Security Awareness Blog

Gamifying Security Awareness

One of the challenges we have with security awareness is when you come down to it, awareness training and education can become boring over time. Yes there are steps you can take to make it exciting, and there are many things you can do to sexy training up, but how often do you have employees bragging about how good their security behaviors are? Or how often do you have employees researching on their own how they could be more secure? While that is not happening for most organizations, it is something gamification could possibly change.

Gamification (as defined at Wikipedia) is applying game and design techinques to non game applications to engage audiences. I'm not talking about creating security awareness related games, such as what Wombat folks did with their Anti-Phishing Phil game. I'm talking about taking the entire concept of security awareness and making it a competition / game. Bruce Schneier has a interesting blog post on how the concepts of gamification even apply to the building of jihadist communities. Examples for gamifying security awareness programs include ...

Leader Board - Have a leader board tracking who are the most 'aware' employees. This could be measured by things such as scores on awareness quizzes or how many months employees have gone without falling victim to phishing assessments. People then compete to be in the lead.

Badges - Have achievement badges for different courses or training levels people complete.

Currency - Have a points or currency system. The more points people earn, the more things they can do (buy company shwag, team lunch, etc). They can earn points by completing more training, reading newsletters, replying to security awareness questions, helping others secure themselves, etc. Then allow people to trade, share or gift these points.

Challenges - Create security awareness challenges between users or even departments.

The end goal here is not to create games for security awareness training, but to make security awareness training (and changing behaviors) a fun game!

6 Comments

Posted January 24, 2012 at 4:50 PM | Permalink | Reply

Terry Olaes

I'm looking at some options to "gamify" our next Security Awareness Training course. I'd be interested in hearing how others have done this with training programs.

Posted January 24, 2012 at 9:44 PM | Permalink | Reply

lspitzner

Terry, I would to. This concept is very new to security awareness programs. I'm cooking up some ideas, I'll blog once I've had a chance to test them out

Posted January 26, 2012 at 1:22 AM | Permalink | Reply

Christopher Sorensen

Ive been thinking a lot lately about ways to gamefy my Security Awareness campaigns.
I got some ideas after reading an interesting article in Wired Magazine about how to get people to do things they might not want to do: http://www.wired.com/magazine/2011/02/st_thompson_living_games/
(Disclosure: I do not own any stock in Wired magazine)

Posted February 6, 2012 at 5:36 PM | Permalink | Reply

Julie Chollet

I created a Bingo card with security terms discussed during my presenation. It encouraged participants to listen carefully to what I was saying and of course, there was a Bingo winner at the end!

Posted February 6, 2012 at 6:11 PM | Permalink | Reply

lspitzner

Very cool idea, I never thought of that one. Thanks Julie!

Posted November 26, 2012 at 12:54 AM | Permalink | Reply

Rick

apozy is trying to tackle this problem with gamification as well:
http://www.apozy.com