November 24, 2021

Is ‘gamification’ key to better cybersecurity training?

A new approach is required to cybersecurity training, experts believe. Gamification techniques could help make courses more engaging.

By Claudia Glover

Common faults in cybersecurity training are continuing to put companies at risk, delegates at the Cybersecurity in the Financial Industry conference hosted by the New Statesman this week were told. This is, in part, down to the low levels of engagement achieved through traditional training. Gamification of such cybersecurity training courses, where a competitive element is added, could be the solution to making it more impactful.

Ed Bishop, the co-founder and CTO of email security company Tessian, explained at the two-day conference that cybersecurity training, while well intended, is often “executed fairly poorly.” Bishop added that there is a need to move away from the “non-engaging, boring, and ineffective approach to security training.”

Bishop believes “gamification” could help achieve better employee engagement in cybersecurity training and deliver lower risk of a breach for businesses. Other security experts agree that different techniques are required to foster a more positive relationship between staff and security teams.

How effective is cybersecurity training?

Cybercrime has grown rapidly in recent years, particularly during the Covid-19 pandemic, with criminal gangs often targeting human, rather than technical, vulnerabilities. Nearly 85% of successful data breaches in 2021 have involved duping humans into giving up crucial information, so-called phishing attacks, rather than exploiting flaws in code, according to a report from Verizon.

Though this demonstrates a need for effective cybersecurity training, many companies are failing to deliver what their staff need. A report by Capgemini found that 52% of those surveyed did not think their company’s cyber training programmes gave them any new digital skills, and 45% found the training “useless and boring”. A Helpnet Security survey revealed that 61% of employees who had undergone cybersecurity awareness training failed basic tests afterwards.

Speaking as part of a panel looking at how to be secure in the age of rapid digital transformation, Bishop said the traditional method he calls “training through trickery”, where staff are persuaded to click on fake phishing links and are redirected to a cybersecurity awareness course, is outdated. “You need to flip it so it’s more empowering and gamified and relevant to their work,” he said.

What does the industry think of cybersecurity training gamification?

Gamification is a way of designing training which uses interactive elements to help those taking part retain more information. “By adopting gaming mechanics like competition, points, badges, leader boards into their corporate training programs, organisations can make learning a fun immersive experience and nudge behaviour in a desired direction,” a report from security company Cyberrisk explains. So, to use the phishing attack example, a gamified training course may use a quiz to test whether participants can spot fake emails or other phishing attempts, with prizes on offer for those who score highest.

When employees are forced into training because of a mistake, their engagement is often low, says Jake Moore, cybersecurity specialist at security company ESET. “Sneaky tactics are increasingly becoming outdated and can even frustrate staff as they are seen to attempt to catch people out,” Moore says, adding that gamification “is a more proactive approach and can make people aware of the fast-moving threat landscape in shorter spaces of time, ensuring the awareness sticks when needed. High-quality education can avoid the curse of the dreaded compulsory courses, which often have no value.”

In fact, the levels of deception sometimes involved in this sort of training are increasingly viewed as permanently damaging to the relationship of trust between management and employees, explains Javvad Malik, lead security awareness advocate at security training provider KnowBe4. “When security teams go out of their way to trick their colleagues, it can lead to resentment,” Malik says. “It’s important for the security department to foster good relations with their colleagues. If they are perceived as the department of no, then any number of approaches will likely fail.”

Positive relationships built through engaging experiences will yield better results, Malik adds. “Security teams should focus on building positive relationships with their colleagues and explain the dangers of phishing,” he says. “In instances where a collaborative approach is used, and staff are informed in advance of simulated phishing exercises taking place, then any emails that are received are more likely to be viewed as a learning experience, and they will be more open to further education.”
