Gamify your cybersecurity awareness training
Clifton Sigler
Cybersecurity, at its very core, is a competition. On one side, we have defenders trying to maintain the confidentiality, integrity and availability of their digital assets. On the other side, we have attackers with differing motives vying to control the same digital assets. This adversarial cybersecurity narrative is rife with the kind of conflict and tension that makes for a thrilling movie, video game or television plotline.
Unfortunately, traditional cybersecurity awareness training rarely delivers the same level of excitement that we find in more dramatic and entertaining depictions of cybersecurity. For the most part, awareness training still relies on rote learning. The conversation is too often one-sided and incentivizes learners to spend as little time as possible with their training materials. Instead of educating and empowering employees to be cybersecurity superheroes all year long, cybersecurity awareness training becomes a quickly forgotten nonevent.
So how do we close the engagement gap? Can we make cybersecurity awareness training more appealing? The answer is an unequivocal yes. To do so, we need to recover some of the intensity lost when moving the cybersecurity conversation from complex, real-world adversarial competition to the more theoretical business education environment. We need to create a more meaningful and immersive learning experience. What we need is gamification.
Gamification, as defined by the Merriam-Webster dictionary, is "the process of adding games or gamelike elements to something (such as a task) so as to encourage participation." A popular taxonomy of gamification elements for education has five different categories that we can apply to cybersecurity awareness training.
#1 Performance elements
Performance elements provide feedback to learners, help learners understand where they are on their educational journey, and encourage progression.
A practical example that leverages many performance elements is the venerable Capture the Flag (CTF) contest. If you've never participated in a CTF contest, don't worry; they are relatively easy to understand. Players find a flag (a piece of information that is not easily guessed) by solving a puzzle or doing a cyber scavenger hunt. They submit the flag to the submission system, which gives players or teams points based on how difficult the flag was to find and how quickly it was "captured." A scoreboard keeps track of point totals and typically includes a colorful graph showing points over time.
CTFs are underutilized as training tools because not everyone is aware of how easy it is to separate the content from the format. We can create a CTF focused on cybersecurity policy and best practices as easily as one about exploiting web application vulnerabilities. Keeping score, varying problem difficulty and showing progress over time can all combine to turn the most mundane subject into an engaging game.
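The submission and scoring loop described above, applied to a policy-themed CTF, as an added example that is not part of the original article. The challenge names, flags, point values and the linear 50% speed bonus are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed challenge set for a policy-focused CTF (all values are made up).
CHALLENGES = {
    "phish-01": {"flag": "FLAG{report-to-soc}", "base": 100},      # easy
    "policy-02": {"flag": "FLAG{lock-your-screen}", "base": 300},  # harder
}

def _digest(flag):
    return hashlib.sha256(flag.strip().encode()).digest()

class Scoreboard:
    def __init__(self, challenges, start, duration):
        # Keep only digests so the submission system never stores plaintext flags.
        self.flags = {cid: _digest(c["flag"]) for cid, c in challenges.items()}
        self.base = {cid: c["base"] for cid, c in challenges.items()}
        self.start, self.duration = start, duration
        self.solved = set()   # (team, challenge) pairs already credited
        self.history = []     # (time, team, points): data for a points-over-time graph

    def points_for(self, cid, now):
        # Difficulty sets the base; the speed bonus decays from +50% to 0 over the contest.
        remaining = max(0.0, 1.0 - (now - self.start) / self.duration)
        return int(self.base[cid] * (1 + 0.5 * remaining))

    def submit(self, team, cid, flag, now):
        """Return the points awarded for this submission (0 if rejected)."""
        in_window = self.start <= now <= self.start + self.duration
        if not in_window or cid not in self.flags or (team, cid) in self.solved:
            return 0
        # Constant-time comparison avoids leaking how much of a guess matched.
        if not hmac.compare_digest(_digest(flag), self.flags[cid]):
            return 0
        points = self.points_for(cid, now)
        self.solved.add((team, cid))
        self.history.append((now, team, points))
        return points

    def leaderboard(self):
        totals = {}
        for _, team, points in self.history:
            totals[team] = totals.get(team, 0) + points
        return sorted(totals.items(), key=lambda kv: -kv[1])
```

Times are passed in explicitly so scoring is reproducible; a live deployment would supply the current clock and add per-team rate limiting on wrong guesses.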
Acknowledging participation and rewarding winners is also an important part of what makes CTFs fun. In 2021, e-gift cards and NFT-based badges or rewards are the way to go.
#2 Fictional elements
Fictional elements help learners focus on content and more easily remember complex ideas.
Unfortunately, the scenarios in traditional cybersecurity awareness training are often disjointed. We hop from one group of new characters to another without a transition. We usually aren't provided with much of a backstory, and there is little character development.
A good alternative is to leverage popular fictional characters and storylines. Staying with the same story and characters throughout a training course can also be very helpful. A consistent, well-known storyline is easier to build on and allows for the rapid introduction of more complex ideas without wasting time on unnecessary exposition.
#3 Personal elements
Personal elements help learners by providing meaning.
As mentioned earlier, one of the failings of traditional cybersecurity awareness training is that it is a one-sided conversation where the same information is imprinted on learners over time using rote learning. The only tasks that ask for learner participation are typically multiple-choice quizzes.
Instead, we should encourage more active learner participation. We can do this by ensuring content is up-to-date and relevant. Introduce novel ideas, scenarios and technology. Leverage puzzles, scavenger hunts and other fun cognitive tasks where you can. If possible, try to engage more of the learner's senses: Think virtual or augmented reality, music, food and so on.
#4 Social elements
Social elements help keep learners from feeling isolated.
Having learners belong to a team as part of their training encourages cooperation between individuals. Competition between individuals or groups encourages awareness of others and helps learners stay focused on their goals.
#5 Ecological elements
Ecological elements help create an exciting learning environment.
Whatever puzzles or games you employ, consider adding a bit of randomness or chance. Easter eggs, bonuses, and random or variable point scores can keep outcomes unpredictable. Adding a time constraint to challenges is also helpful as it can create a sense of urgency.
Gamifying cybersecurity awareness doesn't happen overnight. Introduce different aspects over time and tailor them to what works best for your company. Make sure to survey participants after each training event. Most importantly, have fun. If you aren't having fun putting together your cybersecurity awareness training, then your employees will not have fun receiving this training.
How can Rackspace Technology help me gamify my cybersecurity training?
Cybersecurity training loves the cloud. It’s easy to create fully automated, isolated and ephemeral learning environments. Whether you are looking to host a single-instance CTF dashboard, leverage Kubernetes to host web-based puzzles, or provision 1,000 virtual desktops, Rackspace Technology has over 3,000 certified cloud professionals who can help you automate and manage your infrastructure so you can focus on making engaging content.