
Security Isn’t a Game—Our Data Shows Traditional Security Awareness Training May Be More Effective Than Gamified

Dec 12, 2021

Ransomware attacks and data breaches occur far more often at companies that use gamified security training compared to those that use traditional methods.

Zach Capers, Sr. Content Analyst

Your employees, like those at most companies, probably wait for that final reminder to take their security awareness training. And once they do, they click through the slides as fast as they can, answer a few test questions, and check the box for another year.

Let’s face it—security training isn’t exactly exciting. In fact, three in five employees (60%) consider their security training to be “dull,” according to our recent survey. (See our survey methodology at the end of this piece.)

For many companies, the answer to mundane training is gamification. But does gamification make your security awareness training more effective? Our research says maybe not.

In this report, we’ll explore the results of our security training survey and explain what you need to focus on to protect your business against formidable cyber threats—whether you gamify your security training or not.

What is gamification of security training?

Gamification is a method used to improve knowledge retention by making training sessions more engaging through competition, simulation, or other types of game playing. For security training, this might be a choose-your-path role-playing game, an escape-room style puzzle, or a full-blown virtual experience.

Gamification improves engagement—but perhaps not effectiveness

We asked respondents to rate their level of engagement when completing security awareness training and the clear winner was gamified. A whopping 90% of gamified security respondents report being at least moderately engaged compared to only 62% of non-gamified.

The split is just as apparent among those who report being very engaged (39% to 18%). Clearly, gamification improves engagement to some extent.

[Figure: Security training engagement]

The problem is, engagement doesn’t necessarily mean employees are retaining more knowledge. It could be that gamified training is simply more entertaining.

As mentioned earlier, 60% of employees describe their security training as dull. Intriguingly, there’s very little difference in opinion between our two groups: 57% of gamified training recipients consider their security training dull, compared to 63% of non-gamified. So whether or not training is gamified and engaging, about the same percentage still find it dull.

While gamification can make training more entertaining and thus more engaging on some level, in the end no amount of dressing it up will make your employees forget they’re taking security awareness training.

Our research shows a strong correlation between gamified training and higher rates of security breaches

Security breaches occur more often at companies that use gamified security training compared to those that use traditional methods, according to our survey.

Phishing attacks, in which someone at the company clicks a malicious link in an email, are suffered by 82% of companies that use gamified security training, compared to only 67% of those that employ traditional training methods. In the case of ransomware attacks and data breaches, the difference is even starker.

[Figure: Security breaches]

These are alarming statistics that must be considered by any company that engages in gamified security awareness training.

But it gets even worse. Not only is gamification apparently less effective at preventing security incidents, companies are putting significantly more resources into it than those providing traditional training.

Nearly two in three employees (65%) who take gamified training report doing so more than once per year, compared to only 39% of non-gamified. One explanation could be that the relatively high cost of developing gamified training programs (33% of gamified training involves virtual or augmented reality) is prompting companies to leverage it more often in an effort to realize more value. But in actual reality, these companies may be doubling down on a failing strategy.

Gamified training tends to be less comprehensive than traditional training

Our research finds that companies engaged in gamified training tend to overlook fundamental topics. We asked about the subjects covered by each survey respondent’s security training and found very close percentages on topics such as remote work and social media guidelines, but as you can see below, other subjects diverged sharply.

[Figure: Security subjects]

Non-gamified training comes out well ahead on password policy, data privacy, acceptable use policy (AUP), and onsite security training. Social engineering is the only topic that gamified training covers to a higher degree than non-gamified. This makes sense. Social engineering is conducive to an array of gameplay elements such as simulations, puzzle solving, and social interactions.

But other important topics are less conducive to gameplay. Take AUPs, which tend to be dry documents distributed among a dozen other documents upon hiring. Your AUP serves as the broadest level of IT security policy for your business and defines the proper use of all IT systems including hardware, mobile devices, software, internet, and Wi-Fi. And while it might be difficult to gamify an AUP, there are ways to make it more employee-friendly. To help, we’ve created a unique resource: "Developing an Acceptable Use Policy Employees Will Actually Read."

Another area of concern is onsite security. Also known as physical security, this covers facility access along with the protection of computer hardware and other information assets. All the cutting-edge cybersecurity software won’t help a bit if someone walks in and grabs an unlocked laptop from the breakroom or snaps a picture of your product pipeline on a whiteboard.

So what does this mean for your security awareness training?

Admittedly, these are correlations and there could be other factors at play that are affecting the above statistics. But this data strongly suggests gamified security training is often less effective than traditional training methods.

This leads us to three important takeaways:

  1. Gamification can improve engagement, but not enough for most employees to rate security training as anything but dull.

  2. Security incidents are reported at a much higher rate among employees who receive gamified security training.

  3. Gamified security training tends to overlook basic security topics such as password policies, data privacy, AUPs, and onsite security.

Taken together, these points should prompt you to reevaluate your training strategy to ensure that all relevant topics are covered, while infusing it judiciously with gamification to add dynamic elements that boost engagement.

Phishing tests are probably the most well-known and effective examples of security gamification. The success or failure of phishing tests provides insight into your company’s vulnerabilities to phishing schemes, which our annual data security report finds are a rapidly growing threat. Check out our free resource to learn how to spot phishing emails and explore our catalog of phishing prevention software.

Another way to optimize engagement is to focus on what employees want from their training.

Employees prefer monetary rewards, simulations, and individual training

It’s not a game without some sort of reward, whether it’s in the form of a monetary prize or some type of formal recognition. If you think that a gift card is more desirable to employees than a pat on the back, consider our research a confirmation.

Our respondents prefer monetary rewards, but not by much.

[Figure: Security training reward systems]

When asked which elements would improve interest in security awareness training, the top responses are monetary rewards (57%), leaderboards (51%), and achievement badges (43%). Non-monetary prizes (such as company swag or special privileges) and recognition awards trailed behind with 37% and 35% respectively. It should be noted that only 2% prefer not to have a reward system.

The most popular gamification methods are real-world simulations (54%), puzzle solving (53%), and virtual or augmented reality (45%). Personalization and social elements are each favored by 39%.

Competitive elements are not popular, with only 22% of employees indicating interest in adding competitive elements into their security training. It follows, then, that most employees prefer individual training (58%) to team-based challenges (42%).

If you choose to gamify, integrate it carefully into your security awareness training program

Gamification is known to have clear benefits when it comes to incentivizing employees to increase productivity or boost sales. But when gamification is used to guide behaviors, it must be designed very carefully to avoid blind spots and prevent unintended consequences.

Gamification has its place. Just don’t expect it to be a silver bullet for your security woes—and be prepared to be disappointed if you don’t also supplement it with some good old-fashioned “dull” security training.

Want to learn more about creating a cybersecurity awareness training program? Read our guide: "3 Essential Elements of an Effective Security Awareness Training Program."

Methodology

GetApp’s Security Awareness Training Survey was conducted November 2-4, 2021 among 573 respondents to learn more about security training practices at U.S. companies. All respondents indicated full employment and that they engage in security awareness training at least once per year.

All respondents were provided with a definition of gamification (the same as provided above) and asked to rate their security awareness training on a scale from not-at-all gamified to very gamified. For the purposes of this report, we refer to the group of 300 respondents who selected very or moderately gamified as “gamified” and those 273 who chose minimally or not-at-all gamified as “not gamified”.

About the author

Zach Capers

Sr. Content Analyst
I’m a senior content analyst at GetApp where I've been covering security and tech trends since 2018. The one tech trend I think you should keep an eye on: How emerging data privacy laws are impacting the ad tech industry.