How can companies apply gamification to security awareness training?
By Staff Writer, 15 February 2021 | Categories: feature articles
By Lehan van den Heever, Enterprise Cyber Security Advisor for Kaspersky in Africa
Typically, and traditionally, people don’t enjoy corporate learning. For example, 42% of respondents working in companies with more than 1,000 employees said that the majority of training programmes they attended were useless and uninteresting. And this perception is often true when it comes to security awareness education.
We often hear from our customers that they are tired of traditional, boring security basics training. Instead, they are exploring the use of completely game-based courses, which are fun and entertaining. However, there is also an opposing train of thought: some customers don’t feel comfortable about implementing any gaming techniques in corporate education. They still believe that games are for teenagers and children only, and that it is nonsense to suggest adults – and especially business executives – should play games in order to learn.
In fact, games (formats where a person acts in an imaginary world and/or as another character) and the process of gamification (when only some game elements are added) are great learning techniques. And like any other methods, they work best when specific aims and limitations are included.
Why can’t we just play the security awareness game?
First of all, the scope of even basic cybersecurity rules is very large. For example, the content of our security awareness training is almost three times larger than The Forsyte Saga by John Galsworthy. If translated into simulation-based training, the course would have to contain all possible situations to let people ‘check’ every option until they came to the most secure decisions. So, we can only imagine how long it would take to finish such an educational module.
Time is not the only factor to consider. As a person is ‘immersed’ in an artificial environment, gaming techniques require concentration and involvement. Research shows that the human body reacts to stress in a game the same way as during problematic situations in real life. This is why people may even feel tired after playing video games. In a game based on cybersecurity basics, the player will constantly face dilemmas - after all, the decisions could affect their virtual money or career for example. So, after several hours of such training, employees will not be able to simply return to their duties but will need time to rest and recover.
Does this mean that gaming techniques are too hard to implement and learn from? To answer this question, we should understand what the ultimate aim of a security awareness course is.
Companies introduce such training not only to encourage staff to study cybersecurity rules, but to ensure that employees gain skills and actually apply them. Guidelines are not always the most convenient ones – for example, it is much easier to share a confidential document through the same cloud storage that one uses to store photos of their cat, instead of using the secure, corporate-specific service. So, to change such behaviour patterns, it is necessary not only to provide instructions and develop practical skills, but to work on motivation and inclination.
In this regard, a game turns out to be the most effective option to encourage employees. The best way to understand why one should act in a certain way is to learn from their own mistakes. In the case of cybersecurity, a company cannot let every employee do something wrong – such as wait until a document is leaked to malefactors – to see how severe the consequences of a cyberattack could be. But they can give them a game, where they can ‘live’ the situation and experience the aftermath as if it is happening in reality, without causing any harm to the company.
Gaming techniques also help to overcome initial resistance to learning. Cybersecurity training is usually seen as boring, abstruse and difficult. But when employees see funny pictures with familiar situations in the context of a game simulation, it turns out that cybersecurity training is not such a terrible thing.
In addition, there will be some employees who are sure that they have already mastered cybersecurity skills and that the course is a waste of time. With a short comic-like test, where a person makes bets, it’s much easier to persuade them. Usually, employees are more enthusiastic to take part in these short assessments, and gamification makes people more curious to pass the test and find out their results. When people see that there are some gaps in their knowledge, they are more willing to take a security awareness course.
Moreover, our experience shows that, despite the doubts of managers responsible for training, business executives get involved in game formats too. For example, we provide a special game where C-level managers try to walk in the shoes of Chief Information Security Officers (CISOs). As a result, they see how cybersecurity may affect the business, including critical areas such as profit losses.
If employees overcome their biases, the theoretical course is set on prepared ground and learning becomes more productive. Of course, initial motivation wanes over time, so it is not enough just to start with a game. We recommend adding gaming elements or simulations as reinforcement to the curriculum, as employees go through the training process.
Successful education on cybersecurity basics should consist of different formats. Gaming techniques are not a silver bullet, and they alone will not solve all issues related to corporate education. To achieve the desired results, they must be appropriately embedded into the whole learning cycle and combined effectively with an information-based course. A game should act as the dessert course of any education menu that makes everything a little better. But it cannot be the only dish.