You probably keep hearing about gamification, but what is it exactly? And, more importantly, what impact can it have on company’s cybersecurity training?

This article presents a brief overview of gamification’s history and the psychological drivers, deeply seated in human nature, behind its effectiveness. It presents some examples of gamification’s use in training and suggests some ideas for its deployment in cybersecurity training, a field where it is perfectly relevant.

What is gamification?

As long as humans have been around, there have been games : in ancient Egypt and Greece, throughout prehistory, and even before that if we look at the behavior of certain primates.

But why does Man love to play ?

Games rely on deep psychological levers : “intrinsic” motivation, which consists of three broad categories :

  • Autonomy : being the driver of one’s choices
  • Social : interacting with other people
  • Success: reaching goals

Games have the advantage of creating a scenario for a given “goal” (like learning a foreign language), in an evident and understandable manner, and of facilitating engagement.

The concept of gamification is derived from these observations.

The idea is that introducing game-like elements to topics that, without them, would not capture the interest of their targets will make these subjects more fun and engaging.

Today, gamification is ubiquitous on the different websites and apps we use (for example, via goal, progress monitors and rewards and bagdes on the duolingo foreign language app).

But how did we get to this point? What is the impact? And how could this be used in cybersecurity?

A brief timeline of gamification

It all began in 1980, with the publication of an article titled “What Makes Things Fun to Learn, A Study ofIntrinsically Motivating Computer Games” by T. Malone, an MIT professor who analyzed how children could learn from computer games.

The ball was rolling :

  • 1984: publication by C. Coonradt of “The Game of Work: how to enjoy work as much as play”, one of the first books to project games in the business sphere
  • 2002: the term “gamification” is first used by N. Pelling who created a gamified interface for ATMs, vending machines and cell phones. The same year, America’s Army is launched (a learning game and a recruitment tool for the US army)
  • 2007: launch of chore wars (if there was one field to gamify…) with the aim of increasing the implication of both parents and children in household chores
  • 2009: launch of Foursquare (with a gamification component : badges to be collected) and of BigDoor (a loyalty program using gamification)

The 2010s will see an acceleration in the use of gamification:

  • 2011-2021: Conferences on gamification ; Badgeville raises 25 million dollars, Mozilla Open Badges is launched to create a standard for validation of trainings
  • 2016: Pokemon Go is a global success, attributed to the nature of the gamification mechanisms used
  • 2018: gamification is a component integrated in the creation and design logic of the vast majority of apps

Why does it work for training?

A study has shown that close to 90% of employees enjoyed having gamification elements in their day-to-day work, and that these could increase the retention of information by up to 90%. But why is gamification so effective?

Gamification is validated by neurosciences

The reward, attributed based on the achievement of certain objectives, or the validation of trainings, leads to the release of hormones such as dopamine, serotonin, or endorphins. These hormones in conjunction with the feeling of success or personal accomplishment increase the effectiveness of trainings or programs that are then associated with positive emotions (wellbeing, personal satisfaction, happiness)

Gamification relies on a deep-seated psychological lever: reaching goals

The fact of linking trainings or programs with the obtention of rewards increases the engagement of users by moving the goal posts, from “following a training to master a topic” to “obtaining a reward”. This shifts the subject from a business training to reaching personal goals which in turn increases interest and engagement for the topic at hand.

Gamification implies action

Linking action with a concrete result (which differs from previous, entirely passive, trainings), generates motivation and engagement.

Gamification provides real-time feedback

This is probably one of the most underestimated components of gamification, but personal evolution and real-time performance measurement contribute enormously to the success of gamification in training. It is extremely rewarding for users to be able to see their individual performance (in contrast with reporting with a larger granularity, at the team or business unit level for example). It places the individual at the center of the process, allows him to observe his progress, and can be made fun and entertaining (and probably should in order to avoid this performance-monitoring to be source of stress).

Gamification integrates social components

Up to 90% of what we learn is acquired outside of formal training. By incorporating elements of social interaction such as news or activity feeds, chats, or notifications, the social component of gamification increases the effectiveness of trainings.

A few examples

  • A study from the University of Vanderbilt on over 1000 students found “strong benefits in terms of  [student] implication due to game conditions and a strong interest for the use of such games in the future
  • The deployment of gamified trainings at Webhelp helped halve the onboarding time for new employees
  • Game, a video-game vendor in the UK and Spain, saw its average basked size almost double after deploying a gamified training for its sales teams
  • Domino’s gamified its user experience with the launch of Pizza Hero (30% increase in sales at launch) after having deployed gamified micro-learnings which significantly reduced the onboarding time of its new employees
  • And, of course, everyone is familiar with applications that rely on a gamified system of badges and levels to reward reaching certain targets, progress bars, internal forums such as Duolingo (foreign languages), Treehouse (coding), Robinhood (investment)…

Applying gamification to cybersecurity

Cybersecurity seems to be a relevant field for gamification, and yet this mode of training has yet to be regularly employed. Why?

The topic has long been considered as too technical, too complex and complicated for users. Something only for the knowledgeable. This is clearly wrong.

And the cybersecurity industry has long sought to provide a technical solution to weaknesses that derive from the behavior of users. This “techno-centric” approach has relegated employees to the sidelines: the less was asked of them, the better for the company’s cybersecurity.

And yet, cybersecurity is a technical and immersive universe, one which it is possible to discover progressively. It requires users to be active and overall represents a “world” in which gaming components fit in well.

All in all, gamification and cybersecurity are a relevant match!

This is what Beaumont Health Systems understood : they introduced gamified cybersecurity training in 2014.

Their chief information security officer called their previous, dry and rote training, “death by PowerPoint”.

This new approach led to an increase in the retention of information and a more proactive approach to cybersecurity by the company’s employees.

Gamification applied to cybersecurity training touches upon multiple concrete aspects of a company’s cyber defense:

  • Threat and phishing reporting
  • More effective trainings
  • Progress tracking during simulations, penetration tests

All this leads to greater engagement and motivation for the employees, gives them an active role, and makes the topic much more fun to master.