Cybersecurity, at its very core, is a competition. On one side, we have defenders trying to maintain the confidentiality, integrity, and availability of their digital assets. On the other side, we have attackers with differing motives vying to control the same digital assets.
This adversarial cybersecurity narrative is rife with the kind of conflict and tension that makes for a thrilling movie, video game, or television plotline. Unfortunately, traditional cybersecurity awareness training rarely delivers the same level of excitement that we find in more dramatic and entertaining depictions of cybersecurity. For the most part, awareness training still relies on rote learning. The conversation is too often one-sided and incentivizes learners to spend as little time as possible with their training materials. Instead of educating and empowering employees to be cybersecurity superheroes all year long, cybersecurity awareness training becomes a quickly forgotten nonevent.
So how do we close the engagement gap? Can we make cybersecurity awareness training more appealing? The answer is an unequivocal yes. To do so, we need to recover some of the intensity lost when moving the cybersecurity conversation from complex, real-world adversarial competition to the more theoretical business education environment. We need to create a more meaningful and immersive learning experience. What we need is gamification.
Gamification, as defined by the Merriam-Webster dictionary, is “the process of adding games or gamelike elements to something (such as a task) so as to encourage participation.” A popular taxonomy of gamification elements for education has the following five categories that we can apply to cybersecurity awareness training:
Performance elements provide feedback to learners, help learners understand where they are on their educational journey, and encourage progression.
A practical example that leverages many performance elements is the venerable Capture the Flag (CTF) contest. If you've never participated in a CTF contest, don't worry: they are relatively easy to understand. Players find a flag (a piece of information that is not easily guessed) by solving a puzzle or doing a cyber scavenger hunt. They submit the flag to the submission system, which gives players or teams points based on how difficult the flag was to find and how quickly the team captured it. A scoreboard keeps track of point totals and typically includes a colorful graph showing points over time.
CTFs are underutilized as training tools because many people are not aware of how easy it is to separate the content from the format. We can create a CTF focused on cybersecurity policy and best practices as easily as one about exploiting web application vulnerabilities. Keeping score, varying the difficulty of problems, and showing progress over time can all combine to turn the most mundane subject into an engaging game.
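The submission and scoring flow described above, sketched as an added example that is not part of the original article or any particular CTF platform. The challenge names, flags, the one-hour duration and the linear time decay with a 50% floor are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def flag_digest(flag: str) -> bytes:
    """Hash a flag so the scoreboard never stores answers in plaintext."""
    return hashlib.sha256(flag.strip().encode("utf-8")).digest()


@dataclass(frozen=True)
class Challenge:
    name: str
    digest: bytes      # SHA-256 of the expected flag
    base_points: int   # higher for harder challenges


class Scoreboard:
    def __init__(self, challenges, duration_s, floor=0.5):
        self.challenges = {c.name: c for c in challenges}
        self.duration_s = duration_s
        self.floor = floor      # assumed: fraction of base points paid at the end
        self.solved = set()     # (team, challenge) pairs already credited
        self.history = {}       # team -> [(elapsed_s, running_total)] for the graph

    def submit(self, team, name, flag, elapsed_s):
        """Return the points awarded for this submission (0 if rejected)."""
        ch = self.challenges.get(name)
        if ch is None or (team, name) in self.solved:
            return 0  # unknown challenge, or a repeat of an earlier solve
        # Compare digests in constant time so response timing reveals nothing.
        if not hmac.compare_digest(flag_digest(flag), ch.digest):
            return 0
        remaining = min(1.0, max(0.0, 1.0 - elapsed_s / self.duration_s))
        points = round(ch.base_points * (self.floor + (1 - self.floor) * remaining))
        self.solved.add((team, name))
        timeline = self.history.setdefault(team, [])
        total = (timeline[-1][1] if timeline else 0) + points
        timeline.append((elapsed_s, total))
        return points


# Constructed sample contest: two policy-awareness challenges, one hour long.
CHALLENGES = [
    Challenge("clean-desk", flag_digest("FLAG{lock-your-screen}"), 100),
    Challenge("phish-report", flag_digest("FLAG{report-dont-click}"), 300),
]
```

The `history` list per team is the data a scoreboard would plot as points over time.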
Acknowledging participation and rewarding winners is also an important part of what makes CTFs fun. In 2021, prizes based on e-gift cards and non-fungible tokens (NFTs) are the way to go.
Fictional elements help learners focus on content and more easily remember complex ideas.
Unfortunately, the scenarios in traditional cybersecurity awareness training are often disjointed. We hop from one group of new characters to another without a transition. We usually aren’t provided with much of a backstory, and there is little character development.
A good alternative is to leverage popular fictional characters and storylines. Staying with the same story and characters throughout a training course can also be very helpful. A consistent, well-known storyline is easier to build on and allows for the rapid introduction of more complex ideas without wasting time on unnecessary exposition.
Personal elements help learners by providing meaning.
As mentioned earlier, one of the failings of traditional cybersecurity awareness training is that it is a one-sided conversation where the same information is imprinted on learners over time by using rote learning. The only tasks that ask for learner participation are typically multiple-choice quizzes.
Instead, we should encourage more active learner participation. We can do this by ensuring content is up-to-date and relevant. Introduce novel ideas, scenarios, and technology. Leverage puzzles, scavenger hunts, and other fun cognitive tasks where you can. If possible, try to engage more of the learner’s senses: Think virtual or augmented reality, music, food, and so on.
Social elements help keep learners from feeling isolated.
Having learners belong to a team as part of their training encourages cooperation between individuals. Competition between individuals or groups encourages awareness of others and helps learners stay focused on their goals.
Ecological elements help create an exciting learning environment.
Whatever puzzles or games you employ, consider adding a bit of randomness or chance. Easter eggs, bonuses, and random or variable point scores can keep outcomes unpredictable.
Adding a time constraint to challenges helps by creating a sense of urgency.
Gamifying cybersecurity awareness doesn’t happen overnight. Introduce different aspects over time and tailor them to what works best for your company. Make sure to survey participants after each training event. Most importantly, have fun. If you aren’t having fun putting together your cybersecurity awareness training, then your employees will not have fun receiving this training.
Cybersecurity training loves the cloud. It’s easy to create fully automated, isolated, and ephemeral learning environments. Whether you are looking to host a single-instance CTF dashboard, leverage Kubernetes to host web-based puzzles, or provision 1,000 virtual desktops, Rackspace has over 3,000 certified cloud professionals who can help you automate and manage your infrastructure so you can focus on making engaging content.