Boost your security training with gamification -- really!

Don't scoff; rewarding good deeds actually works.

Page 3 of 3

"Don't expect miracles; you will need to refine your program based on your successes and failures," Winkler warns. One common error involves rewarding the wrong behavior. He recalls an instance where software developers were rewarded for finding bugs, and so were reporting old ones and sometimes writing new ones just to report them.

Finally, Winkler warns that gamification is not the answer for every organization, especially if security is a regulatory requirement and participation is not voluntary.

Gaining traction

Corporate security pros aren't laughing at gamification.

"Gamification is something we are looking at," confirms Ahmad Douglas, senior director of security awareness at Visa Inc. in Ashburn, Va. "There is a presumption that if we hold security awareness week and have a talk and give away pens that somehow it had an impact on people's behaviors. We have not made that presumption." Instead, Visa has brought in a cognitive psychologist to examine how to counter threats by measurably altering behavior.

"Gamification is a tool, but I don't want to presume that it is the solution," Douglas adds.

"Gamification, or storytelling, or putting cartoons in bathrooms, whatever channels work for people, that is how we are going to get to them," Douglas adds. "Whatever we do, it will be tied to a specific threat, it will have measurable outcomes and it will be based on real psychology."

The awareness problem actually has two segments, Douglas says. "Do they know what action you want them to take? Are they willing to take some action? You can't solve both with the same solution. If they don't know [something], you have to assess if it is realistically knowable and what is the best way to teach it. If they don't care to take action, you have an incentive problem and need to offer a reward."

Not all security professionals are fully buying into the gamification idea. "We use it to a certain degree, but not to the extent of having levels and points," says Jonathan Feigle, director of information security at Hyatt Hotels Corp. in Chicago. Awarding points to a global staff speaking many languages would involve numerous complications, he notes.

Beyond gamification

While Winkler and others emphasize that gamification does not mean the users play a game, others are willing to cross the border to actual games. For instance, start-up Apozy is developing a cloud-based computer game to teach security awareness, says co-founder Rick Deacon, who was previously a corporate penetration tester.

"We want to get the users engaged with something they enjoy using," he explains. The game simulates a corporate environment and the users take the part of attackers, who plan attacks based on what they learn during the course of play. Meanwhile, the software analyzes the users' decisions to make sure they understand the situation, he explains.

But whether the choice is gamification or actual games, the implication of the success of these approaches is that the answer to the problem of security awareness is not technology but human behavior. Instead of being victims of social engineering, enterprises are showing that they can protect themselves with their own form of social engineering -- one based on rewarding people for doing the right thing.

This article, Boost your security training with gamification -- really!, was originally published at


Copyright © 2014 IDG Communications, Inc.
