Winning Cybersecurity Like a Gamer


It took the CISO over eight nights to prepare an extensive PowerPoint presentation on cybersecurity for the company’s employee training program. But ten minutes into the session, he noticed the team’s dazed eyes and distracted whispers and knew that the complex slides were hardly being registered. He needed a better approach, pronto.

ITV, the UK’s main commercial TV channel, faced a similar situation. The company has over 6,700 staff and places security at the top of its priority list. When they realised that meetings and PowerPoint presentations would not cut it, they sought a better technique.

ITV began to organise physical Escape Room roadshows that toured around the country for cybersecurity training. A local office would be set up to mimic a cybercrime hotspot with several IT security clues hidden inside the room. The participants had to find the clues and solve them to escape from the room. During the pandemic, the company collaborated with video training company VIVIDA and created a virtual Escape Room interactive experience consisting of 45 minutes of engaging puzzles. The company found the right strategy to engage its employees and avoid employee-driven cyber vulnerabilities.

One errant click and the company is doling out dollars to fulfil the ransomware demands. 

In 2017, Ponemon Institute reported that 28 per cent of data breaches worldwide are due to human error. Four years later, researchers from Stanford University revealed that approximately 88 per cent of all data breaches are caused by employee errors. While most employees do not intentionally cause harm, their uninformed actions can become a critical liability for the company.

Cybercrime is not slowing down, and companies are looking for effective strategies to prevent employee-driven mistakes. As demonstrated by ITV, one of the most popular and effective training methods is gamification, and several companies are investing in it. Infosec Choose Your Own Adventure allows learners to play various cyberattack scenarios and make their own choices.

According to a report by the International Information System Security Certification Consortium, or (ISC)², there are over four million unfilled cybersecurity positions today. It has become more important to train existing cybersecurity employees and IT teams.

Why Gamification?

War games help the military train and test their new strategies and theories without engaging in a real demonstration. In the same way, employees can be trained for threats through attack simulations. From reaction time to defences, mimicking possible cyberattack scenarios through gamification can help employees sharpen their skills and learn to emotionally deal with a situation that puts their organisation and their own jobs at risk.

Supporting the theory, Pulse Learning research reveals that 79 per cent of corporate freshers state that they would be more motivated and productive if their learning environment was driven by games.

PricewaterhouseCoopers (PwC) developed Game of Threats to strengthen their employee defence skills. According to PwC, the program is a digital game that simulates the speed and complexity of a real-world cyber breach to help executives better understand how they can protect their organisation. They expanded their gamification program for financial crime and crisis management.

Is CTF Effective?

A classic gamification technique that has long existed in the cybersecurity ecosystem is Capture The Flag (CTF). Demonstrating hacking and reverse engineering skills, the participants must find the flag and win the contest. Experts opine that the CTF is both fun and educational, but it has one major limitation – only a highly skilled professional can play the game and have a winning chance.

According to research by Komodo Consulting, most people who register for CTF score no points. When companies decide to design their cybersecurity training games, they should be thoughtful about the game format. Training games need to be more elaborate with basic, intermediate, and advanced levels. Simulations, puzzles, and adventure games are some of the most common creative styles.

Exploring The Gamified Framework

Using positive reinforcement to reward good behaviour, Digital Guardian created a game, DG Data Defender, to help companies increase employee engagement in data security.

Experts urge companies to develop a continuous gamification program and not a one-time workshop. Keeping track of employee progression through milestones, rewards at certain levels, and a leaderboard can keep them motivated while imbibing better knowledge.

For instance, Inno-Versity’s upgraded Cyber Security Awareness Training (CSAT) consists of three to five levels within each of its six modules. The eLearning program was built around a fictional hacker who had to be defeated through smaller games and puzzles at each level. In the finale (the last module), the participants need to face the hacker and defeat him by applying the techniques and strategies used in the previous levels. Inno-Versity’s gamification system also includes follow-ups. Participants receive monthly learning opportunities through their Learning Management System that consists of 80 per cent refresher material and 20 per cent new material.

Microlearning and Gamification Work

Gamification and microlearning are actually a winning combination. With a better chance at offsetting employee forgetting curves and increasing learning, gamified microlearning can address a participant’s short attention span. Every module and every level should have a learning objective. It is important to focus on performance-based learning and include real-life scenarios by using characters, content and settings that employees can relate to.

For instance, with over 80,000 licensed users, a microlearning program called Drip 7 allows organisations to gamify their cybersecurity awareness training to increase retention. Additionally, Coreaxis is an award-winning platform that offers companies gamification training solutions.

Beyond Flags, Puzzles and Simulations

Some of the basic cybersecurity gamification essentials include visual aids and reward points. Experts also recommend Artificial Intelligence (AI) and Machine Learning (ML) to bolster company training to handle AI-driven cyber threats. Circadence Corp. infuses AI and ML into their gamification to constantly update game environments based on new hacker knowledge and surfacing problems.

Going after threat actors is not the solution but preventing core vulnerabilities is. Taking an inspiring initiative, the Cytaka platform recently announced that it was going to offer a million dollars every month to participants of its gamified cybersecurity-focused coding education who make it to the live competition. The first competition was recently held in Dubai.

The primary effects of cybercrime are financial, reputational, and legal. Cybersecurity Ventures predicted that global cybercrime costs are expected to rise beyond $10 trillion by 2025. If gamification in marketing strategies can increase a brand’s revenue and reputation, gamification of cybersecurity training will certainly help organisations stay away from the hacker radar.