Gamification Can Enhance Security Awareness Training – Badges and Leaderboards Are Just the First Step
Jan 31
Rory AttwoodRory Attwood designs and delivers cutting-edge cybersecurity awareness training at OutThink, leveraging generative AI and interactive content to create engaging learning experiences. With expertise in content design, product management, and team leadership, he thrives at the intersection of creativity and technology. Rory holds a Master of Fine Arts in Creative Writing from the University of Michigan and a Double First in English from the University of Cambridge, where he received the University Prize for Shakespeare Studies.
View Profile
In this article
Gamification in Security Awareness Training Gamification and Employee Engagement: Learning from SlackTrailhead and Gamification in SATBeyond Points and Badges: True Gamification in Cybersecurity TrainingGamifying Cybersecurity Awareness TrainingChallenge: Creating Flow Narrative: Engaging Learners Through StoriesReady to transform your security awareness training?Choice: How Decisions Enhance Learning OutcomesThe Core of Effective GamificationThe Future of Gamified Security Awareness TrainingExperience OutThink
Gamification in Security Awareness Training
This week Fortune’s Kylie Robison reported that Slack (the creators of the workplace chat app) have given several core teams a week ‘off’ to catch up on overdue training. It’s a striking initiative, and Robison’s article contains some interesting discussion of the company’s possible motives. To address the issue of disengagement in employee training, consider this: gamification can significantly improve the experience of employee cybersecurity awareness training in your organization, knowledge retention, and secure behavior adoption.
For learning and development professionals, especially those focused on the critical area of cybersecurity, it’s an alarming headline but not necessarily a surprising one. We’ve all encountered our fair share of click-next e-learning, delivered via a creaky LMS, that no one could be blamed for putting off. But that’s not the story here. What really piqued my interest was learning that Slack uses the gamified learning platform Trailhead.
Gamification and Employee Engagement: Learning from Slack
Gamification is often mooted as the way to improve employees’ engagement in cybersecurity, and at OutThink, we believe it has a part to play. Indeed, gamified training is a key component in our product. Deployed in sync with targeted phishing simulations and our real-time data on actual user behaviors, gamified learning experiences enable us to deliver a measurable impact on the human element of cyber risk. But as Slack’s story shows, gamification is neither a magic bullet nor a one-size-fits-all solution.
Trailhead and Gamification in SAT
Trailhead (which, like Slack, is owned by Salesforce) provides employees access to a wide range of professional development materials, including training in soft skills, guides to using popular digital tools, and intros to topics like generative AI and data science. Learners can follow pre-designated “Trails” or curate their own personal “Trailmix.”
Every aspect of the experience is hooked into the platform’s gamification engine, which incentivizes learners by rewarding their efforts with points and badges. These points eventually translate into new status levels.
For their training week, Slack’s employees have been tasked with earning “Ranger” status. To become a Ranger requires 100 badges and 50,000 points, which is estimated to require at least 40 hours of learning.
Given that Slack’s employees have been granted a full working week to catch up, it seems a safe assumption that many of them have put in very few of these 40 hours so far. Nor is it simply that Slack employees have been too busy to get started. Robison reports that already, employees with the technical know-how have begun writing scripts to automate their progress through training, while less technical employees share lists of the quickest and easiest modules on the platform. Even with dedicated time off to pursue gamified training, employees are avoiding it.
Slack is just one company, and undoubtedly there are other contexts in which Trailhead is embraced with enthusiasm by learners, but the key takeaway here is that points and badges are sometimes—perhaps often—not enough to guarantee engagement or motivation to learn.
Beyond Points and Badges: True Gamification in Cybersecurity Training
There’s a tendency to think about gamification primarily in terms of points, badges, and leaderboards. This is natural: they’re the most obvious and visible signs that an experience has been gamified.
However, it’s important to recognize that these things are the result of gamification, not gamification itself. If you’re a gamer or have gamers in your life, you’ll know that people who love games don’t love points and badges. They love the experiences and achievements that lead to them.
Truly gamified training content replicates those thrilling experiences and hard-won achievements, not just the badges.
Gamifying Cybersecurity Awareness Training
Can security awareness training (SAT) be compelling and fun? At OutThink, we believe the answer is yes. Our training content earns overwhelmingly positive feedback from learners precisely because “compelling and fun” is the standard we aim for. But achieving this requires a deeper commitment to gamification.
Academics and L&D practitioners have identified a plethora of ways that game mechanics and dynamics can be incorporated into learning experiences. Here are just a few that we have explored at OutThink.
Challenge: Creating Flow
One of the things that makes games compelling is that they offer easy access to flow states. The psychologist who developed the concept of the flow state, Mihály Csíkszentmihályi, found that a crucial component in the induction of a flow state is challenge.
Unfortunately, a dense block of text setting out cybersecurity policy is not the right kind of challenge. This is because it requires only patience (some might say endurance) to overcome. It does not require skill or thought.
Games present us with obstacles we have to test ourselves to overcome. It’s when we feel we’ve excelled that we really value the points or badges we earn as a result. At the same time, it’s important that the obstacles not be too challenging, or the game becomes frustrating instead of fun.
In the context of cybersecurity training, we can replicate the challenge of a game by building realistic security situations and decisions into a training experience. To find the right response, learners must apply what they know. It works best if the challenge is based on a situation which is not covered directly by the training material: this means that learners must use imagination and conceptual reasoning to solve the problem, not just remember an answer. Research shows that using cybersecurity serious games can result in higher self-reported attitudes and behaviors towards cybersecurity practices, compared to non-cybersecurity games.
The difficulty for the learning designer is to calibrate the level of challenge correctly, especially when rolling training out to many thousands of learners. At OutThink, we address this by building difficulty levels into our challenges. Stronger learners might find themselves competing against the clock, while less confident learners have access to helpful hints. In combination with the other ways in which our training is customized to individual users, these difficulty levels enable us to provide not only a game-like challenge but also a more immersive and effective learning experience.
At the same time, gamified challenges allow us to test learners’ security knowledge with something a bit more probing than a multiple-choice quiz.
Narrative: Engaging Learners Through Stories
Most games tell a story. The challenges and activities of the game engage the player because they’re part of an unfolding narrative. The player wants to find out what happens, and they want to shape the outcome of the story.
Narrative is a huge and often overlooked opportunity for cybersecurity awareness professionals. While many outside the discipline think of security as a dry topic, we know that it’s the stuff of Hollywood blockbusters: spies, villains, whodunnits, and heroes trying to solve them. Like all the best stories, cybersecurity is about doing the right thing. People are harmed by cybercrime, and good security practices are a force for good. Cybersecurity training helps us grow into good citizens of our workplace and our broader community.
As well as drawing out these real-life human elements, effective gamified cybersecurity training should put learners at the center of a meaningful narrative, where their actions have high-stakes consequences.
Ready to transform your security awareness training?
Discover how OutThink’s gamified training modules can engage your employees and drive better results. Contact us today to learn more about our immersive training experiences and how we customize them to your organization’s needs.
Choice: How Decisions Enhance Learning Outcomes
In games, the player’s choices affect the outcome. This is their major differentiator from movies and TV. In simple games, the player’s choice makes the difference between winning and losing; in more complex games, like RPGs, player choices can have complex ramifications. This is a big part of what makes games compelling.
Again, there’s powerful synergy with cybersecurity training, which is primarily about encouraging the right choices. Training that presents learners with choices not only engages them: it provides a teaching opportunity, showing learners what happens when they click the wrong link or handle personal data too carelessly.
At OutThink we’ve found that training which offers learners a choice in this way—especially a challenging decision in the context of a meaningful narrative—consistently results in high engagement and better knowledge retention.
The Core of Effective Gamification
The above are just a few ways we can learn from games as we design and implement cybersecurity training. OutThink’s learning team continues to explore these and many others, including collaboration and competition.
We do this primarily because our product collects real-time data on learners’ responses to training experiences, and over time this data has encouraged us to move further and further in the direction of gamification—but that means real game-like experiences.
The Future of Gamified Security Awareness Training
Gamification offers rich possibilities to security awareness professionals, but to unlock them we have to be willing to ask for more than badges and leaderboards. These things are certainly an improvement on click-next e-learning modules without badges and leaderboards, but we shouldn’t expect them to drive huge increases in engagement or knowledge retention—not by themselves.
The brain learns best through play. Play requires activity, not passive consumption, and participating in stories, not receiving information. Training that delivers these experiences can help us solve the human risk element of the cybersecurity puzzle.
If you’d like to learn more about how OutThink can help your organization consistently achieve high engagement and improve knowledge retention through training, get in touch.
Unlock unprecedented user engagement with OutThink
Rory AttwoodRory Attwood designs and delivers cutting-edge cybersecurity awareness training at OutThink, leveraging generative AI and interactive content to create engaging learning experiences. With expertise in content design, product management, and team leadership, he thrives at the intersection of creativity and technology. Rory holds a Master of Fine Arts in Creative Writing from the University of Michigan and a Double First in English from the University of Cambridge, where he received the University Prize for Shakespeare Studies.
View Profile
In this article
Gamification in Security Awareness Training Gamification and Employee Engagement: Learning from SlackTrailhead and Gamification in SATBeyond Points and Badges: True Gamification in Cybersecurity TrainingGamifying Cybersecurity Awareness TrainingChallenge: Creating Flow Narrative: Engaging Learners Through StoriesReady to transform your security awareness training?Choice: How Decisions Enhance Learning OutcomesThe Core of Effective GamificationThe Future of Gamified Security Awareness TrainingExperience OutThink
Unlock unprecedented user engagement with OutThink
Experience OutThink
Related Articles
Lev Lesokhin
18/07/2024
State-Sponsored Phishing Attacks Target 40,000 Corporate Users: What This Means for Protecting Your Business
Read More about AI-Native Cybersecurity Human Risk Management
Lev Lesokhin
17/05/2024
Password Security: Why the UK is Banning Generic Passwords
Read More about AI-Native Cybersecurity Human Risk Management