Is Gamification Working in Security Training?

Is gamification just a fun trend that fails to actually score?

Pam Baker

January 3, 2019


Gamification is a term used in education to mean using game elements to improve knowledge retention. Learning new information, understanding how to use that information, and ultimately retaining that learning is the goal in all education and training programs. But this isn’t recess and not all games are useful. For security training via gamification to be successful, it must be crafted by talented game masters.



“Gamification has made its way into many aspects of technology and security awareness and training is no exception. There are pros and cons to gamification, and success is widely dependent on how it is used and implemented,” says Javvad Malik, security advocate at AlienVault, an AT&T company specializing in unified threat detection.

AlienVault also developed the Open Threat Exchange, which claims to be the world’s largest crowdsourced computer-security platform.

It’s one thing to make the learning experience fun so that students enjoy the encounter and complete their work. It’s quite another matter to make sure they can perform those skills on the actual job later.

“While gamification can be great to engage and create ‘sticky’ content that people come back to repeatedly, care should be taken that the game part doesn’t distract from the overall goals and learning objectives. It’s all well and good having people complete learning modules, but it needs to be effective in educating the participants,” says Malik.

Since security training is vital for both user training and security-professional education, outcomes must be clearly defined and measured for each category. Anything short of that in gamification is gaming, not education.

Gamification Outcomes for User and Executive Training



“Gamification can help foster interest in cybersecurity, which serves as a big advantage to employees that aren’t exposed to cybersecurity practices in their day-to-day tasks. Assurance firm PwC has had success using Game of Threats, a digital game to simulate the experience of executives being targeted by a cyberattack, to teach cybersecurity and measure employee readiness,” explained Tim Bandos, VP of cybersecurity for Digital Guardian, a company that specializes in endpoint detection and response.

User awareness is critical in thwarting phishing attacks, including spear and whale phishing.

“To be effective, any training – especially cybersecurity training – needs to occur on a regular basis. Companies like Omnicare, recently acquired by CVS, Deloitte, and Beaumont Health System, Michigan’s largest health-care system, implemented gamification-style training and improved employee engagement. Teaching users to identify and react to attacks in real time – and enjoy doing so – prevents security from becoming an afterthought,” added Bandos.

It’s vital to instill a sense of joint responsibility for security among all users to prevent them from shortcutting and undermining established security protocols in favor of on-the-job convenience.

But while these arguments are sound and well received, the question remains of whether gamification improves security skills among users and executives. Several studies conclude that when done well, gamification does work in fending off attacks. According to a recent study, 77 percent of U.S. companies with interactive employee-training programs have seen a reduced number of attacks.

“That being said, individual organizations won’t know how effective their own programs are until they’ve been audited,” said Bandos. “Monitoring scores and engagement can make it easy to identify employees that need extra education; it also helps identify how effective overall existing security processes are. Companies need to review programs, potentially with the aid of NIST’s National Initiative for Cybersecurity Education (NICE) framework to address skill gaps and ensure gamified exercises are working.”

Gamification Outcomes for Security Professionals

One need only look at hacker games and competitions to see the compelling allure of gamification in training and practice for security pros. Top competitions in terms of level of difficulty, number of competitors, and security focus include the NSA’s Codebreaker Challenge, the Center for Internet Security’s US Cyber Challenge, and the National Cyber League’s Ethical Hacking and Cyber Security Challenges. Many such contests are also used for talent scouting and recruitment, a fact not lost on either budding or seasoned security professionals.

But the point here is that friendly competition in gamified contests is a great motivator for mastering security skills.

“I’ve met hundreds of security folks over the last 25 years and they’ve all been motivated by breaking into a system and building stronger frameworks to learn what works best. Security is about solving a problem, which makes gamification perfect for e-learning and training,” said Zvi Guberman, CEO of CloudShare, a provider of specialized virtual IT labs.

“The hands-on experience is one of the most effective ways to learn and teach to ensure companies stay ahead of competition and potential threats. It’s why security conferences use Capture-the-Flag-type games for training. In fact, creating and delivering gaming scenarios to educate IT and security pros is a very popular use of our virtual IT labs.”

Things to Look for in Successful Security Training Gamification

All the evidence points to resounding success in using gamification for security awareness and training as long as the gaming elements are smartly designed with specific learning goals in mind. To aid MSSPs in evaluating – or even designing their own – gamified security training programs, here are three things to look for or work towards:

  1. “Key messages are reinforced and become sticky as trainees learn by discovery and problem solving rather than just reading,” says Marie White, President and CEO at Security Mentor, a Pacific Grove, California-based provider of security-awareness training.

  2. “Techniques like awarding points, badges and giveaways provide further positive incentives to complete training, and foster friendly competition between employees,” added White.

  3. “Unlike traditional passive teaching methods, gamification concentrates on content immersion, relevancy and scalability. Gamification, combined with cloud-based platforms, allows for constant availability to real day-to-day threats, tactics and procedures,” says Circadence’s Keenan Skelly, VP of global partnerships and security evangelist. “It has been scientifically proven that learners remember an overwhelming 90 percent through immersive gamified simulations; the ‘learn by doing’ approach works by deploying connected, interactive, social settings that allow learners to excel.”



About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
