Community News Security

Is gamification the answer to all our problems? – Games and security awareness

Whether you play chess, Taboo or Tomb Raider, games are entertaining and hold the attention. For a moment in time, the world of the game becomes reality, and its rules become the law.

By Katja Dörlemann, security awareness specialist at SWITCH

A game has everything that it takes to convey educational content. Playing is fun and it increases participants’ willingness to engage with the topic being taught (awareness). To play a game, you have to learn the rules and the objective of the game (training) in order to apply them directly (practice). ‘Gamification’ is the buzzword on everyone’s lips right now – an exciting concept, but one that is often misunderstood.

‘Gamification is bulls*it’

Learning through play and effortlessly acquiring knowledge sounds very enticing. Gamification promises to solve all manner of problems. Often, this means adding game elements – (virtual) badges, scoreboards, quizzes and the like – to existing training measures, such as e-learning courses or face-to-face events. In return, employees are expected to be enthusiastically engaged and to maintain their interest long-term. In reality, however, attention and engagement often wane swiftly after a brief initial peak. The points become uninteresting, the badges old hat and the scoreboard unexciting.

Gamification has long been a thorn in the side of games experts. In 2011, the US game developer Dr Ian Bogost declared in that ‘gamification is bullshit’, accusing marketing consultants of exploiting the appeal of games to their own ends.

What makes a game a game are the complex operational elements that can evoke interest, fascination and a range of other emotions – the world of the game, its rules and its characters, which for a time become reality. With gamification, however, simple functions such as the awarding of points and badges, division into levels or scoreboards are elevated to the fundamental elements of the game, because these are much easier to apply to existing corporate structures.

Gamification lite – learning content with game-like elements

An e-learning course with a points system is not a game. It remains an e-learning course with a game-style element. What can be expected is increased employee interest in the short term, and in some cases an uptick in participation. Depending on how such a point or reward system is set up, built and maintained, there are certainly opportunities to ‘entertain’ employees over the long haul. If you include a team challenge, offer the prospect of a prize or provide an opportunity for self-expression on a social intranet, you expand the playful elements and increase the chances of attracting greater attention. However, it would be a mistake to expect employees to feel directly involved or for knowledge to be imparted in a way that will endure.

Game-like elements support the teaching of learning content, but their impact falls short of what a game can potentially achieve.

Gamification pro – games incorporating learning content

Games are a tough sell in the organisational context, because they do not fit easily into business management structures. A game is rarely scalable, is not necessarily cheap and does not conform to established notions of work. Management is often skeptical when employees are asked to play. Nevertheless, play does have the potential to convey messages in a way that sticks in the mind and to positively influence employees’ perception of an issue.

Developing a good game is hard. Developing a good game that teaches its players something specific is even harder. It is best to bring in professionals who can use their experience to respond to individual requirements. At the same time, it is always wise not to reinvent the wheel. Choose a tried-and-trusted game (Taboo, escape room, scavenger hunt, etc.) and adapt it to your theme. Furthermore, it is advisable to clearly distinguish between the learning objective and the game objective. The learning objective is the knowledge or behaviour that is to be taught. The game’s objective is the state that must be achieved in order to win. For instance, a toddler’s shape sorter toy has the game objective of finding the right geometrically shaped block to fit each hole, and the learning objective of promoting motor skills. The game objective in an e-learning course with a point system is mundane and therefore dull: you win simply by completing the course material. The content is irrelevant for the game objective, and key elements of play, such as trying things out, solving puzzles or applying creativity, do not take place.

An example: Hack The Hacker – the escape room

In August 2018, we launched ‘Hack The Hacker – the escape room’ at SWITCH. This is a physical escape room with a security awareness theme. The participants work their way through three stations. An introduction provides basic security knowledge, which must then be applied practically during the game. Finally, a debrief session makes the connection back to the topics discussed at the beginning.

We defined the following learning objective for ‘Hack The Hacker’: the players understand and use password managers and can better assess the risks posed by cybercrime. Meanwhile, the objective of the game is to crack a code and hack the hacker. Through the escape room concept, we have created a playful learning experience that lets participants try things out, solve puzzles and get creative.

To date, around 500 people have successfully managed to hack the hacker. Feedback, both from participants and information security officers, is consistently positive. Interest in password managers is growing, as is the buzz around information security.

However, as you can well imagine, a gamified security awareness experience like this is not cheap, and is very resource-intensive. It took several months to develop and required some testing. Two game leaders and two hours of time are required per event, and the number of participants is limited to six due to the size of the escape room and the structure of the puzzles.

Not every organisation is willing or able to make such an investment.

Conclusion: Engagement or scale?

So, is gamification the answer to all our problems? No, at least not to all of them. It is actually quite simple: a game is a game. An online course, an intranet presence or a face-to-face event are not a game – even if you hand out badges. If you want to use gamification for your teaching, you have to be clear about your expectations. Am I going to remain within the bounds of traditional business training? Then I will probably choose to build game-like elements onto existing education measures. I can expect increased interest from staff and good scalability, but no improvement in lasting knowledge transfer. Am I going to choose a game concept as the basis for a novel learning approach? Then I can expect a project that is resource-intensive, but can deliver an enduring effect. If employee engagement and enthusiasm are the goal, then time and money must be invested.

In short, badges and points are not a substitute for immersion in a game world, but they can provide incentives and support the success of existing measures.


Author

Katja Dörlemann

Katja Dörlemann

Katja Dörlemann is a security awareness specialist at SWITCH. She supports internet users to be security-aware online and to make informed decisions about how to handle their own data. As part of the CERT, she supports the Swiss education, research and innovation community in dealing with the human factor in information security.

Katja has been gaining experience in the field of security awareness for 10 years and holds a PhD in General and Comparative Literature from the University of Zurich.