Using gamification to help build cyber resilience

Human errors are present in most cyber attacks, says Dr John Blythe, and standard prescriptive training programmes are not proving very effective in improving this situation. In this article he explains why gamification can improve employee learning, outcomes, and overall cyber resilience.

Nearly 82 percent of the breaches last year were a result of human errors, according to Verizon’s latest research. Whether it’s an employee unintentionally clicking a malicious link, keeping weak passwords, publicly exposing their IP addresses, or not updating software in time - human errors are present in most cyber attacks.

So, no matter what tools and technology businesses adopt, they alone won’t be enough to ensure true cyber resilience – due to the important role people play in cyber security. That’s why businesses today have to give equal, if not more, focus to developing the cyber capabilities and confidence of their entire workforce, at both the individual and team levels.

An effective way to achieve this is by replacing your legacy prescriptive training programmes with gamified learning - an engaging, interactive, and simulation-driven approach to cyber security upskilling.

Legacy awareness training and its pitfalls

The problem with traditional security training is that such programmes focus on building awareness rather than actual capabilities. Most security awareness training (SAT) sessions include hours of dry presentations and click-through e-learning courses, which cause nothing but fatigue and frustration for employees. In most cases, employees will just sit through these sessions for the sake of compliance. Such legacy SATs cannot keep pace with today’s rapidly evolving cyber threats and, therefore, have little to no impact on securing the entire workforce.

Knowing information and acting upon it are two very distinct functions. For instance, almost every organization and workforce today knows about the threat of phishing attacks, but phishing is still one of the most successful attack tactics. That’s because knowing about phishing threats and being capable of detecting and reporting such attacks are very different things.

This legacy approach has made cyber security training a negative experience among employees, where they are forced to participate as a captive audience. The end result is a more disengaged and insecure workforce, waiting to be picked apart by threat actors. If businesses want to achieve cyber resilience, their learning programmes must be engaging, interactive, and focused on developing capabilities, rather than just providing information.

This is where gamification can add significant value.

Understanding the psychology of gamification

Gamification is the application of game-like elements, mechanics, and design to non-game contexts or activities to increase user engagement, motivation, and participation. The goal of gamification is to make non-game activities, like cyber security training, more enjoyable, motivating, and rewarding by tapping into the human desire for competition, achievement, and recognition. This encourages individuals to transfer their in-game learning experience to the workplace.

The core psychological benefit of gamification is the development of motivational challenges. Motivation, in fact, plays a huge role in creating security risks for an organization. A demotivated and unengaged workforce means that developers might not be vigilant enough in mitigating vulnerabilities, or employees might fail to report a phishing email in time. This lack of motivation creates a wider workforce perspective that security is someone else’s responsibility.

As traditional SATs are prescriptive, they focus on delivering information for the sake of awareness, which rarely translates into actual behavior change. On the other hand, gamification is a motivational driver that creates feelings of empowerment, making security more attractive and promoting cooperative work and effort between people.

The benefits of gamification are well documented in scientific research. Studies have found gamification to have a significant effect on digital learning outcomes. This is because gamification engages people in problem-solving scenarios. Whether it's a pen-test simulation or actively communicating or reporting during crisis scenarios, individuals always have to put practical effort into the training session, which makes them more confident and motivated when facing real-life security incidents.

How gamification can build cyber workforce resilience

When employees are included in gamified learning sessions, they develop the three psychological states of motivation: competence, autonomy, and connection.

By continuously participating in competitive simulation-driven exercises, employees start believing that they can accomplish a task because they have mastered it or can at least perform the actions to complete it. For instance, gamification places individuals and teams in a challenge-based learning environment. Here they practice different tasks and actions in simulated attacks or black box exercises according to their roles. Over time, this develops lateral thinking and creative problem-solving, meaning that when faced with a similar attack scenario in real life, they know how to act and respond effectively.

It also drives connection amongst employees and teams. It’s important to understand that cyber security is an organization-wide responsibility, not just an obligation of the IT and security teams. Every security incident requires a collective response, where each team needs to collaborate on different aspects. Gamification brings different teams and departments into cooperative exercises.

Implementing gamified training solutions allows colleagues to actively collaborate through cyber team simulations or multiplayer crisis simulations. By cooperating to complete tasks, employees develop relatedness, which helps them master challenges collectively. This increases competence for both individuals and teams, thus enhancing human cyber capabilities across the entire workforce.

Lastly, there’s autonomy. As employees undertake technical challenge exercises and upskill in specific security areas, they develop a positive sense of autonomy. So, when a security incident breaks out, employees are more confident in making independent decisions, thus ensuring quick and efficient responses.

How to get started with gamification

When shifting from traditional awareness training to gamification, it’s important to choose the right solution that has all the required elements under one platform. Each exercise must be fun and interactive, while also endorsing collective participation. The simulations should be based on real-world responses to real-world situations. Most importantly, gamified security trainings should be automated, so that simulated scenarios are regularly updated to meet today’s constantly shifting and dynamic threat landscape.

Using automated, gamified solutions, employees can improve their skills on their own terms without the need for disruption to company operations. This doesn’t only save time and money; it also allows for greater training frequency and, in turn, greater learning.

The author

Dr John Blythe is Director of Cyber Workforce Psychology at Immersive Labs.


