General thoughts

Gamification in Cybersecurity: Engage Employees and Strengthen Your First Line of Defense

Feb 9, 2022

Paul-Arthur Jonville

Cybersecurity's main challenge is humans. Your cyber awareness teams can import mechanics from the video game industry to build a cybersecurity gamification strategy that drives engagement.

We all know the facts about cybersecurity. Here and there, we've talked about them. Rising attacks and rising consequences. Companies have long tried to change human behaviors to reduce the risk. Still, no matter how much training, sanctions, and naming and shaming (flogging?) are in place, in 2021, the human factor was responsible for 93% of successful attacks.

Some companies thought that by buying top-notch technologies, they would reduce risks to zero. It most certainly helps, sure. But they underestimate their own employees' role: your employees are the first line of defense. Their behavior needs to change to make your cybersecurity architecture truly effective!

So, how can we change mentalities, this gathering of beliefs and habits, and thus behaviors?

Most behaviors are determined by intention and under the control of our will. Behavior changes can be seen as going through knowledge, perception, and belief transformation and then choosing to act. 

Communication is an ideal lever to accompany this process. It informs and convinces with rational arguments. It modifies perception and encourages action by playing on anger, sadness, joy, and more. It can also combine the two, stimulating both dimensions.

Still, it isn't clear whether changing mentalities is necessary or enough to change behaviors. Bringing knowledge and making perceptions and beliefs evolve often isn't enough to achieve results. A well-known study showed that although 92% of Americans know the importance of washing their hands after going to the toilet, only 62% do it.

How can we explain this gap between belief, intention, and action? Lack of motivation, bad habits, or cognitive biases (loss aversion or the yearning for the status quo).

Therefore, other behavior strategies must be planned to transform these behaviors. You have to reinforce intrinsic motivation by making things playful to get people to act. You know where I'm going: gamification. 

  • What's Gamification

  • Examples of Strategies

  • What are the benefits of gamification

  • Mechanics for your Cybersecurity Gamification Strategy

What's Gamification

Gamification applies mechanics and design techniques first introduced in games to other contexts. As we said above, it can be a powerful tool for engaging your employees to change their behaviors and develop their skills and knowledge.

We're focused, dedicated, sometimes obsessed, or even addicted when playing games. Games make us want to discover more, keep playing, and get better to go further. To achieve this, games engage us in many unique ways that change our behavior, coupled with a playful side that creates a feedback loop that leads to self-reflection and learning. Examples include competition through leaderboards, collaboration by completing team missions, community by seeing other participants on a news feed, collection when earning unique badges, and surprises by unlocking new missions. Game dynamics are used with game mechanics to foster engagement and motivate participants.

These techniques are bearing fruit. The video gaming industry has been one of the most dynamic in terms of growth and revenue in recent years. Future revenue growth projections are also high, as time spent playing video games is not seeing a downturn.

An interesting study from the Entertainment Software Association in 2021 shows exciting facts about the video game industry in the US:

  • 67% of adults are players

  • 76% of children are players

  • The average player is 31 years old

  • 45% of gamers identify as female

  • 80% of players are over 18

  • 51% of gamers play more than 7 hours weekly

As time passed, revenue growth rose. Other industries started to pay attention to the mechanics used to keep people playing and imported them into their fields, mainly in education.

Let's have a look at different mechanics and strategies commonly used.

Examples of gamification strategies

Visual Aids: A picture or a video can be worth much more when explaining something, and they're often better at keeping people engaged.

Short Training: Effective training is quick. Most of the time, the total time dedicated to the training is rather long. In such a case, you would want to divide the program into ten or twenty-minute sessions every other day for 6 to 8 weeks. First, it's better than a 4-hour course. Second, it allows repetition over time, making people understand and remember better.

Fun: It may seem obvious to most, but the reality is that when people design their training program, the fun side tends to vanish as they plan it. Always have the playful side in mind. It's the main asset keeping people engaged.

Rewards: Of course, rewards are essential. This is one critical element in your approach. Look at the revolution of achievements in the video gaming industry. There are multiple, easy and hard, fast and longer to obtain. They will keep people motivated and incentivized as they start to pile up, like points, trophies, or both.

Badges: You could think that Badges and Rewards are the same. Here, we're making a slight distinction to give you food for thought. Badges are even more incentivizing as they're meant to be shown off because of the extraordinary actions needed to unlock them, a significant milestone achieved by the best participant.

Leveling up: To emphasize the sense of progression, you can also create a progression path based on RPG games. We all know someone (us?) who spent nights on some game to max out their characters.

Leaderboards: Direct competition between players is also essential to keeping people engaged in your strategy. Most of us are naturally prone to comparison and competition, and leaderboards fulfill the motivational need for "achievement." They also help identify who's lagging or isn't receptive to the strategy.

Know your audience: Games constantly adapt to their audience. Your strategy has to meet your audience's tastes to find what motivates them, including the matters treated, the environment, the characters, the UX, etc. 

Benefits of implementing gamification

Gamification drives engagement and influences results. When people participate and engage with your gamified product, they learn faster the best way to interact with your products and services. It can be applied across a broad spectrum of activities where individuals can use mechanics to stay motivated. Some well-known platforms imported gamification mechanics and took advantage of others to become leaders. Let's have a few examples.

Reddit used game elements to turn a relatively simple forum into one of the world's top social networking sites. How? With awards, points, and badges. 

Fitbit and other healthcare apps/devices have turned sports into incredibly playful activities with rewards, badges, and leaderboards. They combine attractive UX with small, fun perks to keep users engaged.

The same goes for many other gamified apps. For example, apps that help you quit smoking introduce gamified elements such as leveling or rewards to keep you incentivized. 

Last but not least, take your Subway loyalty card. Yes, the one sitting on your desk or deep in your wallet. You're waiting for the last stamp to get your free sandwich. This is also a gamified strategy to keep you engaged.

Yes, gamification is everywhere.

6 mechanics for your Cybersecurity Gamification strategy

Most cybersecurity awareness training follows the same pattern: an introduction, the training proper, and a quiz. It's not a very playful design. As a result, one of the main struggles is to get employees to finish the content. Gamification offers a new way of approaching cybersecurity awareness training that leads to better engagement.

Below, we've gathered six mechanics and strategies to improve your training. Some require a specific platform to execute and more work to be implemented. Others are, on the contrary, reasonably easy to incorporate. A simple quiz will be much more engaging if you add a time limit, points awarded according to the time taken and the correct answer given, and leaderboards and badges. This will infuse a sense of competition among users, who will try to remember the solution in time and score better than others.

1. Points

Awarding points for each correct answer in your quizzes is a great way to get users to finish the course. It encourages them to review all the content to compare their score with their coworkers later and further increases their immersion. You can also award points during your phishing campaigns. 

One remark. You should award positive points, not negative ones, as negative points can foster shaming phenomena that make people answer questions wrongly and make them more prone to quit. Moreover, starting from 0 instead of starting at 100 offers a sense of achievement and progression.

2. Levels

Piling up points perfectly complements a leveling system when discussing progression. A higher points score should lead to an increase in levels, fulfilling the competitive and motivational need to achieve better than your neighbor.

3. Rewards

Each level achieved could lead to a reward. More generally, Rewards are essential in your strategy. Create a variety of them to set goals and increase the sense of accomplishment. Accompany them with narratives to clearly describe the plan to make understanding and work easier for your employees.

4. Leaderboards

Of course, points, levels, and rewards deliver their best engagement qualities when participants can compare them with others'. Weekly or monthly leaderboards are among the best-performing and most exciting features to add to motivate your teams. Even physical leaderboards could add to the impact.

5. Badges

Badges and titles could be awarded for the most challenging rewards achieved or temporary leading positions on quiz scores, phishing campaigns, training streaks, and so on. As for the rewards, badges also fulfill the motivational need of achievement.

6. Challenges

Overcoming a challenge always makes you feel you have done something useful for yourself. It also makes you want to do even better the next time when combined with the mechanics above. 

Use this by scheduling minor and temporary challenges, like a timed quiz or a phishing hunt. For instance, a timed training session popping up on a random or recently covered topic is a great way to engage people and challenge their recall abilities, especially if the rewards are more significant than those earned on usual quizzes.

The correct game mechanics can help a great deal in effectively nudging employees. They must be selected based on a thorough understanding of players, overall objectives, and the human motivations you want to fulfill.
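The sketch below is an added example, not code from the article or from any awareness platform. It combines the mechanics above: positive-only points with a time bonus, levels, a weekly leaderboard, and a streak badge. Every point value, threshold, event name, and the "phish-hunter" badge is an assumption chosen for illustration, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# All numbers below are assumptions for illustration; the article gives none.
BASE, MAX_BONUS, TIME_LIMIT_S, REPORT = 10, 5, 30, 15
LEVEL_THRESHOLDS = [0, 20, 50, 100]   # cumulative points needed for levels 1-4
STREAK_FOR_BADGE = 3                  # consecutive reported phishing simulations

def score_event(ev):
    """Points for one event; never negative, a mistake simply earns 0."""
    if ev["type"] == "quiz" and ev["correct"] and ev["seconds"] <= TIME_LIMIT_S:
        return BASE + MAX_BONUS * (TIME_LIMIT_S - ev["seconds"]) // TIME_LIMIT_S
    if ev["type"] == "phish_reported":
        return REPORT
    return 0  # wrong or late answer, or "phish_clicked": no penalty

def level_for(total):
    return sum(1 for t in LEVEL_THRESHOLDS if total >= t)

def weekly_leaderboard(events, year, week):
    """Rows of (user, week_points, level, badges), best weekly score first."""
    weekly, total = defaultdict(int), defaultdict(int)   # everyone starts at 0
    streak, badges = defaultdict(int), defaultdict(set)
    for ev in sorted(events, key=lambda e: e["day"]):
        user, pts = ev["user"], score_event(ev)
        total[user] += pts                    # levels use all-time points
        if tuple(ev["day"].isocalendar())[:2] == (year, week):
            weekly[user] += pts               # ranking uses this ISO week only
        if ev["type"] == "phish_reported":
            streak[user] += 1
            if streak[user] >= STREAK_FOR_BADGE:
                badges[user].add("phish-hunter")
        elif ev["type"] == "phish_clicked":
            streak[user] = 0                  # streak resets, score does not drop
    rows = [(u, p, level_for(total[u]), sorted(badges[u])) for u, p in weekly.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def mk(user, day, kind, **extra):
    return {"user": user, "day": date(2022, *day), "type": kind, **extra}

# Constructed sample events (not real data).
EVENTS = [
    mk("carol", (1, 31), "quiz", correct=True, seconds=15),
    mk("alice", (2, 7), "quiz", correct=True, seconds=6),
    mk("bob", (2, 7), "quiz", correct=True, seconds=30),
    mk("alice", (2, 8), "phish_reported"), mk("bob", (2, 8), "phish_clicked"),
    mk("carol", (2, 8), "quiz", correct=True, seconds=3),
    mk("alice", (2, 9), "phish_reported"), mk("bob", (2, 9), "quiz", correct=False, seconds=12),
    mk("alice", (2, 10), "phish_reported"), mk("bob", (2, 10), "phish_reported"),
]

if __name__ == "__main__":
    for row in weekly_leaderboard(EVENTS, 2022, 6):
        print(row)
```

Clicking a simulated phish costs no points here; it only resets the reporting streak, which keeps the scheme free of negative scores.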

As a final point, let's look at some successful strategies in the cybersecurity field.

Digital Guardian developed DG Data Defender to help companies engage every employee in data security. Unlike traditional methods of security enforcement, which center on identifying and reporting negative behavior, it uses positive reinforcement to reward good behavior. One exciting feature is rewarding good security practices by awarding employees prizes such as e-store gift cards.

Finally, gamification has also been used to recruit cybersecurity talent. Several prominent organizations organize specific events or permanent bug bounties to find cybersecurity candidates.
