How to Gamify Cybersecurity Learning on a Budget

Author: Tan Soon Chew, CISA, CRISC, CISM, CGEIT, CCSP, CISSP, PMP
Date Published: 1 November 2023

One of the responsibilities of an information security manager is developing a cybersecurity training program by planning, coordinating and conducting relevant cybersecurity trainings to raise and maintain stakeholders’ cybersecurity awareness levels. With a heightened level of cybersecurity awareness, stakeholders can better understand the importance of cybersecurity, which in turn helps minimize malicious attacks or cyberthreats on the organization’s data, systems and networks.

However, cybersecurity learning is not always engaging. So, how can cybersecurity learning be made more interesting while maintaining cost efficiency? This can be achieved by utilizing gamification techniques.

Gamification is “the strategic attempt to enhance systems, services, organizations, and activities by creating similar experiences to those experienced when playing games to motivate and engage users.”1 The goal of gamification is to leverage the psychological and motivational aspects of games to make nongame experiences more enjoyable, interactive and compelling. By integrating game elements, gamification aims to increase participation, foster intrinsic motivation and drive desired behaviors or outcomes.

A study conducted among 365 students at the School of Electrical and Computer Engineering of the National Technical University of Athens, Greece found that challenge-based gamification can improve student performance by 89 percent compared to lecture-based education. A survey was conducted among 124 of the same students to measure their behavior and perception of a gamified course as it related to their motivation and engagement levels, and it was found that 68 percent of students felt that the gamified course was more motivating than a traditional course.2

Gamification makes cybersecurity learning more interactive and enjoyable because it adds elements of competition, reward and progression, which can enhance motivation and engagement. In addition, making learning engaging makes it more memorable, helping learners retain information without adding too much cost to the organization.

Types of Gamification

There are two types of gamification: structural gamification and content gamification.3 Structural gamification involves applying game elements to move learners through content without changes or alterations to the content itself. This type of gamification focuses on motivating employees and keeps them engaged by offering rewards.

In the case of content gamification, the training content itself is altered to make it more game-like. It does not necessarily have to become a fully functioning game, but instead games or activities are added to the existing content. The focus is to increase user engagement by attaching interactive elements such as challenges, feedback loops, storytelling and opportunities to learn from mistakes to offer an engaging training experience.

For example, ISACA’s Questions, Answers and Explanations (QAE) Database has full-length timed practice exams intended to mimic the blueprint and feel of an actual ISACA exam and help candidates manage their time when answering questions. It also includes access to a game center, which consists of flashcards and interactive games to help reinforce key terms and concepts for certification exams.4

Applying Content Gamification to Cybersecurity Learning

There are many ways to implement gamification in an organization, such as engaging professional organizations (e.g., Designing Digitally,5 360Learning6) to provide comprehensive elearning solutions and services based on an organization’s needs. However, such solutions come with a cost.

For organizations with limited budgets or individuals who are looking for cost-effective methods of gamifying their cybersecurity learning, there are three cost-effective approaches to content gamification: game-based learning platforms, word-guessing games and free online games.

Game-Based Learning Platforms
There are several tools available that can help gamify learning and create interactive and engaging experiences for participants. Popular gamification tools and platforms include:

  • Kahoot!—This is a widely used gamification platform that allows users to create and participate in interactive quizzes, surveys and discussions. It includes features such as a point system, leaderboards and timed challenges to engage learners.7 As with any tool, this should be reviewed for security and privacy. Kahoot! complies with the EU General Data Protection Regulation (GDPR) in the processing of personal data of all users.8 Kahoot! has also implemented a set of safeguards and processes covering all parts of the data journey.9
  • Quizizz—This is a game-based learning platform that enables educators to create and play multiplayer quizzes. It includes features such as leaderboards, power-ups and memes to make learning more engaging and enjoyable.10 Quizizz is compliant with the Children’s Online Privacy Protection Act (COPPA) and the EU GDPR, which includes generally accepted industry standards to protect the personal information submitted to them.11
  • Socrative—This is a classroom response system that can be used to create gamified quizzes, polls and assessments. It provides real-time feedback, tracks student performance and offers features such as team competitions and instant grading.12 Socrative is compliant with EU GDPR, COPPA, the Family Educational Rights and Privacy Act (FERPA), the Australian Privacy Act, International Organization for Standardization (ISO) 27001 and Service Organization Control Type 2 (SOC 2) security principles, and is in alignment with the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.13

These tools offer a range of features and functionalities that can be used to varying degrees based on need. For example, an organization can start by simply adding interactive quizzes at the end of training modules. These tools could be used virtually or within a classroom as long as the learners have individual internet devices to access the website.

Word-Guessing Games
During classroom-based training, word-guessing games can be played using flashcards that contain only words or phrases related to cybersecurity.

For example, a class can be divided into two teams: Team A and Team B. Each team selects someone to provide a clue in the first round while the other teammates act as the guessers. A timer can be set for the desired duration of each round. The recommended time allowed is approximately one minute, but this can be adjusted based on preference. The clue provider from Team A starts the round by drawing one flashcard and describing the definition of the word or phrase found on the flashcard to Team A’s guessers. Team A’s guessers listen to the definition and try to guess the correct word or phrase within the given time limit. If the guessers correctly guess the word or phrase before the time runs out, Team A scores a point. The teams alternate turns. The game is finished when a predetermined score or time limit is reached. The team with the highest score at the end of the game is declared the winner.

The goal of the game is to familiarize participants with the definitions of cybersecurity terms and to add elements of competition, creativity and interaction, making studying more enjoyable and engaging. However, word-guessing games may be better suited for classroom-based learning, because it can be challenging to coordinate word-guessing games that take place in a virtual learning environment.

Free Online Cybersecurity Games
There are many free online games available for learning cybersecurity awareness or acquiring basic cybersecurity knowledge. Three examples include:

  1. The Center for Development of Security Excellence (CDSE) created a security awareness game center to provide quick and easy ways to test knowledge and encourage security awareness within an organization.14
  2. Texas A&M University (College Station, Texas, USA) created IT security games for US National Cybersecurity Awareness Month.15 Each game is designed to be fun and engaging while also educating students, faculty and staff about how to be safe online.
  3. The Public Broadcasting Service (PBS) created NOVA Labs, a digital platform where people can actively participate in the scientific process.16 One of the NOVA Labs is cybersecurity themed. NOVA teamed up with cybersecurity experts to create a game in which players discover how they can keep their digital lives safe and develop an understanding of cyberthreats and defenses. Players advance by using computer coding, logical reasoning, critical thinking and vulnerability detection to solve various problems. These are the same skills employed regularly by cybersecurity professionals.

As the name suggests, free online cybersecurity games do not cost anything to access. This makes them highly cost-effective, especially for individuals or organizations with limited budgets. Other advantages include high accessibility, flexibility and convenience. Regardless of location and time, users can access these games according to their own schedule, as long as they have a device with an Internet connection. However, free online cybersecurity games do not allow for content customization. Hence, this method may not address the needs or goals of an organization that wishes to tailor the training content.

Considerations When Applying Gamification

Organizations should consider the unique needs, prior knowledge and learning objectives of their target audience to create an effective and meaningful learning experience. For example, if the target audience has only limited or basic knowledge of cybersecurity, the trainer could use simple games that start with basic scenarios and progressively introduce more complex challenges to align with the learning objectives of building foundational cybersecurity skills. If the target audience is cybersecurity teams who aim to enhance their incident response skills, the trainer could use gamified training that involves immersive, real-time scenarios where teams collaborate to respond to simulated cyberattacks. The game could provide feedback on their incident handling and decision-making skills, aligning with the learning objective of improving their response effectiveness.

Trainers should also take note of any elements that could have a detrimental impact on the target audience’s overall experience and motivation to continue participating in the gamified system, such as:

  • Lack of clear instructions or rules—Without clear instructions or rules related to the gamified training, the target audience may not understand the objectives, how to use the tools or what actions to take. This lack of clarity can lead to frustration as participants may struggle to make sense of the training environment, eventually causing disengagement if they feel it is too difficult to comprehend.
  • Unrealistic learning curve—If the target audience is new to cybersecurity and struggles to make sense of the training, they may quickly become confused and frustrated, ultimately leading to disengagement as they feel incapable of progressing.
  • Monotonous gameplay—If a cybersecurity training game relies on repetitive and monotonous tasks, such as repeatedly identifying the same type of security threat without variation, the target audience may become bored and disengaged due to the lack of variety and challenge in the gameplay. The absence of meaningful progression or new elements can lead to frustration and ultimately disinterest.
  • Unfair or unbalanced point scoring system—The target audience earns points by completing tasks or challenges successfully. If the point scoring system is unfair or unbalanced, with easier tasks and challenges offering disproportionately higher points than difficult tasks and challenges, this could frustrate the target audience, making them feel that their efforts are not being fairly recognized, leading to disengagement.
  • Lack of feedback—Without feedback, the target audience may not know if they are making the right cybersecurity decisions or improving their skills. The absence of feedback can lead to confusion about their progress and ultimately result in disengagement if they feel that their efforts are in vain.
  • Outdated or irrelevant scenarios and examples—The target audience may become disengaged if they perceive the training as irrelevant to them or their organization or if the scenarios and examples given in the training are outdated. This could lead to frustration and confusion about the practical application of the skills being taught.

Conclusion

Gamification in cybersecurity learning has emerged as a powerful tool that harnesses the inherent elements of games to enhance the educational experience. However, it is not a one-stop solution to replace all types of traditional learning approaches. It is meant to provide an additional option to enhance learning, and there are certain considerations that come along with it that must be accounted for.

The effectiveness of gamification relies heavily on the design and implementation of gamified elements. Poorly designed gamified experiences may lead to confusion, frustration or disengagement. Trainers must carefully consider the target audience, learning objectives and appropriate game mechanics to create meaningful and effective gamified learning environments. Hence, feedback on cybersecurity training should be gathered from trainees to improve the cybersecurity training program continually.

In addition to gamification, there are other methods of making cybersecurity learning interesting, such as using real-world examples (i.e., case studies), performing hands-on drills or inviting industry experts to share their cybersecurity experiences and insights. It is essential to critically evaluate whether gamification aligns with organizational learning goals and objectives before implementation. Ultimately, whichever method or combination of methods is used, the aim should be to foster a love for cybersecurity learning and positively shape individual behavior and the security culture of the organization. This aids in reducing an organization’s human-related cybersecurity risk.

Endnotes

1 Hamari, J.; “Gamification,” The Blackwell Encyclopedia of Sociology, 19 November 2019, http://doi.org/10.1002/9781405165518.wbeos1321
2 Verma, N.; “How Effective Is Gamification in Education? Ten Case Studies and Examples,” Axon Park, 19 February 2023, http://axonpark.com/how-effective-is-gamification-in-education-10-case-studies-and-examples
3 Designing Digitally, “Gamified Training: Types of Gamification in Employee Learning,” 31 October 2022, http://www.designingdigitally.com/blog/gamified-training-types-of-gamification
4 ISACA, CISM Questions, Answers and Explanations Database, USA, 2022, http://store.tamilfolksongs.com/s/store#/store/browse/detail/a2S4w000005D5OiEAK
5 Designing Digitally, http://www.designingdigitally.com
6 360Learning, http://www.360learning.com
7 Kahoot!, http://kahoot.com/
8 Kahoot!, “Kahoot! GDPR Compliance Statement,” 7 July 2021, http://trust.kahoot.com/gdpr-compliance/
9 Kahoot!, “Security Measures,” 7 July 2021, http://trust.kahoot.com/security-measures/
10 Quizizz, http://quizizz.com
11 Quizizz, “Privacy Policy,” 9 January 2023, http://quizizz.com/privacy
12 Socrative, http://www.socrative.com
13 Socrative, “Privacy and Compliance,” http://help.socrative.com/en/collections/1250047-privacy-compliance
14 Center for Development of Security Excellence, “Security Awareness Games,” http://www.cdse.edu/Training/Security-Awareness-Games/
15 Texas A&M University (College Station, Texas, USA), “Cybersecurity Games,” http://it.tamu.edu/security/cybersecurity-games/index.php
16 PBS, “Cybersecurity Lab,” http://www.pbs.org/wgbh/nova/labs/lab/cyber/

TAN SOON CHEW | CISA, CRISC, CISM, CGEIT, CCSP, CISSP, PMP

Is an information security manager at Sita Information Networking Computing (Asia Pacific) Pte Ltd. and an associate lecturer at the School of Engineering and Technology at PSB Academy (Singapore). He can be reached at soonchew.tan@psba.edu.sg.