Gamification can enhance cybersecurity training in your organisation – Badges and leaderboards are just the first step

OutThink Gamification can enhance cybersecurity training in your organisation

Authored by Rory Attwood, Head of Content at OutThink

This week Fortune’s Kylie Robison reported that Slack (the creators of the workplace chat app) have given several core teams a week ‘off’ to catch up on overdue training. It’s a striking initiative, and Robison’s article contains some interesting discussion of the company’s possible motives. To address the issue of disengagement in employee training, consider this: Gamification can enhance cybersecurity training in your organization – Badges and leaderboards are just the first step.

For learning and development professionals, especially those of us focused on the critical area of cybersecurity, it’s an alarming headline but not necessarily a surprising one. We’ve all encountered our fair share of click-next e-learning, delivered via a creaky LMS, that no one could be blamed for putting off. But that’s not the story here. What really piqued my interest was learning that Slack uses the gamified learning platform Trailhead. 

Gamification is often mooted as the way to improve employees’ engagement in cybersecurity, and at OutThink, we believe it has a part to play. Indeed, gamified training is a key component in our product. Deployed in sync with targeted phishing simulations and our real-time data on actual user behaviours, gamified learning experiences enable us to deliver a measurable impact on the human element of cyber risk. But as Slack’s story shows, gamification is neither a magic bullet nor a one-size-fits-all solution.

Trailhead and gamification

Trailhead (which like Slack is owned by SalesForce) provides employees access to a wide range of professional development materials, including training in soft skills, guides to using popular digital tools, and intros to topics like generative AI and data science. Learners can follow pre-designated “Trails” or curate their own personal “Trailmix.” 

Every aspect of the experience is hooked into the platform’s gamification engine, which incentivises learners by rewarding their efforts with points and badges. These points eventually translate into new status levels. 

For their training week, Slack’s employees have been tasked with earning “Ranger” status. To become a Ranger requires 100 badges and 50,000 points, which is estimated to require at least 40 hours of learning. 

Given that Slack’s employees have been granted a full working week to catch up, it seems a safe assumption that many of them have put in very few of these 40 hours so far. Nor is it simply that Slack employees have been too busy to get started. Robison reports that already, employees with the technical know-how have begun writing scripts to automate their progress through training, while less technical employees share lists of the quickest and easiest modules on the platform. Even with dedicated time off to pursue gamified training, employees are avoiding it. 

Slack is just one company, and undoubtedly there are other contexts in which Trailhead is embraced with enthusiasm by learners, but the key takeaway here is that points and badges are sometimes—perhaps often—not enough to guarantee engagement or motivation to learn.

Beyond points and badges

There’s a tendency to think about gamification primarily in terms of points, badges, and leaderboards. This is natural: they’re the most obvious and visible signs that an experience has been gamified. 

However, it’s important to recognise that these things are the result of gamification, not gamification itself. If you’re a gamer or have gamers in your life, you’ll know that people who love games don’t love points and badges. They love the experiences and achievements that lead to them. 

Truly gamified training content replicates those thrilling experiences and hard-won achievements, not just the badges.

Gamifying cybersecurity awareness training

Can security awareness training (SAT) be compelling and fun? At OutThink, we believe the answer is yes. Our training content earns overwhelmingly positive feedback from learners precisely because “compelling and fun” is the standard we aim for. But achieving this requires a deeper commitment to gamification. 

Academics and L&D practitioners have identified a plethora of ways that game mechanics and dynamics can be incorporated into learning experiences. Here are just a few that we have explored at OutThink.


One of the things that makes games compelling is that they offer easy access to flow states. The psychologist who developed the concept of the flow state, Mihály Csíkszentmihályi, found that a crucial component in the induction of a flow state is challenge. 

Unfortunately, a dense block of text setting out cybersecurity policy is not the right kind of challenge. This is because it requires only patience (some might say endurance) to overcome. It does not require skill or thought. 

Games present us with obstacles we have to test ourselves to overcome. It’s when we feel we’ve excelled that we really value the points or badges we earn as a result. At the same time, it’s important that the obstacles not be too challenging, or the game becomes frustrating instead of fun. 

In the context of cybersecurity training, we can replicate the challenge of a game by building realistic security situations and decisions into a training experience. To find the right response, learners must apply what they know. It works best if the challenge is based on a situation which is not covered directly by the training material: this means that learners must use imagination and conceptual reasoning to solve the problem, not just remember an answer.

The difficulty for the learning designer is to calibrate the level of challenge correctly, especially when rolling training out to many thousands of learners. At OutThink, we address this by building difficulty levels into our challenges. Stronger learners might find themselves competing against the clock, while less confident learners have access to helpful hints. In combination with the other ways in which our training is customised to individual users, these difficulty levels enable us to provide not only a game-like challenge but also a more immersive and effective learning experience. 

At the same time, gamified challenges allow us to test learners’ security knowledge with something a bit more probing than a multiple-choice quiz.


Most games tell a story. The challenges and activities of the game engage the player because they’re part of an unfolding narrative. The player wants to find out what happens, and they want to shape the outcome of the story. 

Narrative is a huge and often overlooked opportunity for cybersecurity awareness professionals. While many outside the discipline think of security as a dry topic, we know that it’s the stuff of Hollywood blockbusters: spies, villains, whodunnits, and heroes trying to solve them. Like all the best stories, cybersecurity is about doing the right thing. People are harmed by cybercrime, and good security practices are a force for good. Cybersecurity training helps us grow into good citizens of our workplace and our broader community. 

As well as drawing out these real-life human elements, effective gamified cybersecurity training should put learners at the centre of a meaningful narrative, where their actions have high-stakes consequences. 

These principles can be implemented at the level of campaign design as well as in learning experiences. Theming security training around stories of cybercrime—real or imagined—can provide a powerful context for content that could otherwise seem dry.


In games, the player’s choices affect the outcome. This is their major differentiator from movies and TV. In simple games, the player’s choice makes the difference between winning and losing; in more complex games, like RPGs, player choices can have complex ramifications. This is a big part of what makes games compelling. 

Again, there’s powerful synergy with cybersecurity training, which is primarily about encouraging the right choices. Training that presents learners with choices not only engages them: it provides a teaching opportunity, showing learners what happens when they click the wrong link or handle personal data too carelessly. 

At OutThink we’ve found that training which offers learners a choice in this way—especially a challenging decision in the context of a meaningful narrative—consistently results in high engagement and better knowledge retention.

The core of effective gamification 

The above are just a few ways we can learn from games as we design and implement cybersecurity training. OutThink’s learning team continue to explore these and many others, including collaboration and competition. 

We do this primarily because our product collects real-time data on learners’ responses to training experiences, and over time this data has encouraged us to move further and further in the direction of gamification—but that means real game-like experiences. 

Gamification offers rich possibilities to security awareness professionals, but to unlock them we have to be willing to ask for more than badges and leaderboards. These things are certainly an improvement on click-next elearning modules without badges and leaderboards, but we shouldn’t expect them to drive huge increases in engagement or knowledge retention—not by themselves. 

The brain learns best through play. Play requires activity, not passive consumption, and participating in stories, not receiving information. Training that delivers these experiences can help us solve the human risk element of the cybersecurity puzzle.

If you’d like to learn more about how OutThink can help your organization consistently achieve high engagement and improve knowledge retention through training, get in touch.