked with scoreboards or badges as a friendly way of keeping employees engaged and promoting playful competition.
Strengthening Information Security
Gamification looks to strengthen information security by incorporating into cybersecurity training elements that are engaging and interactive and that make for greater retention of information. Employees who are better equipped to recognize potential security threats raise the level of information security for their organization and prevent malicious actors from gaining footholds in a system. In addition to improving overall education and awareness, successful gamification will also provide appropriate engagement for a broad variety of ability levels and help to condition all employees to be more vigilant in looking for cyberthreats.
Measuring Success with Security Metrics
According to the Verizon DBIR, 74% of all cybersecurity breaches involve a human element such as social engineering, insufficiently secured accounts, and general user errors. Given this statistic, effectively training employees to recognize these approaches and avoid these common pitfalls is paramount. Adaptive learning, a central element of gamification training that reinforces learning by allowing participants to actually employ the information that is being delivered, has been shown to improve information retention by as much as 90%. In a study on the effectiveness of gamification in training, KPMG also reported that over 80% of respondents had fun while playing the training games. Gamification can provide novel experiences that allow employees to apply their knowledge in a fun and competitive manner that resonates with many participants. “Gamification has its appeal to employees who enjoy gaming in their spare time–even to those who are by nature competitive,” Plaggemier continued. “The training is simply more appealing to them, so they could be more likely to engage with the content and keep at it over time.”
RSA Conference 2024: A Glimpse into the Future of Cybersecurity
Although gamification is a highly effective tool in the fight for cybersecurity, it is important to recognize that there is no ‘one size fits all.’ “It depends on what’s right for your company culture, and I recommend you try to teach the same content through a variety of means, whether it’s gamification or in-person sessions or anything in between,” said Plaggemier. “The more variety of delivery mechanisms the better to appeal to more people.” This is why gamification is just one of the many concepts that will be covered at RSA Conference 2024, where industry experts will convene to share insights, innovations, and strategies for improving cybersecurity and providing effective approaches to training.