Traditionally, employees do not enjoy corporate trainings, and this perception holds true when it comes to security awareness education. We often hear that our customers do not find traditional methods of training interesting, and they prefer game-based courses that are better able to hold their attention.
However, there are still some employees that do not feel comfortable implementing any gaming techniques in corporate education. As with most strategies, there are positive aspects to each learning technique, which enterprise security leaders should explore.
Are security awareness games enough?
As cyber malefactors continue to complicate and improve upon their means of attacks, covering even the most basic cybersecurity rules and practices is a rather large feat. When translating cyber hygiene best practices into simulation-based trainings, it is important to consider all possible situations to allow employees to consider every option until they came to the most secure decisions; however, this can present a challenge when it comes to the duration of the training.
In addition, as employees become immersed in an artificial environment, gaming techniques require a considerable amount of concentration and involvement. Research shows that the human body reacts to stress in a game the same way as a challenging situation in real life. In gamified training based on cybersecurity basics, the “player” will constantly be faced with situational dilemmas. Therefore, after several hours of such training, it is important for security leaders to remember that employees will need time to recharge before continuing their regular duties.
To determine whether implementing gaming techniques for security awareness training at your organization makes sense, it is important to first understand what the ultimate goal of the security awareness course is.
Companies introduce such trainings to not only encourage their staff to study security rules, but to ensure that employees will gain skills and actually apply them. Best practice guidelines are not always the most convenient to follow, so to change such behavior patterns, it is necessary to not only provide instructions and develop practical skills, but to also work on motivation and inclination.
In this regard, gamification of trainings can be an effective option to encourage employees. Along with encouragement, games also allow for lessons to be taught through mistakes. In the case of cybersecurity, a company cannot afford to let every employee misstep to see how severe the consequences of a cyberattack could be in real life. When putting employees in the situation of a game where they can ‘live’ the experience and the aftermath as if it were happening in reality, this allows them to test their skills without causing any harm or risk to the company.
Successful education on cybersecurity basics should consist of different formats. Gaming techniques are not a silver bullet, and they alone will not solve all issues related to corporate education. To achieve the desired results, they must be appropriately embedded into the whole learning cycle and combined effectively with an information-based course.
Gaming techniques can also help employees overcome initial resistance to learning. Security trainings may be seen as boring, obscure and difficult. However, when employees experience familiar situations in the context of a game simulation, it turns out that such training is not a terrible thing to endure.
But what can training managers do with employees that have already mastered the security or cybersecurity training and skills that you want to impart on the organization? In this case, unique gamification techniques such as short, comic-like tests where employees makes bets for example, may persuade those employees to participate. In general, employees are more enthusiastic with short assessments and training sessions. In doing so, employees may also discover that there are some gaps in their knowledge, which will result in an increased willingness to take a necessary security awareness course.
Security leaders can use gamification training to help with buy-in from other business execs as well. Our experience shows that, despite the doubts of managers responsible for training, business executives get involved in game formats, too. For example, a training that allows C-level leadership to walk in the shoes of the Chief Security Officer (CSO) or Chief Information Security Officer (CISO) allows them to more clearly understand how cybersecurity may affect the business in critical areas such as profit losses.
If employees are able to overcome their training biases, the theoretical course is set on prepared ground and learning becomes more productive. While the initial motivation to take such course can wane over time, adding gaming elements or simulations over time as reinforcement to the curriculum can be helpful as employees continue to go through the training process.