Use gamification to boost cybersecurity
Immersive game worlds like escape rooms and haunted houses are a great training tool
By Tanja Schaetz-Kruft, Security Communications and Gamification Chief Expert at SAP
It’s just a fact of life: Whether on the job or at home, people will do almost anything to avoid boring content. That’s a problem for learning organizations, which are tasked with training employees on topics that are critical but not natively interesting to most.
Take cybersecurity, for instance. It’s hard to imagine anything more essential to operations. No business wants to end up in a headline after the latest security breach. But most people find cybersecurity rules and responsibilities pretty dry and unappealing. So a few years ago, we started to complement our e-learning program with gamification to increase cybersecurity awareness among our employees.
How we turned a “must do” into a “wanna do”
My colleague Gilles Montagnon and I recently wrote for SAP Insights about how companies can take advantage of the powerful combination of microlearning and gamification.
The roots of using gamification at SAP go back several years.
Gilles, who is global head of application security engagement and enablement at SAP, helped use an online version of Capture the Flag to engage a very targeted group – software developers – and raise their awareness of product security best practices. The results were impressive from the beginning. Our developer community embraced the games in high numbers.
Then, in 2018, our security organization began using an escape game to teach cybersecurity to a much broader group – our whole SAP employee base. In the game, the players are captured by a crazy doctor and locked in the Horror Hospital. To survive, they have to solve nine security challenges in four rooms. For each correct answer, they collect one letter toward spelling a password to get out.
But each time they give a wrong answer, they lose a part of their (virtual) bodies!
You can see a couple of the Horror Hospital rooms in these screenshots:
It was early days for gamification of business content, but we quickly discovered that employees liked having a fun little break from their workday. People perceive games as fun, not as training, so they’re more willing to participate.
For the next few years, we developed more sophisticated game worlds to give a more immersive experience for learners. Last year, we launched a game that features 11 rooms and 28 challenges in which people hunt Dracula, as well as a few virtual multiplayer games to teach specific things such as how to deal with ransomware.
It’s not just participation that matters. It’s been estimated that teaching through the use of game-like elements improves retention rates to 75%, compared to 5% through traditional learning methods. The concept is simple. People assimilate information faster and retain it longer when they learn by having fun.
Playing games and competing are part of human nature, common to all human cultures. Gamification motivates learners. When they play, they get immediate feedback. It’s less discouraging for learners to realize their mistakes right away as opposed to later. Learners also need to see how they’re doing on their overall journeys, so our online games make it easy to see progression. In a real classroom, you might get a sticker or a lollipop for finishing the training module, so we use things like that, too.
Catering to different personalities and motivations
People are motivated by different things in a game world. Toward that end, we worked with some established user personas, called Bartle’s player types, for gamification.
- There are “killers,” highly competitive players who get a thrill from earning points and winning status.
- There are “achievers,” who like to collect badges and rewards.
- Then there are “explorers,” who want to discover secrets, reveal hidden challenges, and uncover cool things like ‘Easter eggs’ – apple-eating koala bears was one we used recently.
- Finally, there are the “socializers,” people who love to interact with others. Richard Bartle’s research suggests that this is a primary motivation for about 80% of gamers.
If you hit the right mix of game elements that resonate with these different types of users, the payoff is high engagement rates. For example, more than 7,000 people played the Horror Hospital escape game, solving 56,000 challenges in two weeks. We were very happy with that. For a voluntary game, this is an excellent number.
Another proof point: We offered people a gamified version of our cybersecurity e-learning with similar content. The participants’ feedback showed that they learned more from the game than from the traditional training format. Just about everyone wants to disconnect from their daily work and environment at times.
This brings up another important lesson: Traditional e-learning and game-based learning complement each other perfectly.
The reason is that if we learn something new but then make no attempt to relearn that information, we remember less and less of it. The biggest drop in retention happens very soon after learning. This means that you should not only offer one main training for your employees but also further assets, such as games that repeat parts of what participants learned in the training.
And that’s what we do with our games.
Sometimes we talk to learning development professionals at other companies, and they tell us their management does not understand the value of using gamified training – that people will have so much fun they won’t do their jobs. With four years working on this, we have put those concerns to bed. We understand the value proposition of gamification. We’ve seen our gamified cybersecurity environment pay off in increased engagement and retention.
We get a lot of positive feedback from our learners. I especially like this one: “Great idea to use gamification to turn a boring topic into a breathtaking challenge. Well done, guys!”
– As told to Lauren Gibbons Paul
The original version of this column was published on SAP Insights and can be seen here.