Security Isn’t a Game—Our Data Shows Traditional Security Awareness Training May Be More Effective Than Gamified

Your employees, like those at most companies, probably wait for that final reminder to take their security awareness training. And once they do, they click through the slides as fast as they can, answer a few test questions, and check the box for another year.

Let’s face it—security training isn’t exactly exciting. In fact, three in five employees (60%) consider their security training to be “dull,” according to our recent survey. (See our survey methodology at the end of this piece.)

For many companies, the answer to mundane training is gamification. But does gamification make your security awareness training more effective? Our research says maybe not.

In this report, we’ll explore the results of our security training survey and explain what you need to focus on to protect your business against formidable cyber threats—whether you gamify your security training or not.

We asked respondents to rate their level of engagement when completing security awareness training and the clear winner was gamified. A whopping 90% of gamified security respondents report being at least moderately engaged compared to only 62% of non-gamified.

The split is just as apparent among those who report being very engaged (39% to 18%). Clearly, gamification improves engagement to some extent.

The problem is, engagement doesn’t necessarily mean employees are retaining more knowledge. It could be that gamified training is simply more entertaining.

As mentioned earlier, 60% of employees describe their security training as dull. Intriguingly, there’s very little difference in opinion when broken down among our two groups—57% of gamified training recipients compared to 63% of non-gamified consider their security training dull. So whether training is gamified or engaging, or not, about the same percentage still find it dull.

While gamification can make training more entertaining and thus more engaging on some level, in the end no amount of dressing it up will make your employees forget they’re taking security awareness training.

Security breaches occur more often at companies that use gamified security training compared to those that use traditional methods, according to our survey.

Phishing attacks, in which someone at the company clicks a malicious link in an email, are suffered by 82% of companies that use gamified security training, compared to only 67% of those that employ traditional training methods. In the case of ransomware attacks and data breaches, the difference is even starker.

These are alarming statistics that must be considered by any company that engages in gamified security awareness training.

But it gets even worse. Not only is gamification apparently less effective at preventing security incidents, companies are putting significantly more resources into it than those providing traditional training.

More than two in three employees (65%) who take gamified training report doing so more than once per year, compared to only 39% of non-gamified. One explanation could be that the relatively high cost of developing gamified training programs (33% of gamified training involves virtual or augmented reality) is prompting companies to leverage it more often in an effort to realize more value. But in actual reality, these companies may be doubling down on a failing strategy.

Our research finds that companies engaged in gamified training tend to overlook fundamental topics. We asked about the subjects covered by each survey respondent’s security training and found very close percentages on topics such as remote work and social media guidelines, but as you can see below, other subjects diverged sharply.

Non-gamified training comes out well ahead on password policy, data privacy, acceptable use policy (AUP), and onsite security training. Social engineering is the only topic that gamified training covers to a higher degree than non-gamified. This makes sense. Social engineering is conducive to an array of gameplay elements such as simulations, puzzle solving, and social interactions.

But other important topics are less conducive to gameplay. Take AUPs, which tend to be dry documents distributed among a dozen others documents upon hiring. Your AUP serves as the broadest level of IT security policy for your business and defines the proper use of all IT systems including hardware, mobile devices, software, internet, and Wi-Fi. And while it might be difficult to gamify an AUP, there are ways to make it more employee-friendly. To help, we’ve created a unique resource: "Developing an Acceptable Use Policy Employees Will Actually Read."

Another area of concern is onsite security. Also known as physical security, this covers facility access along with the protection of computer hardware and other information assets. All the cutting edge cybersecurity software won’t help a bit if someone walks in and grabs an unlocked laptop from the breakroom or snaps a picture of your product pipeline on a whiteboard.

Admittedly, these are correlations and there could be other factors at play that are affecting the above statistics. But this data strongly suggests gamified security training is often less effective than traditional training methods.

This leads us to three important takeaways:

1. Gamification can improve engagement, but not enough for most employees to rate security training as anything but dull.

2. Security incidents are reported at a much higher rate among employees who receive gamified security training.

3. Gamified security training tends to overlook basic security topics such as password policies, data privacy, AUPs, and onsite security.

Taken together, these points should prompt you to reevaluate your training strategy to ensure that all relevant topics are covered, while infusing it judiciously with gamification to add dynamic elements that boost engagement.

Another way to optimize engagement is to focus on what employees want from their training.

Employees prefer monetary rewards, simulations, and individual training

It’s not a game without some sort of reward, whether it’s in the form of a monetary prize or some type of formal recognition. If you think that a gift card is more desirable to employees than a pat on the back, consider our research a confirmation.

Our respondents prefer monetary rewards, but not by much.

When asked which elements would improve interest in security awareness training, the top responses are monetary rewards (57%), leaderboards (51%), and achievement badges (43%). Non-monetary prizes (such as company swag or special privileges) and recognition awards trailed behind with 37% and 35% respectively. It should be noted that only 2% prefer not to have a reward system.

The most popular gamification methods are real-world simulations (54%), puzzle solving (53%), and virtual or augmented reality (45%). Personalization and social elements are each favored by 39%.

Competitive elements are not popular, with only 22% of employees indicating interest in adding competitive elements into their security training. It follows, then, that most employees prefer individual training (58%) to team-based challenges (42%).

Gamification is known to have clear benefits when it comes to incentivizing employees to increase productivity or boost sales. But when gamification is used to guide behaviors, it must be designed very carefully to avoid blind spots and prevent unintended consequences.

Gamification has its place. Just don’t expect it to be a silver bullet for your security woes—and be prepared to be disappointed if you don’t also supplement it with some good old-fashioned “dull” security training.