Security Behavior Change

How Gamification Is Changing the Way Employees Engage in Security Training

Masha Sedova

Published on 11 September 2018

Getting your employees to care about security is hard. Not only does security feel irrelevant to them, but they’d much rather be doing their job than going through security awareness training exercises. Video lectures, lengthy quizzes, and brown bag lunch trainings are what paint an image of security in your employees’ minds — and it couldn’t be less enticing.

Truth is, we’ve been doing security awareness training wrong all along. Watching videos, reading course materials, and taking quizzes are all passive training techniques, and studies show that passive learning only has a 20 percent retention rate. As security practitioners, we know that traditional training doesn’t work, but until recently, it’s been the only option we’ve had.

But what if we could have a little fun with security? (Yes, we said fun!) This is where the idea of gamifying security awareness training was born.

You see, traditional training lacks…

  • A real-life connection between security attacks and how they can actually affect people and companies
  • Active engagement in the training, which studies show increases learning retention by 75 percent!
  • Motivation to start and finish the training — and do well in the process

Gamification is the next evolution in security awareness training, and it’s quickly becoming the most popular training technique with both employees and security practitioners. In this post, we’ll dive into why it’s so effective.

Teach Employees in the Context of Their Own Experience

Theoretical concepts are just that: theoretical. “Company A gets hit by a phishing attack and loses important data. List the consequences.” This training question is doing a few things wrong:

  • It’s not personalizing the problem by putting the company name in the scenario or defining what kinds of data their company could lose.
  • It’s not encouraging the employee to step into the shoes of the victim or hacker to really visualize the experience, it’s simply testing on recall, which quickly goes out the door the moment they move on to the next question, hence a 20 percent learning retention rate.

What if, instead, you could put your employees in the driver’s seat to both create and respond to common attacks like phishing, social engineering, and malware to really experience it first-hand? In the Hacker’s Mindexperience, for example, employees participate together in a real-life security scenario, talking through an attack that could actually hit them. They then discuss what the consequences would be to them, the company data, and the company itself.

Seeing their company name in the game, critically thinking about the exact consequences for them, and living the experience through simulated learning is true experiential learning. This type of training has been found to have a 75 percent retention rate, according to The Learning Pyramid, a popular framework for training effectiveness assessment.

If you can get employees to step into the shoes of an attacker, this actually wires their brain for long-term behavior change. Playing Hacker’s Mind, employees get to see firsthand how attacks unfold, how to spot them, and what to do next.

This prepares them for a real-life attack, so that if and when one does come, they’ll have already gone through it in the game via simulation. In other words, they’ll already have the scars.

When we first heard of Hacker’s Mind, we liked that it actually taught users how hackers think and what the impact could be to them. After the first group played, they told everyone else about it and the next day attendance tripled — some even came back to play it again!
-Aika Sengirbayeva, Sr. Information Security Program Lead, Autodesk

Build in Motivation and They Will Come

Another big challenge security practitioners face is actually getting employees to start and finish training. For companies like Autodesk, we learned it can take months of follow-up to get employees to go through training, and this is frustrating — to say the least. After months of preparation to get the right questions and videos into the training…and crickets.

However, in our experience, we’ve learned that their resistance is simply a reflection on the poor quality of training. It’s not tailored to their way of learning, they already know it’s not going to work, and that it’s a waste of time. So, why bother? Companies like Autodesk realized this after feeling the pain for one too many years, and when they rolled out Hacker’s Mind, as Aika Sengirbayeva explained above, employees not only wanted to participate, but they wanted to do it again. Unheard of in security awareness training? Yes! A reality when you gamify the experience? As our customers tell us, absolutely.

During the game, each employee gets to devise a plan to defend what matters most to them, whether it be a customer account, password, file, or anything else. They get to choose:

  • The type of hacker they want to be (e.g. cybercriminal, hacktivist, government-sponsored)
  • A hacker name
  • An attack vector (e.g. phishing, malware, social engineering)
  • A manipulation tactic (e.g. morality, trust, reward)

This is what puts their learning into practice, motivating them to participate, actively learn, and ultimately win the game. The concepts are no longer theoretical, but real information and tools they can use in real-life scenarios.

“Learning about attacks that could really hit our organization gave our employees a real-life scenario they haven’t forgotten, and our security has become even stronger because of it.”
-Redlock Security Team

Competition Rewards Learning

Part of the intrigue and addictiveness of the game is the built-in competition. Not only do players need to internalize what they learn in the game to devise their attack plan, but they’re motivated to do it well so that they have a shot at winning.

After each employee creates their plan, they share it with their training group in a roundtable experience and everyone votes on the best plan.

Autodesk, they gave the winner of each game a “Hacker Hoodie”, as they call it, which everyone wanted! Aika at Autodesk even reported that if employees lost, they came back to play again for a shot at winning not only the game, but the hoodie!

Gamifying Cybersecurity Awareness Month

Cybersecurity awareness month is right around the corner, and with so many unique experiences that go on during this month, adding gamification to the mix can be a great way to bring to life all of your training events. Plus, Hacker’s Mind is an experience that can be scaled across all offices, as it doesn’t require a security professional to run, so even remote offices won’t miss a beat!