If you have ever filled out a complete profile on LinkedIn (because you wanted to reach that 100% on the profile completeness) or finished a never-ending survey because you were promised a prize at the end, you’ve been gamified.
Gamification is a not-so-novel expression used to describe the act of infusing gaming techniques into non-game (business) scenarios with the intention of driving audience engagement and changing specific behaviors.
It is an effective social learning technique that has proven hugely successful in building efficient teams across cultures and industries, which is why you have companies like Google, Facebook, Verint and IBM making heavy investments in gamification.
The idea of gamifying corporate training was birthed out of the inefficiencies of existing approaches to engaging people and the need for an improved training experience guaranteed to make trainees/employees a little more motivated and happier about completing a training process. Games are generally known to release feel-good hormones, and that is in fact what makes them very popular. By adopting gaming mechanics like competition, points, badges and leaderboards in their corporate training programs, organizations can make learning a fun, immersive experience and nudge behavior in a desired direction.
As human errors continue to account for a large part of security incidents in many organizations and companies, providing effective and behavior-changing training for employees is crucial. Gamifying cyber security training has immense benefits both for the organization and the individual:
Communication is a two-way street, but only one lane is used during traditional classroom-style training sessions. Gamified training, on the other hand, is more engaging and requires the participation of both the instructor and the trainee. In gamified training, employees are encouraged to engage with the training content and material, as typified in the example below. In this Cyber Risk Aware example, trainees cannot progress further in the session until they click on an answer, whether it is right or wrong.
This ensures that employees are not just passively clicking through training content but are paying keen attention to the knowledge that is being disseminated.
Bite-sized & Digestible Content
The attention span of the average person is getting shorter and shorter. In the workplace there are already a lot of tasks vying for employees’ attention; as such, most do not want to be hassled with a long-form PowerPoint or video. To deliver security awareness training in this context, what is most effective is micro-content delivery and short-form challenges. Employees will be better engaged, and you will record higher retention, by shortening each lesson and turning it into an employee mission: for example, eight minutes of training each week for six weeks instead of one hour (or more) at a time.
Giving trainees feedback during their learning experience has the effect of deepening their understanding and ensuring they don't reinforce incorrect ideas or habits. It has also been shown that individuals given immediate feedback show greater increases in performance and understanding compared to when feedback is delayed.
Users don’t get real-time feedback in most corporate training programs as assessments are only done at the end of the program when all the training materials are assumed to have been fully assimilated. However, a gamified security awareness training program can give learners instant gratification with scores or other systems that update as they progress.
These kinds of programs also make liberal use of scenario-based learning, which captures some of the usual threats that employees might encounter in their day-to-day activities on the job. Employees are encouraged to learn and make mistakes, all within a controlled environment. This can lead to improved confidence and knowledge of what to do and what not to do when faced with a real-life situation.
Rewards & Recognition
Everybody loves to be recognized for their achievements and gamification allows for this to happen without bias. The prospect of being rewarded at the end of training sessions would not only motivate but also increase the performance of your employees.
Several human psychology studies have revealed that the anticipation of a reward in exchange for a certain action typically functions as a strong incentive to carry out said action, regardless of how objectively small or minor the reward may be. For example, in a cyber security training program, the reward for completion may simply be giving trainees a wristband that acknowledges their new knowledge. In absolute terms, this may be a relatively minor reward, but the desire for this reward creates a powerful incentive to perform as instructed because the human brain is hardwired to crave such recognition and rewards.
Completely eliminating the human aspect of cyber risk is a challenge, but with the right tools and programs, organizations can make tremendous progress in this area. A necessary first step is equipping employees with the knowledge they need to stay safe online. And delivering security awareness training in a game-based learning environment that enables your employees to work toward a goal, choose actions and experience consequences, all in a risk-free setting, can result in behavior change that actually reduces risks.
Furthermore, gamified cyber training is only effective if employees apply the skills they have learned and acquired to real-world scenarios. For this reason, it is advisable that you measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of your organization.