How To Breathe New Life into Your Security Training Program with Games

Understanding Gamification

Gamification is one of the most effective ways to engage and motivate learners. It allows learners to engage with training material through techniques typically used in games, like high scores, rewards, and team play. Gamification supports a range of training materials from simple content interaction (for factual retention) to immersive simulations (for more complex decision making and analysis).

Learning is a journey, not a single event. In fact, training for the immediate test is not a sustainable approach because it leads to short-term retention for high test scores without lasting behavioural change. Your approach to training should be ongoing and systematic, using gamification for measurable performance improvement over time. As such, gamification should be based on long-term growth and skills development in line with your organizational objectives.

As you add gamification to your security training program, keep three principles in mind:

1. Align motivations between the learner and your organization

To align the motivations of your learner and the organization as a whole, consider your learner and their goals. Examine your organizational goals and what might happen if you don’t meet a goal. How will extrinsic rewards help the learner?

2. Make gamification relevant to the learner’s context

Make the games relevant to the learner by thinking about their day-to-day experiences and how their performance is measured. Analyze the gaps that provide the greatest opportunities for them to learn and grow, and how that growth will look in their current role.

3. Make gamification easy to understand

Consider the basics, like whether the learner will require additional tools or software, and be sure to explain how scoring works. Make a concrete plan for game updates. How will gamification demonstrate performance improvement?

Gamification Techniques

Here are six techniques to use as you integrate gamification into your eLearning program.

1. Leaderboards

Leaderboards are a common way to incite competition and motivate learners to excel past their peers. Display the scores in a centralized location, easily accessible to your learners. Decide on an objective ranking system that ranks learners based on overall training objectives.

Implementing a leaderboard

  • Decide on a clear, measurable goal that will drive the intended behavior.
  • Communicate and track the requirement and progress to encourage completion.
  • On a weekly basis, post a report that lists the number of courses each participant has completed to date (for example), highlighting the top 10.
  • Make this “Leaderboard” available and email it to each participant to track their progress.

2. Milestones / Levels

Milestones and levels give your learners an opportunity to accept new challenges. Start simply so learners can understand what is expected, then introduce more challenges as each level is completed. Establish a significant milestone, target, or progression level and share it with your learners. Assign set titles like Novice, Intermediate, Advanced, and Expert or create a Belt program. For example, a Level 1 achievement, or white belt, is awarded for successful completion of specific basic training courses. Titles are seen as bragging rights and encourage participants to complete more courses.

Implementing Milestones / Levels

  • Assess the learner’s role and skillset, grouping and aligning courses appropriately.
  • Start with the most general courses and, as they are completed, increase the complexity of the next assigned course.
  • At the advanced level, consider how a participant is enrolled in a real-life, hands-on experience (such as an OWASP Virtual Lab from Security Compass).

3. Multiplayer

This approach works well for large organizations or groups of remote employees where team building, bonding, and engagement is needed.  Organize your teams by department or – even better – mix them up. Then challenge your teams to complete the most, be the fastest, or achieve the highest score. This brings a competitive yet fun element to training. You can tie this into levels or leaderboards.

Implementing Multiplayer

  • Decide how your teams will be grouped, perhaps by role or across departments to encourage team building. Build some balance across teams.
  • Encourage each team to create their own team name.
  • Track progress on a leaderboard and create incentives for being near the top of the board.

4. Lives / Chances

In this case, a learner is granted a set number of “lives” or “chances” to complete a level or course. This allows your learner’s freedom to fail by allowing multiple lives, second chances, or alternative methods to succeed. This is an extremely engaging tactic, as it keeps learners motivated to work through a challenge for points or rewards. You can track this or help your learners understand that it is okay to fail once or twice, provided you have learned the concept by the time you pass the level.

Implementing Lives / Chances

  • Decide how many attempts you want to allow for completing a level or course.
  • Look for ways to restore lives as they work through the course.
  • Combine this with multiplayer to encourage team building.

5. Rewards

In this technique, learners receive a gold star, badges, or additional points to unlock a prize. Incentives are historically used as a motivator for learners in any program, and this does not need to be monetary. Understanding your learners and what motivates them is important. Learners who submit Continuing Professional Education (CPE) credits may also opt to submit credits for the duration of time spent completing security training.

Implementing Rewards

  • Implement a points system for rewards. Have each course associated with a set number of points to be collected, and cashed in for items such as lunch with a co-worker or manager, swag, or even paid time off.
  • If possible, use shout-outs at the next company meeting, or simply bragging rights within the learner’s department.

6. Create a Quest

A quest consists of several missions that bring your learner closer to the objective of winning. For security training, the objective is to create secure software. The quest is the journey to get there.

Implementing a Quest

  • Create tailored learning tracks for each learner’s role. For example, a high-level, general security fundamentals course will not provide your developers with all the tools needed to code securely (the quest). You should add more complex coding and framework-specific courses to train your developers.
  • Align a quest (learning track) to certification like SSP certification through (ISC)².

Conclusion

Before implementing gamification into your training program, align the idea with overall objectives. Always provide learners with clear instructions to avoid confusion and optimize your efforts.

Games are fun but losing sure isn’t! For a training program to be successful, learners must be willing to participate, and passing should be seen as a real possibility. It is important that your learners get feedback when they lose – this not only helps solidify learning but also motivates learners when there is a clear direction for improvement. Provide the right courses, associated with the skill set of the participant. Advanced, seasoned learners should not be required to complete very basic courses, and non-technical general staff should not be expected to complete technically complex courses.

Creating a successful gamification program involves many other aspects. You need to consider buy-in from executives, alignment with organizational objectives, appropriate performance metrics, intended impact to the culture, communication, continuous improvement, and much more.

Security Compass has a history of providing security training courses that are independently verified for quality whether you need ISC(2) certification, vetted by industry professionals, or demonstrable use in some of the largest organizations in the world. Your gamification strategy should not be an Adhoc extension to an existing training program. Leverage our experience with eLearning to create a gamification strategy that aligns your learner objectives with organizational objectives.

Your aim is to move your organization’s culture toward accepting security training as part of the job and to see the benefits of keeping software secure. For more techniques aimed at driving the participation of your training initiatives, talk to us.


About Security Compass
Security Compass, a leading provider of cybersecurity solutions, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, allows organizations to balance the need to accelerate software time-to-market while managing risk by automating significant portions of proactive manual processes for security and compliance. SD Elements is the world’s first Balanced Development Automation platform. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries. The company is headquartered in Toronto, with offices in the U.S. and India. For more information, please visit https://www.securitycompass.com/