Gamifying cyber training can improve your defenses

Security training serves as the fundamental component of any cyber defense strategy. In light of the constantly escalating online threats, the importance of making such training an engaging experience is now greater than ever before. In this vein, every employee must develop an acute awareness of cyber security risks and learn basic actions they should take, such as appropriately reporting suspected phishing attacks. For others, such as IT personnel, more extensive training is required.

Conventional approaches to educating staff about security mindfulness, such as presentations, may often elicit boredom and apathy. Some may view security training as a mere box-ticking exercise. As such, organizations need to devise new and captivating methods to deliver cybersecurity training that will resonate with employees.

One widely employed technique to enhance engagement is to include a test after a training session. When participants are informed that they will be required to answer a series of questions to complete the training, they tend to exhibit heightened attentiveness. Without a concluding test, people are often inclined to complete the training as quickly as possible.

Gamifying cybersecurity training

Gamification is a technique that involves applying game design elements and principles to non-game contexts to enhance user engagement and motivation. It has been shown through research to have positive effects and can leverage our natural desires for socialization, learning, mastery, competitiveness, achievement, and other factors. By incorporating meaningful choices, tutorials, challenges, and narratives, gamification can improve user engagement and interest.

While some have dismissed gamification as a fad, its application of game-playing elements, such as competition and collaboration, can be effectively translated into staff training and other areas. For instance, traditional cybersecurity training methods have been deemed ineffective, such as sitting people down for a one-hour course every year, with organizations merely trying to achieve 100% compliance. This approach results in employees merely going through the motions and ticking boxes rather than engaging with the subject.

Collaboration in training

Collaboration is an effective gamification technique for enhancing engagement, as it encourages participants to work together towards a common goal. Team-building exercises often involve group tasks that require collaboration, and this approach can be extended to cybersecurity training. One example is a Top Trumps-style card game, in which players have a set budget and must create a cybersecurity capability encompassing people, technology, and processes. Once each player has finished and each strategy is assessed, the strongest capability wins.

Gamification techniques can enhance the learning experience by embedding principles of cybersecurity into a medium that is more accessible and engaging. Players can engage with the subject without feeling overwhelmed or intimidated, making understanding and retaining the information easier. However, it is important to balance making the training enjoyable and keeping it serious, particularly in cybersecurity.

Simulated disaster management is another effective gamification technique in which cyber incidents are simulated to give staff practical experience of a hack without any risk to the network. Staff can be scored based on their actions during the simulation and how well they collaborate. By assessing the results, organizations can identify key areas for training to focus on.

Finally, video games that teach security concepts can also be effective. One example is CyberCIEGE, structured similarly to the Sims video games. In CyberCIEGE, players take on the role of an IT manager for a small organization and must defend against different types of cyber-attacks. They purchase and configure workstations, servers, operating systems, applications, and network devices while balancing productivity and security within strict budgetary constraints. Players advance through a series of stages in longer scenarios and must protect increasingly valuable corporate assets against escalating attacks. Overall, gamification techniques offer a promising avenue for improving engagement and effectiveness in various training and educational contexts.

Personalized training

It is important to tailor the training to the specific needs and skillsets of the audience to optimize the effectiveness of cyber security training. It is essential to ensure that the training is pitched at an appropriate level, as training that is too basic can be tedious for those with more advanced knowledge. At the same time, too advanced training can overwhelm those with less experience.

It is also important to identify those who require more in-depth training and to provide targeted training to those individuals. Scoring and assessments can assist in identifying areas where individuals require further training.

While those in the security sector, particularly those involved in operations, may be comfortable with gamified elements and language in training, it is possible that individuals outside of this sector may be unfamiliar with gaming and may not fully appreciate the methodology used or the benefits of gamification in training.

Incorporating gamification techniques in cyber security training can enhance engagement and interest and provide a more interactive and effective learning experience. However, it is important to balance making training enjoyable and maintaining the seriousness and importance of the subject matter.

Online security training

The shift to online security training has been accelerated by the COVID-19 pandemic, allowing for greater collaboration between teams across geographic boundaries. While virtual settings may reduce face-to-face interaction, focusing on a shared goal can facilitate better teamwork. Nevertheless, it is important not to lose sight of the primary objective, and to implement an effective training regime, even if it is not gamified. Entertaining elements can be secondary to the need for effective training.

As the cyber threat landscape continues to evolve, it is crucial for cyber security training to adapt and become more engaging. By incorporating competition or taking learners on a journey, they can become more invested in the subject matter. It is important to tailor training to the specific needs and skillsets of the audience, with in-depth training targeted to those who require it most. In addition, scoring and assessments can provide valuable insights into the effectiveness of the training and areas that may require further improvement.