The past year has not been kind to organisations in terms of data breaches. For FX-MM, John Findlay, co-founder of Launchfire, provides his answer to reducing the role human error has to play in such breaches.
As Verizon put it, “if you haven’t suffered a data breach you’ve either been incredibly well prepared, or very, very lucky.”
There’s no doubt technology plays a huge role in protecting organisations’ information. But unfortunately, sometimes the error does exist between the keyboard and chair.
Verizon’s report showed that 1 in 14 people are still falling for phishing scams — and 25% are duped more than once.
In fact, human error caused a whopping 28% of data breaches last year, according to the Ponemon Institute.
IT can only do so much. Organisations have to train staff to recognise security threats and prevent incidents in the first place.
However, that’s easier said than done.
The Challenges with Cybersecurity Training
One significant challenge training departments face is raising awareness. Many employees see cybersecurity as IT’s job. They don’t understand the relevance of security protocols to their day-to-day activities.
Compounding that problem is the fact that cybersecurity content is boring. Learning how to securely store, manage, and share information is pretty dry stuff.
Because training is often as boring as the content, employees tend to tune out. They don’t pay attention, and they definitely don’t retain the information — let alone apply it in their daily routine.
To be effective, training has to overcome employees’ apathy towards cybersecurity. It has to hook their attention with engaging content and show them the relevance to their jobs.
One way to accomplish this is game-based learning.
Making Cybersecurity Engaging with Game-Based Training
Just because a topic is serious doesn’t mean the training needs to be. In fact, the drier the subject, the more important it is to inject some fun into your training.
We’ve found that, on average, 77% of employees find game-based training to be more effective than traditional training methods.
That’s because game-based training makes learning enjoyable. It appeals to our innate desires to collect, improve, and compete.
As a result, employees stay actively engaged with training concepts for much longer. They don’t tune out because they’re invested in the game; they want to learn more, improve their scores, and win.
All that engagement means employees learn — and retain — more of the key training concepts.
Conveying Relevance with Role-Play Scenarios
Beyond making training engaging, game-based learning can convey the importance of cybersecurity policies.
One way game-based training does this is through role-play scenarios, like the following:
It’s near the end of the day, and you’re coming down with a nasty flu. You should really head home, but you’re working on a classified document that’s already a week late. Your boss is under a lot of pressure to have the document ready by 9am.
A. Send the file to your government-issued iPhone and work on it at home.
B. Email your boss and tell her she has to find someone to cover for you or it’s going to be another day late.
This kind of scenario is effective because it puts policies into context for employees, without risking real data. Employees can decide what to do and get immediate feedback on their decision.
For example, if the employee selected answer A in the above scenario, they’d see a feedback loop like this:
You’re in quite a bit of trouble. A politically motivated hacker managed to get access to your iPhone. They found the classified document which you sent to yourself to work on at home, and posted it on their blog in all its embarrassing detail.
Feedback loops like the one above help illustrate both the personal and organisation-wide consequences of not following cybersecurity protocol. This makes training relevant for employees — showing them why security protocols are important, and their role in upholding them.
The Bottom Line
While it’s impossible to completely eliminate security incidents, there’s a lot organisations can do to mitigate their risk — starting with better employee training.
To protect their data, organisations need to use innovative tactics like game-based training to reach, engage, and educate the people they employ.
Cybersecurity is no game. But training people about it should be.