26 October 2023 • Cyber security
Most entrepreneurs and security experts understand the importance of improving the security awareness of employees. 95% of all hacks and data leaks are caused by human error, and without the involvement of your team, it’s almost impossible to bring this number down.
However, many organizations that try to introduce awareness training have a continuous struggle to get their employees onboard. Not everybody understands the necessity of security awareness programs.
In a study on information security awareness, Bulgurcu found that awareness training is often experienced as an obstruction in professional environments. Employees are often busy and yet another task that doesn’t directly help them to achieve their goals can feel like a waste of time.
So how do you get your organization to engage with your security awareness efforts?
In this article, we’ll explain why we believe that gamification is the missing link to turn your security awareness program into a success and how you can get started today.
What is gamification?
Gamification is the addition of game elements into non-game environments to increase participation. This motivates people to do things they have to do, but don’t necessarily want to do.
A great example that illustrates this is the Piano Staircase Initiative by Volkswagen. To get people to start taking the stairs instead of the escalator, they turned the stairs into a big piano. They called this ‘The Fun Theory’, but it’s a great example of gamification in action.
An early example of an app that used gamification to engage users is Foursquare. Around 2011, their app enabled users to check in to different public places and businesses, such as coffeeshops, local parks, or restaurants. Users could share these check-ins with their friends, so they would know how to find them.
What made Foursquare so popular was the game elements that they added to their application. After checking into a location, the user would receive points. You could compare the number of points you had on a leaderboard, to see how you were doing compared to friends.
When you checked into special places such as a cruise ship, you could win special badges. And the icing on the cake was that if you checked in to a certain location more than anybody else, you would become the official Foursquare mayor of that place.
Gamification quickly became a key element of many other applications and is now widely regarded as a solid strategy to attract, engage, and retain users.
Gamification in cyber security: 8 core drives
As gamification pioneer Yu-kai Chou mentions in his TED Talk, gamification is about more than points, leaderboards, and badges. Because all games have these elements, but most of them are still boring. According to Chou, what makes gamification powerful isn’t necessarily the game elements, but the core drives. He developed the Octalysis framework, which consists of eight core drives, to explain this.
Below, we’ll discuss each core drive from this framework.
1. Epic meaning and calling
The ‘epic meaning’ is the core drive that makes gamers believe they are working on something greater than themselves. The player must be the lead character in a story and have a mission to achieve something meaningful. In games, an often-used epic storyline is basically as follows: the world is about to end and you’re the only one qualified to prevent that from happening.
In security awareness, an example of a storyline could be that you are the CISO of a fictional business and you need to keep it safe from hackers. If you fail, your organization goes bankrupt. This is a big responsibility with high stakes that gives the player a sense of calling.
2. Development and accomplishment
The next core drive centers around the idea of making progress and overcoming challenges. What’s key here is that there is first a sense of development and only then accomplishment. Without development, any rewards such as a trophy or badge are meaningless.
3. Empowerment of creativity and feedback
This core drive is about players being engaged in a creative process where they need to figure things out and try multiple combinations. Besides being creative, players need to see the results, get feedback, and be able to respond again.
When looking for a security awareness game, pick the one where direct feedback and the ability to try again later have been implemented.
4. Ownership and possession
Ownership and possession are again about the player being involved in the story. They need to feel like they own something and are responsible for it. When a player truly feels ownership, they will feel motivated to improve their possession. In many games, this is simply stimulated by the ability to earn virtual money or goods.
5. Social influence and relatedness
This drive is all about social elements that drive people to do better. This includes social responses, companionship, and acceptance, but also competition and envy. Once you see that your colleague is outperforming you in a certain area, you become motivated to reach their level.
When looking for gamification in security awareness programs, look for solutions where there is an easy way for users to track each other’s progress. This can often be done in a leaderboard.
6. Scarcity and impatience
The next core drive revolves around making players want something because they can’t yet have it. Many games use so-called appoint dynamics to achieve this. This is where a player is asked to come back the next day to play a bonus challenge or receive a reward. We also see this phenomenon with a lot of new social platforms, such as Clubhouse. If you wanted to get into Clubhouse when it first started gaining traction, you needed to be invited by existing members.
7. Unpredictability and curiosity
The next drive is the primary drive that makes people binge Netflix series but also get addicted to gambling: unpredictability and curiosity. The cliffhanger that makes you wonder what’s next is a powerful driver to engage users. A prime example of this drive is the Skinner Box experiment, where an animal keeps pressing a lever because it gives them results they can impossibly predict. And the less predictable the outcome, the more they want to know.
If pressing the lever always produces food, the animal will only push it when it’s hungry. But if the lever only produces food on a randomized schedule, the animal will obsessively press the lever — even if it’s not hungry at all.
8. Loss and avoidance
The last core drive in this framework is based upon avoiding something negative to take place. An easy example of this is the loss of previous work. In many games, you lose all progress you’ve made unless you reach a certain checkpoint. This motivates players to play ‘for just a couple minutes more’, which often results in playing longer than intended.
Another way to establish this feeling is by offering opportunities that only last for a set amount of time. For instance, if a bonus challenge can only be done in the coming five minutes, chances are you may act immediately and not procrastinate.
To learn more about the Octalysis framework, I highly recommend the TED Talk below.
How to implement gamification into your security awareness program
If you want to implement gamification into your security awareness program, the first and most important step is to find the right security awareness game.
At Guardey, we built a security awareness game with as much of the above mentioned core drives in mind. Here’s how it works in a nutshell:
- Players start their own fictional organization that they need to keep safe from cyber threats.
- Every week, they get a 3-minute challenge in which they can improve their reputation and win money. If they don’t do well, they lose money and their reputation gets a hit.
- In the leaderboard, they can see how well they are doing compared to other players within their organization and even worldwide.
- Once their skill level improves, users can win badges.
- The content is updated every week in collaboration with educationalists and ethical hackers
The bottom line
Security awareness is not a top priority for most people in an organization. That’s why gamification can be a great way to motivate people to participate in training.
Guardey offers the most complete security awareness game on the market. You can now try it out for free.