GAMIFYING CYBER SECURITY AWARENESS TRAINING – IN THE WORKPLACE

Games
Gamification by Daniel Cairns (CC BY 2.0)

What is this gamification?

Deterding and colleagues (2011) define gamification as “the use of design elements characteristic for games in non-game contexts”, which, when you take a step back and look around, is used everywhere. Anything that isn’t a game but has gaming elements such as avatars, ladders, point systems and/or interactive problem solving with reward systems attached can be considered gamification.

Why Gamify?

For our purposes of educating in the workplace we are using gamification to motivate people to pay attention by making the training interesting and engaging. Our implementation should increase memory retention through habitual learning and make the overall workplace learning more efficient.

What is the problem we are trying to solve?

A lack of competence and awareness of cyber security in a workplace will undermine any well-designed data security control system; thus the implementation of an effective security awareness training program is an integral part of an organisation’s cyber security strategy (Baxter 2016).

How does gamification help?

Gamification allows us to select appropriate game elements for our target audience to inspire motivation and assist in acquiring knowledge through habitual learning. Adams and Makramalla (2015) proposed four elements for a successful implementation of gamification in a security and awareness training session: a story, player control, problem solving and progress mechanics. They also suggest implementing a perspective from the different attack agents an organisation faces. The conclusion of their article lacked evidence of a practical exercise to prove the results; however, gamification in cyber security training is already working in the real world, and a revised training session based on Adams and Makramalla’s suggestions is in progress.

By implementing gamification we give participants in our training sessions an interactive method of engagement.  

Does gamification work in the real world?

Gamification needs to be implemented appropriately for the audience and educational topics being taught. I’ve recently run a series of Cyber Security awareness sessions using a gamified application called Kahoots™. I compiled approximately 20 questions tailored to the organisation, which participants answered using their phones or similar devices. After each question, I explained why the answer was what it was and engaged in conversation with the group about how it related to their environments. A case study video here:

The post-survey results indicated 100% of participants felt engaged, and 100% of the results also showed they enjoyed their session and learnt something from it. This proved undoubtedly more effective than previous non-gamified sessions where people fell asleep during the sessions that were delivered with one-way communication as participants were lectured to.

Can it be done better?

Gamification, like technology and life, evolves. Implementing strategies and new elements as suggested by Adams and Makramalla and from other similar research should create more interesting, captivating and addictive elements to further create habits that make the boring subject of cyber security interesting and engaging. It is hoped that it will enable participants to make security a default subconscious factor when making decisions in the workplace.

Working together and sharing the results of our implementations will allow us to learn from each other what works in different scenarios.

What now?

For my next session I will be researching and developing Cyber Security awareness training programs that are in two parts.

Part one: Online delivery

What I’ve learned is that a lot of the content I deliver in my training is universal for all companies I visit, and whilst some participants find it intuitive, others are a little less savvy. The online delivery component will attempt to level that initial knowledge level prior to a face-to-face training session (more on that in part two).

The online component will allow a participant to read a short introductory story to set the scene and define a set of security issues for a fictitious company. The player will create and customise their player avatar, which they will use in the story to problem solve six threats to the organisation through an online decision-making process.

Part Two: Group training session

The group training session will be a shorter ~10 question session similar to before; however, the participants will use their online profile to answer the questions and work as a team. As long as the group vote is correct they will proceed to the next question. The facilitator will guide them through discussion, enabling customised discussion relevant to their organisation.

Results:

We’ll also make the training feedback part of the gamified process to complete their attendance. The goal will be to obtain a 100% post-session feedback result, which will enable us to analyse the results of the training better and feed those results back to the community.

If you have had some success or even failures in implementing similar gamified training, or have any questions, I would love to hear from you. I can be contacted in the comments below or @DanielCairns on Twitter.

References:

Adams, M & Makramalla, M 2015, ‘Cybersecurity Skills Training: An Attacker-Centric Gamified Approach’, Technology Innovation Management Review, Vol 5, Issue 1, pp 5-14, retrieved 20 April 2019, http://timreview.ca/article/861

Baxter, J, Holderness, D & Wood, D 2016, ‘Applying Basic Gamification Techniques to IT Compliance Training: Evidence from the Lab and Field’, Journal of Information Systems, Vol 30, Issue 3, pp 119-133, retrieved 20 April 2019, DOI: 10.2308/isys-51341

Deterding and associates 2011, ‘Gamification: Toward a Definition’, retrieved 26 April 2019, http://gamification-research.org/wp-content/uploads/2011/04/02-Deterding-Khaled-Nacke-Dixon.pdf

Music and Animation in YouTube video: audio levels visualisation by Joseph (CC BY-3.0)

Connect with me online:
LinkedIn: www.linkedin.com/in/danielcairns/
Twitter: twitter.com/danielcairns