Gamified Cybersecurity Education and Awareness in the Enterprise


Addressing the difficult challenges in cybersecurity requires alignment from all stakeholders in an organization. It is a complex topic, and disconnects in many areas can hinder this effort.

This misalignment can be found between:

  • the skills imparted by courses, and the skills actually required by organizations.
  • candidates and HR executives, in terms of skill validation and demonstrating continued professional development.
  • employees getting work done and IT, who expect them to make well-considered trust decisions.
  • security professionals and managers, regarding the tools, training or power that will allow them to be effective in their roles.
  • management and the board (sometimes due to the lack of a shared vocabulary), which may prevent important issues from being discussed at the highest level.

I believe that implementing continuous, gamified cybersecurity education throughout the organization can help to provide this alignment.

For potential IT security hires, achievements on a competitive, gamified learning platform allow them to attest to their skill and continued professional development, while gaining CPE credits in the process. Providing existing employees with this gamified hands-on training can keep their skills relevant in a fast-moving environment, identify areas for improvement and reduce churn. They can immediately apply gained knowledge of the latest vulnerabilities and attack paths to their role of defending the organization.

Knowledge is empowering, and gamification is motivating.

We can also imagine how the reduction of risk and technology debt internally could be gamified. Identifying security vulnerabilities is one thing, but having the political power to coordinate remedial efforts in production environments is another. Systems administrators and developers with an eagerness to address these issues, and an awareness of how misconfigurations and vulnerabilities can be introduced, exploited and mitigated are worth their weight in gold.

On the user side, the standard compliance-driven cybersecurity training is often not very engaging, and itself leads to gaming, with employees seeing if they can pass the assigned “training” using trial and error. Providing this in a gamified, interactive format, instead of just multiple choice questions would definitely lead to greater user engagement. General user engagement on cybersecurity issues is so important; the organization benefits massively if they are willing contributors to an organization’s cybersecurity regime.

Implementing a programme of simulated phishing is also very important to an organization’s security posture, and is arguably itself a form of gamification. However, care should be taken to ensure that employees feel empowered by this process, in order to make the right trust decisions and seek appropriate advice (without seeing it as entrapment). Simulated phishing platforms could offer a truly gamified experience, offering rich content to users who at that point are offering their full attention after failing the test. Instead, many serve up the standard multiple choice approach to learning.

Let’s include the board in gamified learning too, and build out a common cybersecurity vocabulary, so all levels of the organization have a shared understanding and ask the right questions. Additionally, short reads such as “Whaling for Beginners” provide executives and board members alike with an excellent and accessible introduction to cybersecurity. An understanding of the threat landscape, and of how they themselves could introduce cybersecurity risk to the organization, should help to ensure that change comes from the top down as well as from the bottom up.

What is your take on this? How else can we improve engagement and alignment on enterprise security issues? Do you see any other areas that could be enhanced through gamification?

Written on May 12, 2020