A common lament among compliance leaders is that traditional training methods don’t work. So it’s understandable that many organizations are adopting novel and modern methods to reach people, including gamification; KnowBe4’s Ani Banerjee explores what gamification looks like in cybersecurity, which seems a natural fit for gamified training.
Editor’s note: The author of this article, Ani Banerjee, is chief HR officer at KnowBe4, a security awareness training provider.
Organizations as varied as Beaumont Health Systems, PwC and The Digital Guardian are using gamification to better engage employees in security awareness training activities — and to boost the odds that what they learn will stick and impact behavior.
Games in the workplace? HR and learning and development professionals are finding that gamification can help them connect with employees through learning activities that are both educational and fun. That can be especially opportune when dealing with material perceived as dry or dull.
Admittedly, much of the training that companies offer on cybersecurity falls into the dry and dull category. But that doesn’t always have to be the case. With interest in gaming at record highs among people of all ages, gamification is becoming a go-to strategy for engaging employees in training initiatives.
HR is an important partner with IT colleagues when it comes to training employees about how to protect company data and systems. Some organizations are required to provide a certain level of training, while others choose to do so simply because it’s in their own best interest.
With the number of ransomware attacks last year more than doubling, it makes sense to take steps to make training more engaging and “sticky.”
How gamification is used in security awareness training
The big idea behind gamification is that learners learn by doing — and playing — instead of by reading or listening. For instance, to train employees in what to look out for in phishing attacks, a gamification strategy could include subjecting them to various interactions and letting them learn for themselves which are dangerous and which are harmless?
HR can use leaderboards and badges to see how participants rank among their peers and to drive a little friendly competition that includes a token reward upon successful completion. Monitoring employees’ progress can help identify areas where content may need to be changed or updated to ensure understanding.
Game-On: Why Tabletop Exercises Are Key to Cybersecurity Resilience
Tabletop exercises testing an organization’s cybersecurity plan can help reveal weaknesses. And they’re also prized by state authorities investigating breaches.
Read moreDetailsBest practices for gamification in cybersecurity training
If your HR team is using or considering using gamification for cybersecurity training and communication efforts, it’s important to adhere to some best practices to help ensure that your training will gain traction.
University of San Diego professor Michelle Moore offers best practices for gamifying cybersecurity training:
- Use visual aids. The more senses you can engage with your training activities, the better. Reading text on a page doesn’t engage the senses as much as incorporating visual elements like photos, images and graphics.
- Keep training short and to the point. Short, 10-minute sessions can capture and engage attention more effectively than one- to two-hour programs.
- Make it fun. That’s what gamification is all about, and you can keep it fun by incorporating elements like challenges, competitions and scoring.
- Use rewards. Rewards are a big part of gaming and what makes it effective. Incorporating rewards into your training efforts can encourage participation and boost learning outcomes.
- Know your audience. In fact, know your audiences. Not all employees will have the same interests or learning needs. Your IT staff, for instance, will require different approaches — and different content — than your customer service, marketing, accounting or HR staff.
- Make it ongoing. “One and done” doesn’t work in training environments and that’s certainly true when it comes to security training. To make it stick, training needs to be part of an ongoing process introduced over time.
Companies should engage employees in the process and seek their input regularly before, during and after training. Test out new ideas through simulations or “sandbox” activities before rolling them out company wide. Solicit feedback from participants at different levels in the organization, from different roles and from different generations.
Finally, listen and learn. Attaching goals and metrics to all your learning activities — including those that involve gamification — can help continually monitor progress to determine what works well and what may need to be tweaked, overhauled or discontinued.
Security training can be fun and inspiring. By incorporating gamification, training can be memorable and compelling. Best of all, you’ll receive better results through gamification as employees engage and long retain the material they’ve learned.
Ani Banerjee is chief human resources officer for 
