Cybersecurity’s main challenge is the human. Your cyber awareness teams can import mechanics created in the video game industry to create your Cybersecurity Gamification strategy to impulse engagement.
We all know the facts about cybersecurity. Here and there, we’ve talked about them. Rising attacks and rising consequences. Companies have long tried to change human behaviors to reduce the risk. Still, no matter how many training, sanctions, name, and shaming (flogging?) are in place, in 2021, the human factor was responsible for 93% of successful attacks.
Some companies thought that by affording top-of-the-notch technologies, the risks would be reduced to 0. It most certainly helps, sure. But they underestimate their own employees’ role: your employees are the first line of defense. Their behavior needs to change to make your cybersecurity architecture effective truly!
So, how can we change mentalities, this gathering of beliefs and habits, and thus behaviors?
Most of the behaviors are determined by intention and are under the control of our will. Behavior changes can be seen as going through knowledge, perception, belief transformation, and then choosing to act.
Communication is an ideal lever to accompany this process. It informs and convinces, with rational arguments. It modifies perception and encourages action by playing on different emotions such as anger, sadness, joy, and more. It can also combine by stimulating both dimensions.
Still, the fact that it’s necessary or enough to change mentalities to change behaviors is questionable. Bringing knowledge, making perceptions and beliefs evolve isn’t often enough to achieve results. A well-known study showed that although 92% of Americans know the importance of washing their hands after going to the toilets, only 62% do it.
How can we explain this gap between belief, intention, and action? Lack of motivation, bad habits, or cognitive biases (loss aversion or the yearning for the status quo).
Therefore, other behavior strategies have to be planned to transform these behaviors. You have to reinforce intrinsic motivation – by making things playful – to make people act. You know where I’m going: Gamification.
Gamification uses mechanics and design techniques first introduced in games in other contexts. As we said above, it can be a powerful tool to engage your employees to change their behaviors and develop their skills and knowledge.
We’re focused, dedicated, sometimes obsessed, or even addicted when playing games. Games make us want to discover more, keep playing, and get better to go further. To achieve this, games engage us in many unique ways that change our behavior coupled with a playful side to create a feedback loop leading to self-reflection and learning. Examples include competition through leaderboards, collaboration by completing team missions, community by seeing other participants on a news feed, collection when earning unique badges, and surprises by unlocking new missions. Game dynamics are used with game mechanics to foster engagement and motivate participants.
These techniques are bearing fruits. The video gaming industry has been one the most active in growth and revenue growth in the last years. Future revenue growth projections are also high, not seeing a downturn in time spent playing video games.
An interesting study from the Entertainment Software Association in 2021 shows exciting facts about the video game industry in the US:
- 67% of adults are players
- 76% of children are players
- The average player is 31 years old
- 45% of gamers identify as female
- 80% of players are over 18
- 51% of gamers play more than 7 hours weekly
As time played, the revenue growth rose. Other industries started to pay attention to the mechanics used to keep people playing and imported them to their field, mainly in Education.
Let’s have a look a different mechanics and strategies commonly used.
Example of gamification strategies
Visual Aids: a picture or a video can be worth much more when trying to explain something, and they’re often better to keep people engaged.
Short Training: Effective training is quick. Most of the time, the global time dedicated to the training is rather long. In such a case, you would want to divide the program into ten or twenty-minute sessions every other day for 6 to 8 weeks. First, it’s better than a 4-hour course. Second, it allows repetition over time, making people understand and remember better.
Fun: It can be evident to most, but the reality is that when people are designing their training program, their fun side tends to vanish as they’re planning it. Always have the playful side in mind. It’s the main asset keeping people engaged.
Rewards: Of course, rewards are essential. This is one critical element in your approach. Look at the revolution of achievements in the video gaming industry. Multiple, easy and hard, fast and longer to obtain. As they’re starting to pile up, like points or trophies, or both, it will keep people motivated and incentivized.
Badges: You could think that Badges and Rewards are the same. Here, we’re making a slight distinction to give you food for thought. Badges are even more incentivizing as they’re meant to be shown off because of the extraordinary actions needed to unlock them, as a significant milestone achieved by the best participant.
Leveling up: To emphasize the sense of progression, you can also create a progression path based on RPG games. We all know someone (us?) who spent nights on some game to max out their characters.
Leaderboards: Direct competition between players is also an important way of keeping people engaged in your strategy. We’re naturally, at least most of us, prone to comparison and competition and to fulfill the motivational need of “achievement.” It also helps to decipher who’s lagging or isn’t receptive to the strategy.
Know your audience: Games are constantly adapting to their audience. Your strategy has to meet your audience’s tastes to find what motivates them. Matters treated, environment, characters, UX, etc.
Benefits of importing gamification?
Gamification drives engagement to influence results. When people participate and engage with your gamified product, they’re learning faster the best way to interact with your products and your services. It can be applied across a broad spectrum of activities where individuals can use mechanics to stay motivated. Some well-known platforms imported gamification mechanics and took advantage of others to become leaders. Let’s have a few examples.
Reddit used game elements to turn a relatively simple forum into one of the top social networking sites on the planet. How? With awards, points, and badges.
Fitbit or other healthcare apps/devices turned sports into incredibly playful activities with rewards, badges, and leaderboards. They’re multiplying attractive UX and small and fun perks to keep you engaged.
The same goes for lots of other gamified apps. Take even apps that help you quit smoking. They’re also introducing gamified elements such as leveling or rewards to keep you incentivized.
Last but not least, take your Subway fidelity card. Yes, the one sitting on your desk or deep into your wallet. You’re waiting for the last tampon to have your free sandwich. This is also a gamified strategy to keep you engaged.
Yes, gamification is everywhere.
6 mechanics for your Cybersecurity Gamification strategy
Most cybersecurity awareness training follows the same introduction, proper training, and a quiz. A not so much playful design. As a result, one of the main struggles is to get employees to finish the content. A new way of approaching cybersecurity awareness training leading to better engagement is found in gamification.
Below, we’ve gathered six mechanics and strategies to improve your training. Some of them require a specific platform to execute and need more work to be implemented. Others are, on the contrary, reasonably easy to incorporate. A simple quiz will be much more engaging if you add a time limit, points according to the time and the correct answer given leaderboards and badges. This will infuse a sense of competition among users to remember the solution in time and score better than others.
Awarding points for each correct answer in your quizzes is a great way to get users to finish the course. It encourages them to go through all the content to later compare their score with their coworkers and further increases the immersion in the content. You can also award points during your phishing campaigns.
One remark. You should award positive points only, no negatives, as it can foster shaming phenomena that make people wrongly answer questions more prone to quit. More, starting from 0 instead of starting at 100 offers a sense of achievement and progression.
Piling up points combines perfectly with a leveling system when talking about progression. Points score should lead to an increase of levels. This fulfills the competitive and motivational need of achieving better than your neighbor.
Each level achieved could lead to a reward. More generally, Rewards are essential in your strategy. Create a wide variety of them to set goals and increase the sense of accomplishment. Accompany them with narratives to clearly describe the plan to achieve to make the understanding and the work easier for your employees.
Of course, points, levels, and rewards deliver their best engagement qualities compared to other participants. Weekly or monthly leaderboards are one of the best-performing and most exciting features to add to motivate your teams. Even physical leaderboards could add to the impact.
Badges and titles could be awarded for most challenging rewards achieved or temporary leading position on quizzes scores, phishing campaigns, training streaks, and so on. As for the rewards, badges also fulfill the motivational need of achievement.
Overcoming a challenge always makes you feel you have done something useful for yourself. It also makes you want to do better the next time, even more, when combined with the mechanics above.
Use this by throwing minor and temporary challenges on a scheduled basis, like a timed quiz or a phishing hunt. Timed training popping up on a random topic or recently trained, for instance, is a great way to engage people and challenge their recall abilities, especially if the rewards are more significant than those earned on usual quizzes.
The correct game mechanics can help a great deal in nudging employees effectively. They need to be selected based on a thorough understanding of players, overall objectives, and the human motivations you are looking to fulfill.
As a final point, let’s look at some successful strategies in the cybersecurity field.
The Digital Guardian developed DG Data Defender to help companies engage every employee in data security. It differs from traditional methods of security enforcement centered around identifying negative behavior and reporting it by using positive reinforcement to reward good behavior. One exciting feature is rewarding good security practices by awarding employees prizes such as e-store gift cards.
Finally, gamification has also been used to recruit talents in cybersecurity. Several prominent organizations organize specific events or permanent bug bounties to find cybersecurity candidates.