GAMIFICATION: Trigger “HAPPY” Chemicals with Your Cyber Security Training Program
If you have ever filled out a complete profile on LinkedIn (because you wanted to reach that 100% on the profile completeness) or finished a never-ending survey because you were promised a prize at the end, you’ve been gamified.
Gamification is a not-so-novel term used to describe the act of infusing gaming techniques into non-game (business) scenarios with the intention of driving audience engagement and changing specific behaviours.
It is an effective social learning technique that has proven hugely successful in building efficient teams across cultures and industries, which is why you have companies like Google, Facebook, Verint and IBM making heavy investments in gamification.
The idea of gamifying corporate training was birthed out of the inefficiencies of existing approaches to engaging people and the need for an improved training experience guaranteed to make trainees/employees a little more motivated and happier about completing a training process. Games are generally known to release feel-good hormones, and that is in fact what makes them very popular. By adopting gaming mechanics like competition, points, badges and leaderboards into their corporate training programs, organisations can make learning a fun, immersive experience and nudge behaviour in a desired direction.
As human errors continue to account for a large part of security incidents in many organisations and companies, providing effective and behaviour-changing training for employees is crucial. Gamifying cyber security training has immense benefits, both for the organisation and the individual:
Communication is a two-way street which sees only one lane utilised during traditional classroom-style training sessions. Gamified training, on the other hand, is more engaging and requires participation of both the instructor and the trainee. In gamified training, employees are encouraged to engage with the training content and material, as typified in the example below.
This Cyber Risk Aware example is an activity in the password protection training course. Here trainees are encouraged to apply what they have learned so far in the course by participating in a simulated hacking exercise. Progress cannot be made until the trainee actually participates in the activity and engages with the training content. This guarantees that employees are not just passively clicking through training content but are paying keen attention to and applying the knowledge that is being disseminated.
Bite-sized & Digestible Content
The attention span of the average person is getting shorter and shorter. In the workplace there are already a lot of tasks vying for employees’ attention; as such, most do not want to be hassled with a long-form PowerPoint or video. To deliver security awareness training in this context, what is most effective is micro-content delivery and short-form challenges. Employees will be better engaged, and you will record higher retention, by shortening each lesson and turning them into employee missions, for example, eight minutes of training each week for six weeks instead of one hour (or more) at a time.
Giving trainees feedback during their learning experience has the effect of deepening their understanding and ensuring they don’t reinforce incorrect ideas or habits. It has also been shown that individuals given immediate feedback show greater increases in performance and understanding compared to when feedback is delayed.
Users don’t get real-time feedback in most corporate training programs as assessments are only done at the end of the program when all the training materials are assumed to have been fully assimilated. However, a gamified security awareness training program can give learners instant gratification with scores or other systems that update as they progress.
These kinds of programs also make liberal use of scenario-based learning, which captures some of the usual threats that employees would/might encounter in their day-to-day activities on the job. Employees are encouraged to learn and make mistakes, all within a controlled environment. This can lead to improved confidence and knowledge of what to do and what not to do when faced with a real-life situation.
Rewards & Recognition
Everybody loves to be recognised for their achievements, and gamification allows for this to happen without bias. The prospect of being rewarded at the end of training sessions would not only motivate your employees but also increase their performance.
Several human psychology studies have revealed that the anticipation of a reward in exchange for a certain action typically functions as a strong incentive to carry out said action, regardless of how objectively small or minor the reward may be. For example, in a cyber security training program, the reward for completion may simply be giving trainees a wristband or a badge (like the Cyber Risk Aware Human Firewall Award) that acknowledges their new knowledge. In absolute terms, this may be a relatively minor reward, but the desire for this reward creates a powerful incentive to perform as instructed because the human brain is hard-wired to crave such recognition and rewards.
Also, with the Cyber Risk Aware award badges shown above, line managers can set training goals/expectations at the start of the period and monitor how employees are performing against set goals.
Completely eliminating the human aspect of cyber risk is a challenge, but with the right tools and programs, organisations can make tremendous progress in this area. A necessary first step is equipping employees with the knowledge they need to stay safe online. And delivering security awareness training in a game-based learning environment that enables your employees to work toward a goal, choose actions and experience consequences, all in a risk-free setting, can result in behaviour change that actually reduces risks.
Furthermore, gamified cyber training is only effective if employees apply the skills they have learned and acquired to real-world scenarios. For this reason, it is advisable that you measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of your organisation.