How gamification can boost your cybersecurity training

(Editor’s note: contributed blogs like this are part of’s annual sponsorship program. Find out more here. This article was originally posted to the ESET site We Live Security by Amer Owaida, security writer, ESET.)

Since 2017, each April 21st we mark World Creativity and Innovation Day. It’s a day dedicated to celebrating creative and innovative thinking, but it doesn’t mean it has to be limited to the creative industry and arts. Applying that creativity and innovation to every field is essential – especially to ones that may be viewed as highly technical and a bit dull, such as cybersecurity.

Since human errors and mistakes are often to blame for many breaches, improving employee cybersecurity awareness should be at the forefront of most companies’ security training. And not just companies; millennials who grew up with the internet permeating all aspects of life are now raising children who can’t imagine a world without computers or the web. So, millennial parents should probably teach their children how to be safe on the interwebz and who knows, that may even motivate them to consider a career in cybersecurity.

Giving lectures or endless PowerPoint presentations doesn’t cut it anymore for many employees, since more often than not your audience members won’t keep their attention throughout the whole thing. The key isn’t merely to demonstrate examples of phishing attacks or types of malware, but to hold their attention while making the whole exercise creative: that’s where gamification comes in.

The dictionary definition of gamification would be the adding of game principles, game thinking or game logic to a task to encourage participation – long story short, make training a game. By making learning more interactive and fun, you motivate the participants to engage more with the material and to practice. Since they try it out themselves, they can learn faster and commit the material to long-term memory.

One of the simplest examples of gamification when it comes to cybersecurity concerns phishing attacks. Instead of just demonstrating examples of phishing to your employees, you test them using a game or quiz where they’ll have to catch the phish.

To make the exercise even more rewarding, you can add points … and once employees have accumulated enough points, they can exchange them for prizes. Rewards keep them engaged and motivated to do their best while mastering the skills you want them to acquire. To put it in numbers: 8 in 10 employees feel more motivated when their training is gamified.

To up the stakes, you can also add leaderboards so that the employees are competing against each other. Healthy competition never hurts, and it also adds incentive since everybody wants to perform at least on the same level as their colleagues.

Gamifying training does bear fruit: the employees not only remain motivated and engaged, but their organization sees results as well. “Over the course of this last year, we had a 10% reduction in end user risk. Most organizations, when they get compromised, it happens because an end user has a weak password, gets phished or downloads malware. The amount of education you need to do around these things is incredible. One percent to 2% is a win, but a 10% reduction is remarkable,” George Gerchow, the chief security officer at Sumo Logic, told InfoSecurity Professional Magazine.

Employees are on the frontlines and mistakes are costly; in the event of a major cybersecurity breach or incident, though, it’s usually the executives who have to act and deal with the fallout. They are the ones who need to identify threats and make decisions, especially when time is of the essence. So, they need to train as well. And what better way to train than to experience a cyberattack – a simulated one, that is. You may have heard of the concept of war games; these are used by militaries all over the world to test out their theories and strategies without having to engage in actual hostilities.

A cyberattack simulation operates on the same premise: the company gets to test out its reaction times and defenses without incurring damage of any kind. Based on its results, it can then analyze the areas where its policies and skills were lacking and improve them. First and foremost, it is an educational exercise – but since it mimics real-life scenarios, it is easier to comprehend attacks once you have experienced (simulated) ones than by just reading about them. One such game was developed by PricewaterhouseCoopers.

Having a basic understanding of cybersecurity is a must in this day and age, and companies have to continuously train their employees and raise their awareness of the threats they face. Having a creative and innovative approach to training can make a huge difference – not only will it be engaging for employees, but it is more likely they will be more proficient in identifying cyber-threats.