How Healthy Gamification Can Raise Security Awareness

At Dolead, we found that integrating security awareness gamification helped to achieve significant outcomes. It led to higher levels of engagement and retention.

6 minutes
8/7/24
Benjamin Milhau

In today's fast-paced digital world, cybersecurity is a critical concern for organizations of all sizes. As cyber threats continue to evolve, it is imperative for companies to ensure that their employees are aware of these threats and know how to protect against them. This requires not only implementing robust security measures but also fostering a culture of security awareness. At Dolead, we faced the challenge of raising security awareness among our employees. This article will explore how we leveraged healthy gamification to significantly improve engagement and learning outcomes, ultimately enhancing our organization's overall security posture.

The Challenge of Security Awareness

Security awareness training is essential for mitigating risks associated with human error, which is often the weakest link in the cybersecurity chain. However, traditional training methods can be dry, uninspiring, and easily overlooked by employees who are already juggling multiple responsibilities. At Dolead, we initially deployed a tool created by Riot Security called Albert, a chatbot designed to deliver periodic courses on security topics. Despite the innovative approach, the results were underwhelming. Employees were reluctant to engage with Albert, leading to poor completion rates and minimal improvement in security awareness.

We also use another tool that comes with Albert: the phishing campaign simulator. This tool works by semi-randomly selecting two employees, based on the last time they were tested, and sending them a templated phishing email. The simulator tracks how employees respond to these phishing attempts, providing valuable data on their ability to recognize and handle potential threats.

Introducing Gamification

To address this issue, we decided to implement a gamification strategy. Gamification involves applying game-design elements in non-game contexts to motivate and engage employees. It relies on two principal factors: intrinsic and extrinsic motivators.

Intrinsic motivation refers to the internal desire to learn and achieve for personal satisfaction, while extrinsic motivation involves external rewards and recognition. By combining these motivators, gamification creates a more compelling and holistic learning experience.

This makes the task more enjoyable and rewarding, thereby increasing participation and retention.

We introduced a simple yet effective gamification mechanism at Dolead:

  1. Team-Based Competition: Each week, we compiled and displayed statistics by organizational team, showing the average completion rates of Albert's courses. This introduced a competitive element, as teams could see how they ranked against each other.
  2. Wall of Shame: We also created a "wall of shame" that highlighted the employees who were most reluctant to complete the courses. While this may seem harsh, it’s important to keep in mind that it was a lighthearted nudge and didn’t lead to any punitive measures.

The Impact of Gamification

The introduction of gamification had a profound impact on security awareness at Dolead. Within just two weeks, course completion rates increased by 30%. This rapid improvement highlighted the effectiveness of gamification in engaging employees and fostering a culture of continuous learning. Here are some key outcomes we observed:

Increased Engagement

The competitive element of team-based stats and the wall of shame created a sense of urgency and motivation. Employees were more inclined to participate in the courses, knowing that their efforts (or lack thereof) would be visible to their peers and managers. This social aspect of gamification tapped into the natural human desire for recognition and achievement.

Positive Reinforcement

Managers played a crucial role in the success of our gamification strategy. They began to take an active interest in their teams' performance, not only to avoid the wall of shame but also to showcase their team's achievements. By actively monitoring and promoting their teams' progress, they reinforced the importance of security awareness. This top-down support was instrumental in sustaining engagement and ensuring that security remained a priority across the organization.

Empowered Employees

In response to growing interest, Riot Security developed a feature allowing employees to request additional courses from Albert. This feature was not originally planned, since engagement was expected to be low, but it empowered employees to take control of their learning and demonstrated their commitment to security.

It demonstrated that security awareness was not just a top-down mandate but a shared responsibility. Employees felt empowered to take charge of their own learning, leading to a more proactive approach to security.

Sustained Improvement

The impact of our gamification strategy was not just a short-term spike in engagement. The sustained interest and continuous participation indicated a lasting change in attitude towards security awareness. Employees developed a habit of regular learning and became more vigilant about security practices. This ongoing commitment to security awareness is crucial in maintaining a robust security posture in the long run.

This is especially visible in the phishing campaigns, where employees developed a heightened sense of distrust toward any suspicious email, SMS, or message and started to help each other when it was time to ascertain veracity and authenticity.

They are also more inclined to ask the security referent for help or advice when a doubt remains.

Challenges and Lessons Learned

While the gamification strategy was largely successful, it was not without its challenges. One of the initial hurdles was ensuring that the gamification elements were perceived positively and not as punitive measures. The wall of shame, in particular, had to be carefully managed to maintain a lighthearted tone and avoid any negative impact on employee morale.

Another challenge was keeping the competition healthy and ensuring that it did not lead to undue pressure or stress among employees. We addressed this by emphasizing the importance of learning and improvement over mere competition. Regular feedback and support from managers helped in maintaining a balanced approach.

We also learned the importance of continuous innovation in our gamification strategy. As employees became accustomed to the existing game elements, it was necessary to introduce new challenges to keep the engagement levels high. This included incorporating different types of courses and periodically updating the competition format. For example, we introduced the same mechanism with the phishing campaign simulator and now share monthly statistics on how each team performs against phishing.

Conclusion

The journey at Dolead demonstrates that healthy gamification can significantly raise security awareness and foster a culture of continuous learning. By introducing elements of competition, recognition, and empowerment, we transformed our security training program into an engaging and effective experience. The positive effects of gamification extend beyond improved completion rates; they contribute to a more vigilant and security-conscious workforce, better equipped to navigate the challenges of the digital landscape.

As organizations continue to face evolving cyber threats, investing in innovative approaches like gamification can provide a huge boost. By making security awareness training enjoyable and rewarding, companies can cultivate a proactive and resilient security culture, safeguarding their most valuable assets in an increasingly interconnected world.
