The gamification of information security training programs

Just how effective is the gamification of information security training programs? Expert Joseph Granneman looks at this increasingly popular method of employee training.

What is your take on the gamification of security programs within enterprises? Do you think creating an Incentivized Awareness program is an effective way to get your employees involved with security?

Employee training can be a difficult task. In the end, most users will still open the email attachment they have been warned about since the mid-90s. Computer-based learning programs are often used because they make it easy to report compliance, not because the employee necessarily learns or retains anything useful. Security is failing as an industry in this critical area and it needs a new approach.

Gamification has been used successfully in other industries, most notably in marketing new products. It is also being used successfully in other company-driven initiatives such as fitness programs, where employees collect points for exercising or having a physical and redeem them for products like a tablet computer or single-cup coffee machine. If gamification can motivate people to eat right and exercise, perhaps it can finally motivate them to stop opening that malicious email attachment.

There are some good and bad examples of gamification in information security awareness training programs. One good example is a company that used a monthly newsletter with definitions and puzzles that could be solved for a $50 gift card prize. The employees did retain the ideas communicated through the puzzles and became proponents of good security practices. Conversely, another company promoting HIPAA awareness had a contest where employees painted ceramic hippos. The employees probably didn't learn anything about information security, and may still refer to HIPAA as "HIPPA."

Current information security training programs are not having the desired impact of improving security practices within companies. Gamification is a good way to supplement an information security program to drive employee involvement and add some excitement to the material. The most successful training programs will use the gaming elements to spark interest while still focusing on the core subject matter. Gamification of information security training should be used as a supplement to an overall training program since this technique may not be popular with all employees. 

This was last published in October 2014

Join the conversation



It's an intriguing idea, but as with all gamification schemes, what is preventing the user from "gaming the system" themselves? Does it actually help people develop new behaviors, or does it merely give them a public face to show their virtue, while they find other methods to do the same things they always have? Granted, if it drives people to use virtual machines to do "bad things" to preserve the virtue, and then they move backwards in time to fix the mistakes, then maybe it is doing something good after all :).
Does it really matter whether the trainees are gaming the system? Greater engagement with the principles and behaviors of the training program sound like ways to improve long-term retention, possibly with fun memories of the process. Not everyone will engage with the game aspect of training, perhaps not those who most need to improve their security awareness, but starting a conversation sounds like improvement that could be lasting.
I'd agree with aclairefication - if users are taking the time to game the system, it at least shows they are engaged and thinking. And they may find that taking the time to game the system is more tedious than just doing things the right way (like a kid learning that faking brushing his teeth is harder than just brushing his teeth). 
I agree with several commenters that games provide a venue for grabbing some precious attention, and if they get that attention on information security, that's probably a good thing. As long as the game content reinforces the core concepts (and doesn't present meaningless distractions like hippos), I'm a fan. The mantra we use at MediaPro is "Training + Reinforcement = Behavior Change." Whatever you use to reinforce is good by me!