Games are designed to be addictive. Ever watch a friend lose themself for hours in a Candy Crush or Call of Duty binge? Games put you in the dopamine-rich headspace of the flow state. Science describes flow state as a state of optimal performance in which you're completely engaged in a task to the point where you stop thinking about time and place. Imagine the things you can learn and the cybersecurity skills you can build when you enter a flow state for security awareness.
Our minds crave achievements and rewards so intensely that success in a game activates behavior-reinforcing brain chemicals. That's what drives us to play more and more.
The mobile gaming industry has effectively hooked millions on games. Social media has hooked millions more by applying gamification principles via Stanford University Professor, B.J. Fogg's behavior model. What do we mean by getting hooked?
When people find something pleasing, they chase that same rush of happy brain chemicals by repeating the behavior. In games, they'll do anything to reach the next level and feel a sense of achievement: even learn cybersecurity skills.
Recently, other industries have also picked up the idea of gamification. For example, companies have been blending gamification into educational applications to improve learning. If you've tried Duolingo, you have some idea of how gamified learning can look.
What is gamification, and why should you use it?
Gamified learning helps you maximize user engagement and measurably change cyber behavior. With 74% of breaches being due to the human element according to the Verizon DBIR, motivating people to spot and report a real phishing attack is a game changer.
Game mechanics should make the learning experience fun and motivating, but gamification is not all about, well, fun and games. Gamification is a scientifically validated model for conditioning desired behavior. Game mechanics reward people for taking specific actions to specific cues. Eventually, cybersecurity behavior becomes a matter of instinct and habit.
Fortune 500 energy company, AES won a prestigious CSO50 award by applying gamification to their cybersecurity awareness and behavior change program. Their engagement skyrocketed from 10% to 70% in just a few months.
Game mechanics and behavioral science
Just because something looks cool and is fun to use doesn't mean that it's "just a game." Social media companies, for instance, have poured millions into creating a sticky UX based on Stanford Professor, B.J. Fogg's Behavior Design model, which rewards users for engagement.
We talked to security awareness expert, Ira Winkler, former Chief Security Architect for Walmart and the author of Security Awareness for Dummies (amongst other titles) for one of our CISO Sandbox webinars. Here's what he had to say about gamification:
"Gamification is not agame. Gamification is actually a very specific business principle that says, "We are taking game principles and applying it to solve a business problem” … [and] rewarding somebody for learning.”
“I appreciate what Hoxhunt does. Hoxhunt sends out the phishing messages appropriate to the level of knowledge of the person. If you don't have a toollike that, you need to figure out, "How am I going to structure phishingmessages that are going across the entire range of potential phishingknowledge?”
… and can tailor what we do to each person.
Structural gamification vs. content gamification
There are two types of gamification: structural gamification and content gamification. Typically, products like Duolingo or Hoxhunt use structural gamification, meaning that they are applying game elements to drive the learning, but they are not changing the content of the learning material. The learning content simulates traditional learning materials.
When gamification is content-based, it means that the learning content is altered. For example, it could be using a story to teach people something new.
In phishing training, the structural gamification approach works best because the aim is to simulate realistic phishing emails so that people can spot them and report them in real-life too. The ideal outcome of a phishing attack is a threat report because it alerts the SOC to danger and accelerates its removal from the system.
By putting the learning content into a gamified environment, it feels more positive and less disruptive for their workflow.
Adaptive learning model
Learning occurs at the boundaries of skill and knowledge. In science, this is known as the zone of proximal development. It's an old and well-established concept that could also be called the Goldilocks zone. The gamified training challenge needs to be not too easy, not too hard, but just hard enough to get a dopamine kick out of an achievement.
To tailor training to individual employees' skill level and background at enterprise scale, AI is necessary. Hoxhunt uses an adaptive learning model to, as Greg Petersen at Avanade says, meet people where they're at and take them to where they need to go to be secure.
For educational software, another important aspect is user-centered design. The UI/UX should always think of the end-user first by recognizing their needs and goals. This is essential for the design and development process.
At Hoxhunt, user-centered design is the alpha and omega of product development. As a people-first cybersecurity training platform, we always think of how we can make the training experience better for the employees.
The CSO50-winning team at AES even brought in their Global Director of Digital Experience, a non-cybersecurity role, to optimize their award-winning program.
Ingraining habits with gamification
By forming habits, our brains can learn to execute complex behaviors with minimal conscious thought. When a habit is ingrained, it turns behavior into a reflex for a certain situation. Think about how a master martial artist reacts when a punch is thrown; instinct kicks in.
Research by USC Professor, Wendy Wood tells us that about 40% of our daily activities are done on the brain's version of autopilot. Old habits are hard to break and new habits are hard to form because it takes repetition and motivation to build the new neural pathways to a healthy behavior.
When we build habits, our brains’ basal ganglia can focus on other things that are not as automatic. When a habit is formed, it’s like the brain takes a shortcut and immediately does the next correct step. There are two essential elements to creating a habit:
- Frequency: how often the behavior occurs.
- Perceived utility: whether we find the task useful and rewarding.
When a certain event occurs frequently enough, we start forming the habit, and we will make it a default behavior. If something doesn’t occur frequently enough, it cannot become a habit. When forming a habit, it’s often an action that is not the most pleasurable for our brains.
Gamification and the Mario Effect
Gamification works best in a safe and positive environment to take learning to the next level. Positive emotions are strong internal triggers, so when we succeed, we will be more likely to go back to the same good experience to satisfy our brains’ cravings for recognition and success.
"I would say we've seen the light. We've seen what's possible with a positive approach to security awareness." -- Garrett Cook, former Head of Information Security at G2
The Super Mario Effect Ted Talk by Mark Rober cites scientific research that shows how much better people learn when they aren't afraid of failure, and are rewarded for success.
“This is what I call The Super Mario Effect: Focusing on the princess and not the pits, to stick with a task and learn more... By reframing the learning process, the fear of failure is often taken off the table and learning comes more naturally.”
Evolution, gamification and phishing training
People generally hate mandatory security awareness training. That must change, as a matter of survival in our digital lives. The workplace and society at large has undergone a digital transformation. Meanwhile, the dangers of being online have exponentiated. But humans haven't had the thousands of years necessary to sense danger online like we did in the forest.
We evolved to see crocodiles in the river, not phishing attacks in our inbox.
Game mechanics hack the brain to accelerate the development of these vital security skills and instincts in a matter of months. Gamification changes the human risk game. Training frequency and the motivational aspects of game elements and rewards can put phishing training in a positive light. Here's what security awareness expert Lisa Kubicki, now at Microsoft, told us when she was the Director of Trust & Security Training & Awareness at DocuSign, when we asked her about what she was looking for in a cybersecurity program:
Employees need to see it, read it,play with it, hear it, and do it daily. This won’t require a huge time commitment by them, but it will require that we have some of their time, shortlittle bites of time on a regular basis. To get them to commit to that time, it must be fun, rewarding, and meaningful. It must connect to what’s important to them and how they are evaluated on their performance. It must overcome elements of how the brain works so that we get a more secure, more trusted, and more committed trust culture. We must both acknowledge and encourage the desired behaviors.
So, what are the main goals of gamified phishing training?
Educate and build security awareness
First and foremost, you want to educate people on the dangers of social engineering, emails, phishing, and on risky online behavior like password management, information sharing, and safe browsing. Show people what sort of threats they could face in real life and teach them how to act appropriately. Phishing takes top priority because:
- It's the perfect cue-response-reward activity for gamified learning and behavior change
- Social engineering is the biggest risk facing the organization
Engage and motivate
Frequent practice reinforces good behavior and builds skill levels. Moreover, without frequent practice, users won’t be up-to-date on all the upcoming and trending threats. To keep them engaged and come back for more, the training must be interesting for them, matching their skill and knowledge level, or even their culture.Motivation is key for engagement and that’s why gamified elements can make training more enjoyable for people. When you reward them, when you positively reinforce that they are taking the right action, they will be delighted to keep participating and learn more.
Create a habit
The goal of phishing training is to change behavior. Phishing training is an excellent application of game mechanics and game design because the user experience is built around a desired action: hitting the threat reporting button. Dozens of simulated phish per year mean dozens of in-game rewards for reporting those emails. In that extended flow state, threat reporting becomes a habit and resilience becomes a reflex.
Hoxhunt research is the first to show a clear connection to gamified phishing training performance, and its impact on real threat detection. Within one year of beginning training with Hoxhunt, 2/3 of employees globally report a suspicious real email. Before gamified phishing training with Hoxhunt, the baseline for real threat detection is scant to negligible.
Build a security culture
With gamified phishing training, you can remove the negative emotions that people associate with security education. Through gamified phishing simulations that occur frequently, they will learn that staying safe online is important and they will most likely start caring more about other aspects of cybersecurity too.When users are on your side, you can expect that they will support your defenses. When they learn the habit of spotting and reporting emails, their chances of falling victim to a phishing attack will be lower. In a positive environment, even if they fall victim, they will dare to come forward, which is great because you can start figuring out what happened and how you can prevent a breach.
Components of gamification
With gamified products, a variety of game elements are implemented as part of the product design. Gamified products typically use level systems, competency levels, rewards, badges, steaks, motivational messages and positive communication, leaderboards, or progress checking.
A careful mix of training and gamification
Gamification is not simple to implement. It needs careful design, a combination of the game-like mechanism and the actual purpose of the product. In order to make your phishing outstanding, gamification has to be carefully integrated into the learning journey in a way that’s not disruptive but instead just helps with reinforcing people’s motivation to participate.
Read more about cybersecurity training
- The Best Attack Simulations For Your Cybersecurity Training
- A guide to effective phishing training
- Positive, Not Punitive Cybersecurity Awareness Training
- The CISO’s Russian Roulette: Not Training Remote Employees
- The Risk Of New Employees And How Security Teams Can Tackle It