‘Games have the potential to strengthen security culture, especially when deployed as part of a broader program of interventions.’ That is the conclusion of Cybersecurity and human behavior: the added value of games for a strong security culture by Suzanne Janse and Annebeth Erdbrink. We’d love to take a few minutes to tell you all about it.

The article appeared following an evaluative study that PhD student Erdbrink (TU Delft) is currently conducting using a training game that is frequently used by a variety of companies: Awareways’ Human Firewall training.

“Games can not only reinforce awareness, but also trigger small changing actions. For more lasting behavior change, a game should ideally be part of a bigger picture, a broader program of interventions. Concretize what behavior is desirable, measuring, analyzing and adjusting the intervention program in advance and on an ongoing basis are important prerequisites for this.”

The Human Factor

The fact that the human factor has a leading role in security awareness campaigns that actually work, is familiar ground to Janse and Erdbrink. “Where security experts used to focus on awareness campaigns, the effect of these campaigns – the actual behavioral change and the impact on the organizational culture – is getting more and more attention.”

Their article discusses how the impact of interventions can potentially be enhanced from behavioral psychology and game science, two of Awareways’ pillars. It’s also precisely why our Human Firewall training was made into a case study to show that games have potential, particularly as part of a larger, broader program of interventions.

Awareways specializes in strengthening security culture through managed security awareness programs. These are interactive, guided campaigns with insightful reporting and dynamic adjustment to achieve measurable results. Interventions are combined in an innovative learning experience platform, which we are happy to tell you more about on this page

Gamification in security awareness

Gamification as an application in learning programs offers creative opportunities to make topics more interactive and challenging, so that you engage with them in a stimulating way. The social element of gamification as an application in training (processing learning material in groups and/or in the form of competition) is an additional factor of stimulation, as social interaction promotes engagement as well. On top of this, game elements – winning, positive feedback and the social interaction with, in this case, colleagues – further increase the effectiveness of learning.

Gamification has a positive influence on the attention span of participants, thanks to interaction, dynamics and engagement. The competition of a game environment provides an ongoing stimulus to work with the material – resulting in an enhanced focus on the content and a more effective retention of the material. Elements such as immediate feedback and earning badges for successful completion of challenges affect motivation, drive and the degree to which the material sticks.

With her research, Erdbrink wants to see how these types of cybersecurity games work (in terms of attitude and behavioral change), how they are perceived and what can be adapted so that their impact can be further increased.

About 60 personal assistants from TU Delft volunteered to participate in the experiment so far. Before and after the game, they filled out questionnaires and, in addition, several interviews were conducted.

The Human Firewall training is a collective crisis exercise for the entire organization, in which every employee is part of the security chain – not unlike in the real world. The training simulates an attack on the network, after which employees have to work together to build the human firewall. Realistic (cyber) risks and threats are combined with work situations and facilities of daily practice.

The assignments or “microlearnings” include strong passwords, data classification and minimization, vishing and (spear)phishing, but also physical threats. They are always introduced by videos (in which players are addressed personally) and pieces of ‘theory’. Afterwards, short feedback follows explaining why certain behavior is – or isn’t – the desired outcome.

Find out more about our Human Firewall training

The study is still ongoing, so an attitude effect measurement cannot yet be looked at, but the completed interviews are already providing valuable preliminary results and insights;

• many players indicated that the game made them more aware of the importance of handling information safely (“There were questions about opening emails that I thought – yes, I can do something with this. That made me extra aware. Of am I going to open this or not open this?”);

• as expected, the personal assistants didn’t think very differently about the subject (because it was already clear beforehand that they thought it was important), but awareness was definitely heightened (“People tend to shrug their shoulders and think: it’s always going to be okay. But it only has to go wrong once. So awareness is step one. That’s what landed with me in particular.”);

• for instance, during and after the game, players began to think more about how they handle confidential data. Not so much new topics came up for them in the game, but players realized that they can be sharper, more alert and consistent and need to take responsibility more often;

• In addition, people liked the confirmation of what they were already doing well (“It’s just good to be reminded of the facts. Most people know it. They also know it’s still relevant. You think you’re doing good – and you probably are – but it’s nice to get confirmation.”);

• specifically, players became aware of the importance of a password manager, computer screen locking and the vulnerability of an open workplace (“My friend always has a VPN on and such a password manager. I myself didn’t weigh it that heavily. They are small things, but when you don’t pay attention to this, it can go enormously wrong for an organization. As a result, I am more aware of it now. And it’s often a small effort.”);

• one player became aware through the game that it is important to report unsafe situations and discovered for the first time (!) where to do so within the organization.

Annebeth Erdbrink is currently completing her PhD research Game Design for Sustainable Societies at TU Delft.

A very extensive article about the (first) findings has been published in the Monthly Journal of Accountancy and Business Economics (in Dutch).

If you would like to know more about the role of gamification in strengthening security culture or have any questions regarding our managed security awareness training, please feel free to contact us.