The Proven Value of Gamification in Security Culture

Games have the potential to strengthen security culture, especially when deployed as part of a broader program of interventions.’ That is the conclusion of Cybersecurity and human behavior: the added value of games for a strong security culture by Suzanne Janse and Annebeth Erdbrink. We’d love to take a few minutes to tell you all about it.'

The Human Factor
The fact that the human factor has a leading role in security awareness campaigns that actually work, is familiar ground to Janse and Erdbrink. “Where security experts used to focus on awareness campaigns, the effect of these campaigns – the actual behavioral change and the impact on the organizational culture – is getting more and more attention.”

Their article discusses how the impact of interventions can potentially be enhanced from behavioral psychology and game science, two of Awareways’ pillars. It’s also precisely why the Human Firewall training of Awareways was made into a case study to show that games have potential, particularly as part of a larger, broader program of interventions.

Gamification in security awareness
Gamification as an application in learning programs offers creative opportunities to make topics more interactive and challenging, so that you engage with them in a stimulating way. The social element of gamification as an application in training (processing learning material in groups and/or in the form of competition) is an additional factor of stimulation, as social interaction promotes engagement as well. On top of this, game elements – winning, positive feedback and the social interaction with, in this case, colleagues – further increase the effectiveness of learning.

Gamification has a positive influence on the attention span of participants, thanks to interaction, dynamics and engagement. The competition of a game environment provides an ongoing stimulus to work with the material – resulting in an enhanced focus on the content and a more effective retention of the material. Elements such as immediate feedback and earning badges for successful completion of challenges affect motivation, drive and the degree to which the material sticks.

The study is still ongoing, so an attitude effect measurement cannot yet be looked at, but the completed interviews are already providing valuable preliminary results and insights;

• many players indicated that the game made them more aware of the importance of handling information safely (“There were questions about opening emails that I thought – yes, I can do something with this. That made me extra aware. Of am I going to open this or not open this?”);
• as expected, the personal assistants didn’t think very differently about the subject (because it was already clear beforehand that they thought it was important), but awareness was definitely heightened (“People tend to shrug their shoulders and think: it’s always going to be okay. But it only has to go wrong once. So awareness is step one. That’s what landed with me in particular.”);
• for instance, during and after the game, players began to think more about how they handle confidential data. Not so much new topics came up for them in the game, but players realized that they can be sharper, more alert and consistent and need to take responsibility more often;
• In addition, people liked the confirmation of what they were already doing well (“It’s just good to be reminded of the facts. Most people know it. They also know it’s still relevant. You think you’re doing good – and you probably are – but it’s nice to get confirmation.”);
• specifically, players became aware of the importance of a password manager, computer screen locking and the vulnerability of an open workplace (“My friend always has a VPN on and such a password manager. I myself didn’t weigh it that heavily. They are small things, but when you don’t pay attention to this, it can go enormously wrong for an organization. As a result, I am more aware of it now. And it’s often a small effort.”);
• one player became aware through the game that it is important to report unsafe situations and discovered for the first time (!) where to do so within the organization.

If you would like to know more about the role of gamification in strengthening security culture or have any questions regarding our managed security awareness training, please feel free to contact Awareways.