Boost your security training with gamification -- really!

Don't scoff; rewarding good deeds actually works.

Page 2 of 3


Spitzner at SANS notes that security awareness gamification is not a mature field yet, and the few organizations that have done it have targeted only a few behaviors. Nevertheless, there are success stories, such as what happened at

"We wanted to see what would happen if we created a program where employees wanted to do the right things, rather than being pushed to do so," explains Heim. After consultations with heads of business units, "We came up with a short list of behaviors that we believed would have the biggest impact, including optional security training, reporting phishing emails and preventing badge surfing" or tailgating.

Security training at the firm is mandatory, but participation in the corporation's gamified security awareness program is not, adds Heim. Employees who do participate earn points and recognition for taking security-related actions, such as reporting phishing attempts, he explains.

At Family Insurance Solutions, Schroeder says he relies on positive feedback when users do the right thing (in response to phishing and break-in attempts, whether real or drills), and on showing them the correct behavior when they do the wrong thing. Unlike at Heim's firm, there are no points, badges, levels or prizes, he says. "I am not convinced of the effectiveness of giving away physical things," in a small organization, he adds.

He was not able to supply specific metrics, but he notes that users no longer hide what they did wrong for fear of reprisals. "If they are confident of a positive response they want to elicit that response strongly, and will report emails hoping to get that response. People who are normally reticent are now openly engaging with me, asking if this or that is OK. It's exciting watching them educate themselves. People who were my biggest concerns are now my number one partners in security. I have been shocked at how successful it has been with people who I did not think it would be successful with."

Middle-aged office assistants tend to be the most responsive, while the ones he has the most trouble reaching are younger people who play computer games, he says. "They tend to see through the gamification, but do respond to challenges," he notes.

Tips and traps

Winkler adds that, before launching a gamification program, it is important to first establish the level of security awareness in the organization, to avoid wasted effort. Then, it is important to set up a rewards structure based on the culture of the organization and its business goals.

"You don't want to reward behavior that has no value," he notes. And "you need rewards that the people actually want." Handing out rewards that rank them as Star Wars Jedi knights may work with programmers, but not with investment bankers, he notes.

Points that can be exchanged for small prizes may prove motivating, or just putting names on a leaderboard may work, Winkler notes. Companies with offices in multiple locations, particularly internationally, may find it best to adopt different strategies in different locations. For instance, in some Asian countries, a chance to shake hands with the CEO may be more compelling, Winkler adds.

Gaming security

Points, if used, should become progressively harder to earn, by adding a ladder of levels (also called badges or titles), he explains. Points at the first level should be easy to get and tied to basic steps, such as attending seminars. Points at the next level should require spontaneous activity, such as reporting a phishing email or security incident, and points at higher levels should reward more complex security activities, such as participating in drills, he indicates.

"Even if there is a failure (such as falling for a phishing email) you need to reward them for reporting the failure," Winkler adds. "If I know about it I can warn the rest of the firm. Gamification makes it seem that the security department is not there to punish people, but if all their interactions with security are negative, they are less likely to report incidents."

"Never release the names of the victims," Spitzner adds. "Let everyone know that if they fall victim their names will not go to their manager. If they think they will be reported, they will resent the program, since it will impact their career. The only time the manager is informed is if the person is repeatedly falling victim and represents a high risk. But do identify those who do something good," he adds.

Drills of some sort (such as sending out fake phishing emails or having agents attempt tailgating) should be done once a month. "But if it is weekly it becomes noise," Spitzner adds.
