In 2017, human error accounted for 28 percent of all data breaches worldwide, as reported by the Ponemon Institute. The findings reveal that human error is one of the top three root causes of data breaches, preceded only by malicious or criminal attacks. While the majority of employees don’t set out to cause harm, many of them inadvertently do — through bad password habits, unrestrained web browsing or engagement with a malicious email. As a result, employees (and hence their employer) can quickly become victims of social engineering or phishing attacks, or worse.
While many employers claim to have established effective policies to help employees manage cyber threats, reality paints a different picture, with some studies showing that as many as two-thirds of cyber breaches are caused by employee negligence or malfeasance. As Nick Wilding, head of cyber resilience at AXELOS, told SC Media, “They (employers) often underestimate the role that their own employees – from the boardroom to the front line – can play: staff should be their most effective security control but are typically one of their greatest vulnerabilities.”
As cyber crime continues to intensify, certain organizations and governmental agencies are seeking out ways to better engage their employees in truly effective cyber security training — and recruit qualified cyber security candidates — despite the many challenges. One strategy being relied on more and more is gamification.
What is Cyber Security Gamification?
Gamification is the use of game mechanics and game thinking to engage users in solving problems and to motivate them by introducing elements of competition and reward.
Many companies are already using gamification to assist with onboarding and customer engagement, but now they are realizing the benefits that gamification may also have for company-wide cyber security training.
According to a study by Pulse Learning, 79 percent of participants (both corporate learners and university students) said they would be more productive and motivated if their learning environment was more like a game. The same study noted that the benefits of gamification include improved motivation, increased engagement, better performance feedback and enhanced productivity.
“Gamification has a tremendous opportunity to revolutionize the speed, efficacy and relevancy of training in the quickly‐evolving landscape of the Cybersecurity sector,” wrote Circadence, a software development firm and recognized leader in the federal cybersecurity community.
How Companies are Using Gamification for Cyber Security Training
Price Waterhouse Cooper developed Game of Threats™ to help senior executives and boards of directors test and strengthen their cyber defense skills. “At its core, Game of Threats is a critical decision-making game that has been designed to reward good decisions by the players and to penalize teams for making poor decisions. Players walk away with a better understanding of the steps they need to take to better secure their companies,” explained PwC. The game has been so successful since its launch that the company is now considering developing additional games specifically for financial crime and crisis management.
The Digital Guardian developed its game, DG Data Defender, to help other companies engage every employee in data security. By using positive reinforcement to reward good behavior, the game strays from traditional methods of security enforcement which centered around identifying negative behavior and reporting that behavior to higher-ups. “Eventually, continued use of good security practices will earn employees prizes, such as e-store gift cards,” explained TechCrunch.
Beaumont Health Systems introduced game-based learning in 2014 when it realized it needed a better way to engage employees. “Our previous security training was death by PowerPoint,” Scott Larsen, manager of cybersecurity operations and architecture at Beaumont Health Systems, told Mobi Health News. “It was very non-interactive, very sterile and uninteresting. It did not capture the interest of the end user.” Using a combination of gamification, interactive content and traditional teaching, Beaumont has been able to improve its cyber security training effectiveness and now finds that employees are much more proactive in their approach to cyber security.
Gamification is also being used to recruit cyber talent in an extremely competitive market. Cyber Security Challenge, a UK-based organization, holds yearly competitions in order to find, test and recruit cyber security candidates. “We’ve seen that traditional recruitment methods, used in other industries, just don’t work in cyber security,” Stephanie Daman, CEO of Cyber Security Challenge U.K., told Tech Crunch. “However, there is a noticeable pattern between gamers and those that show significant skills in the industry.”
Elements of a Successful Gamification Strategy
For businesses looking to infuse gamification into their cyber security training, it can be helpful to understand what makes for the most successful game-based training.
Use Visual Aids
Pictures and videos can help to get a point across, fast, while keeping employees engaged.
Keep Training Short and to the Point
The most effective trainings are short. Ten-minute sessions every other day for 6 weeks can be far more effective than a single, three-hour session.
Games are supposed to be fun, but it can be easy to ignore this critical element when you’re so focused on designing a thorough training strategy.
Using rewards is one of the most important elements of a game-based approach, as rewards keep users motivated and incentivized.
Consider Using AI and Machine Learning
The world of cyber security is constantly evolving as hackers learn new and more sophisticated approaches. To keep up with cyber criminals, some companies such as Circadence Corp., are infusing AI and machine learning into their game-based cyber training. The technology allows Circadence to continually update the gaming environment based on new problems and data.
Know the Audience
To get engagement, it’s important to design a game that will resonate with the intended audience. Researching what employees like, what motivates them and what devices they use most frequently will provide a solid foundation from which to design an effective training.
Ensure That Training is Ongoing
Training should be continuous and not limited to a one-time event. Keeping track of an employee’s progression through a game, with rewards at certain milestones, can help to keep employees engaged over the long-term.
Gamification is changing the way organizations think about and roll out cyber security training. Not only are businesses using game-based approaches with internal training, but some are even using gamification to launch “bug bounty programs.” These programs reward ethical hackers and researchers who are able to find and report bugs in an organization’s system. As TNW reported, “One of the most interesting bug bounties belongs to Uber, which has thrown in competition and gaming touches to keep the best researchers engaged. Participants can earn up to $10,000 for the discovery of critical bugs.”
The importance of innovative learning techniques in cyber security is imperative as the nation struggles to fill thousands of open cyber security positions and effectively fight cyber crime. For individuals and organizations looking to improve their cyber security awareness and skills, understanding cyber theory can be beneficial. Yet, the most profound and effective way to learn is through doing, which is why gamification is so effective.
Discover the fully online Master of Science in Cyber Security Operations and Leadership or learn more about our fully on-campus Master of Science in Cyber Security Engineering.