March 8, 2021

Gamification in security awareness training

Barbara Babati
Marketing Manager

People can get hooked on games very easily. We all know people who are addicted to Candy Crush or Call of Duty. Our minds crave achievements and rewards so intensely that when we succeed in a game, the receptors in our brains activate and send positive signals. That is why we will want to play more the next day.

The mobile gaming industry has succeeded in getting people hooked on games. What do we mean by getting hooked? When people find something pleasant, they frequently come back for more of that rush and continue to play to get to the next level and feel a sense of achievement.

Recently, other industries have also picked up the idea of gamification. For example, companies have been blending gamification into educational applications to improve people’s learning. You’ve most likely tried Duolingo at some point, so you have some idea of how gamified learning can look.

What is gamification, and why should you use it?  

With gamified learning, you can maximize user engagement and retention. Achievements, an excellent user experience, leveling up, leaderboards, and other “fun” elements can encourage people to actively participate in the educational journey. The research article “A Review of Gamification Applied to Phishing” defines gamification as follows: ‘The use of game-based mechanics, aesthetics, and thinking to engage people, motivate action, promote learning, and solve problems.’ Another definition offers a shorter answer: ‘The use of game design elements in a non-game context.’ To summarize, gamification is a method that uses elements of game design for something other than a game to possibly enhance the learner’s motivation and results and encourage frequent participation in learning activities.

Improve training stickiness among users

Gamification can also be considered a strategy for making training stickier by using elements in the UI/UX design that games use, too. Improved stickiness helps with learning because it means that people keep coming back to the product to learn more without difficulty. When people frequently participate in training that doesn’t feel like an obligation, it can result in a behavior change that helps with creating a habit. Using the fun elements of game design integrated into the product will motivate ongoing participation. Frequency is key for shaping a new habit. Fusing a reward system into the gamified product will also strengthen user engagement.

Structural gamification vs. content gamification

There are two types of gamification: structural gamification and content gamification.

Typically, products like Duolingo or Hoxhunt use structural gamification, meaning that they apply game elements to drive the learning, but they do not change the content of the learning material. The learning content simulates traditional learning materials.

When gamification is content-based, the learning content itself is altered, for example by using a story to teach people something new.

In phishing training, the structural gamification approach works very well because the aim is to simulate realistic phishing emails so that people can spot these in real life too. Putting the learning content into a gamified environment makes it feel more positive and less disruptive to their workflow.

User-centered design

For educational software, another important aspect is user-centered design. UI/UX planning should always put the end user first by researching their needs and goals. This is essential for the design and development process. At Hoxhunt, user-centered design is the alpha and omega of everything that we do in product development. As a people-first cybersecurity training platform, we always think of how we can make the training experience better for the employees.

Ingraining habits with gamification

By forming habits, our brains can learn complex behaviors. When a habit is ingrained, it turns into behavior that requires little to no conscious thought about how we are supposed to act in a certain situation. When we build habits, our brains’ basal ganglia can focus on other things that are not as automatic. When a habit is formed, it’s like the brain takes a shortcut and immediately does the next correct step.

There are two essential elements to creating a habit:

  • Frequency: how often the behavior occurs.
  • Perceived utility: whether we find the task useful and rewarding.

When a certain event occurs frequently enough, we start forming the habit, and we will make it a default behavior. If something doesn’t occur frequently enough, it cannot become a habit. When forming a habit, it’s often an action that is not the most pleasurable for our brains. That’s where gamification can step in and take it to the next level, and we may start attaching positive emotions to the actions. Positive emotions are strong internal triggers, so when we succeed, we will be more likely to go back to the same good experience to satisfy our brains’ cravings for recognition and success.

Why do we use gamification in phishing training?

Typically, no one is super excited about their mandatory security awareness training. That must change. As the workplace and society are becoming extremely digital, the dangers of being online are increasing. It’s time for people to take security seriously and learn more about it.

When people are not motivated to learn about a certain topic, gamification can really change the game. The frequency of the training and the motivational aspects of game-like elements and rewards can put phishing training in a positive light.

So, what are the main goals of gamified phishing training?

Educate users

First and foremost, you want to educate people on the dangers of emails, phishing, and online behavior. Show people what sort of threats they could face in real life. People often feel extremely self-confident about their skills, and they think all phishing emails are as simple as those DHL scams we all get occasionally. That’s the wrong attitude because some phishing emails can be extremely hard to spot: they are planned carefully and they prey on people’s emotions to push them into making a mistake.

Engage and motivate

Without frequent practice, users won’t be up to date on all the upcoming and trending threats. To keep them engaged and coming back for more, the training must be interesting for them, matching their skill and knowledge level, or even their culture.

Motivation is key for engagement, and that’s why gamified elements can make training more enjoyable for people. When you reward them, when you positively reinforce that they are taking the right action, they will be delighted to keep participating and learn more.

Create a habit

Perhaps one of the most important goals of phishing training is to achieve behavior change. When that happens, people pick up the habit of being careful with emails. They will start thinking critically and think twice before they click on anything or download an attachment. The end goal is certainly to teach them to report the emails that they find suspicious. During the training, that’s the behavior that you need to emphasize. When they learn to watch out for the simulations and report them for the rewards, they will know they can do it in real life too. Of course, your communication effort will have a big impact on shaping this new habit as well.

Build a security culture

With gamified phishing training, you can remove the negative emotions that people associate with security education. Through gamified phishing simulations that occur frequently, they will learn that staying safe online is important and they will most likely start caring more about other aspects of cybersecurity too.

When users are on your side, you can expect that they will support your defenses. When they learn the habit of spotting and reporting emails, their chances of falling victim to a phishing attack will be lower. In a positive environment, even if they fall victim, they will dare to come forward, which is great because you can start figuring out what happened and how you can prevent a breach.

Components of gamification

With gamified products, a variety of game elements are implemented as part of the product design. Gamified products typically use level systems, competency levels, rewards, badges, streaks, motivational messages and positive communication, leaderboards, or progress checking.

A careful mix of training and gamification

Gamification is not simple to implement. It needs careful design that combines the game-like mechanism with the actual purpose of the product. To make your phishing training outstanding, gamification has to be carefully integrated into the learning journey in a way that’s not disruptive but instead reinforces people’s motivation to participate.
