Gamified Behaviour Modification in Cybersecurity Training
According to the Australian Cybercrime Online Reporting Network (ACORN), Victoria accounts for approximately 25% of Australia’s cybercrime victims. The average cost to an individual business is around $276,323, depending on the type of attack. Collectively, Australian businesses are out of pocket nearly $29 billion annually.
As more businesses move to online models, these figures are likely to keep rising. Importantly, 53% of the cost to businesses is spent on detecting the breach and recovering data. Cybersecurity training is a necessary part of the response: it reduces both the likelihood of a breach and the cost of responding to one.
The current focus of cybersecurity training revolves around systems, tools and technology, yet studies have found that human factors account for nearly 80% of the vulnerabilities exploited by attackers. These include under-trained employees, employee negligence and malicious insiders.
For example, a 2013 study of cybercrime conducted across 13 countries found that 54% of breaches were the result of employee negligence, and only 6% of the affected companies had invested in cybersecurity training. A single compromised employee account can give a criminal enterprise a foothold from which to reach your organisation’s data.
Generally, cybersecurity skills training is offered to IT personnel, whereas awareness and education programs are offered to all employees. Delivery methods include in-person seminars, web-based classes, online interactive training modules and teleconferencing.
However, research shows that these approaches do little to reduce the risk of attack, because employees are rarely engaged in the learning process. In traditional cybersecurity training (e.g., instructor-led seminars), too much information is often delivered in a short period of time, which produces a sub-optimal learning environment and poor retention of the material.
Much of this is remedied through gamification: the use of game design elements in otherwise ‘non-game’ contexts. Game thinking includes progression mechanics (e.g., earning points for successful completion), player control, team problem solving, competition and a narrative. The foundation of gamification is that motivation is strongly linked to feelings of achievement or distinction. When a game is pitched appropriately to the skill level of the employee(s), it counteracts the dull, mundane quality of traditional employee learning.
In line with contemporary research, Evisent advocates gamifying employee learning in cybersecurity awareness training. This approach promotes active engagement and motivation in employees as they develop their knowledge. Being engaged in the learning process also improves retention, and therefore offers greater protection in the event of an attack.
Elements of Behaviour Modification
Designing games for education and training requires clear definitions of the desired outcomes. Identify which behaviour you need to change and how it can be measured; an engaging process and a set of incentives and disincentives can then be built around the four elements found to be effective in cybersecurity training:
- Progression: a tangible measure of how the individual is performing through the training, such as company leader boards, points systems or rewards. Visible progress influences motivation levels.
- Player control: controlling a third-person avatar, which research has shown contributes to behaviour modification.
- Problem solving: critical analysis of information or situations is strongly correlated with retention, a major goal of cybersecurity training. Team collaboration provides a shared sense of purpose that translates into real-world application.
- Story: narrative learning has also been shown to increase learning and retention. It also invests the player in continuing to play in order to reveal the rest of the storyline and the development of their avatar.
Why This Works
Anyone who has sat through mandatory work or school ‘learning initiatives’ (e.g., diversity training; work-safe policies) knows they don’t work. They’re check-the-box tasks that your brain is paying about 3% attention to. It’s the same in cybersecurity: you can’t expect employees to have a genuine interest in cyber defence strategies, or even in technology in general.
What gamification does is provide the motivation to complete a task attentively. Appropriate levels of competition are healthy in the workplace, because a sense of winning or accomplishment produces positive emotion. Conversely, an apathetic approach to the task means having something to lose, which produces negative emotion.
Through a points system, you can then reward employees with incentives to keep learning, for example redeeming points for gift cards or a day off. Every game and incentive will differ depending on the employee culture within your organisation. The rewards must be tied specifically to the desired behaviour so that you increase the probability of that behaviour recurring (e.g., you spotted and reported 5 phishing emails, saving the company thousands!). Reward the behaviour you want, such as reporting a suspicious email, rather than only penalising mistakes; penalties discourage employees from reporting the click that has already happened.
Finally, the more you recognise good behaviours company-wide, the more you reinforce them in other employees. If you’re having difficulty training employees, or want to be set up for success right out of the gate, gamification may be the right approach for your organisation.