In 1964 the world learned a spoonful of sugar helps the medicine go down. It wasn't the first time a key principle of gamification was said out loud, but it might well be the catchiest.
In 2019 tidying up changed hands from Mary Poppins to Marie Kondo, but the idea that making a task enjoyable makes it more likely to be done has been embraced by the business world — and cybersecurity training.
Merriam-Webster defines gamification as "the process of adding games or gamelike elements to something (such as a task) so as to encourage participation." And for many responsible for turning new hires from security vulnerabilities into security assets, it's a key strategy in keeping them focused on their training.
"There are numerous studies that show that gamification not only increases engagement, but it increases learning retention," says Hewlett Packard Enterprise (HPE) cybersecurity awareness manager Laurel Chesky. She says HPE has increased the degree to which it uses gamification in cybersecurity training because it has seen positive results with the technique.
Within HPE, Chesky says, there is mandatory basic cybersecurity training, but much more training is available on an optional basis. "We want them to come and engage with us and consume the common-sense information," she says. "If we aren't doing that in a fun and engaging way, they simply won't come back to us. So we have to do that through gamification."
How to Keep the Fun Factor Up
Moving training to a gamified basis can be effective, but, like anything, it can become rote and routine if done poorly, some say. "Gamification is great, but you need variety," says Colin Bastable, CEO of Lucy Security. "Variety is the spice of life. So I think that gamification is very valuable as part of a broader strategy."
HPE's training metrics reflect that, Chesky says. "We started off in a very grassroots, DIY-type of gaming, with a Web-based trivia game that we created," she explains. "It's very simple. It's set up like Jeopardy, and we can go online and pick a question for 200, 400, 800, or 1,000 points. It's very, very simple to create, and we did it in-house."
Joanne O'Connor, HPE cybersecurity training manager, created a different game called "Phish or No Phish" that uses the Yammer collaboration system as a platform. She will post an image on a channel and ask participants whether it's from a phishing email intercepted by the company's cybersecurity team. Employees who provide the correct answer win recognition points exchangeable for various prizes.
These games address the kind of training Lucy Security's Bastable believes is most suitable for gamification. "I would say that it works better for the short, sharp, pointed awareness training as opposed to a long and detailed course," he says. "Generally, I would say that what you want to do is create an environment that engages rapidly and that engages people where another format might not."
Many of HPE's games are designed to be completed within about 20 minutes — experiences that allow the employee to engage deeply to learn a single facet of cybersecurity, O'Connor says.
The Science of Fun
Some academic research, like that of Michael Sailera, Jan Ulrich Henseb, Sarah Katharina Mayra, and Heinz Mandla, explores the reasons gamification can be effective in training. They point to self-determination theory, which states three psychological needs must be met: the need for competence, the need for autonomy, and the need for social relatedness.
In their research, the researchers found "…the effect of game design elements on psychological need satisfaction seems also to depend on the aesthetics and quality of the design implementations. In other words, the whole process of implementing gamification plays a crucial role."
Bastable says there's a common assumption that gamification is more effective for younger employees and less so for older workers. But the reality is it can be effective for all employees, though different individuals may respond to different types of game mechanics (the way the game looks and is played).
O'Connor agrees. "It's something that we think about a lot with our new employees being, of course, younger folks, and we need to reach them. But, really, we think it reaches everybody," she says.
Chesky believes the tide has turned toward gamification in all types of enterprise training. "I think you see it now in a lot of corporations on an industry level," she says. "I think you've definitely seen most corporations and, of course, the industry moving toward that for all different kind of mandated company training because it works. It's all about engagement."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Home Safe: 20 Cybersecurity Tips for Your Remote Workers."