The accelerated digital transformation trend has increased the demand for cybersecurity professionals to mitigate the associated risk and keep systems protected. In fact, the 2021 (ISC)2 Cybersecurity Workforce Study indicated a persistent shortage even after the addition of 700,000 professionals into this space, with 2.72 million openings still unfilled by October.
So as more people seek various levels of cybersecurity education, there’s a growing need to provide training that sticks, since the stakes are high. One emerging approach is the use of gamification, so let’s discuss its effectiveness in cybersecurity training and how to use it:
How does gamification work?
Gamification is all about turning an exercise into a game or incorporating small games at different stages of the exercise. This usually takes the form of a competition where an individual can establish a score, solve a puzzle or discover a hidden element. They may also compete with a group for an ultimate prize. By infusing cybersecurity objectives into a game, students can be more engaged in learning while absorbing information passively.
The prize also gives the student more incentive to get things right, so with sharper focus during the active efforts, they are more likely to retain the knowledge applied. Gamification also encourages the idea of immersing students in real-life situations to build their composure for instances when they’ll have to apply security measures and respond to attacks.
What complicates gamification of cybersecurity training?
Unfortunately, some games are too advanced for students with preliminary knowledge, so they can’t get far into these games without having to first take separate studies.
Whether it’s Defend the Crown, Hotel Hijinks, Network Collapse, Capture the Flag, or some other game, there are always limitations aside from the difficulty level. On that note, here are some essential tips to follow when creating and using games in cybersecurity training:
Select a format
Remember that there are very few new ideas; sometimes, copying well can work better than having an original but lousy idea. Start by checking other games and identify the elements you like, especially those that are similar concept-wise. The format you chose can also be guided by the volume and complexity of the lesson you’re trying to convey. For a procedure with a few simple steps, you can go for something that resembles a basic sliding tile puzzle.
However, if you want to teach students how to respond to an intricate network attack involving numerous assets or a high level of concealment, you definitely need something more captivating. You’ll also need to be able to create an atmosphere of urgency, so you may need a visual story game. Ensure that the objective is clear and that any relevant information regarding the relationship between sub-missions is available.
Establish your target audience
While the knowledge level is integral to picking a target audience, this step is about more than that. You may start with ordinary User Access Control and gradually flesh out the game with more components regarding high-level encryption, authentication and other related topics.
However, you also have to think about categories. Cybersecurity for IoT isn’t exactly the same for smart contracts and blockchain assets. Every industry is unique, so you need to ascertain how specific your game will be or whether it’ll address more universal topics.
Another consideration here is age and educational setting. Are you making a game for university students studying something related, or are you making it for a more random group, like workers trying to reskill? Is your game the kind that requires a more organized environment with an observer and additional hardware, or can it be played from anywhere?
Once you understand who you’re making the game for, you’re more likely to ensure that it gets to them, hooks them, and teaches them in a manner that speaks to their abilities.
Make the game adaptable
Cybersecurity needs are constantly evolving. People find new ways to set up their systems and accommodate their organization’s workflows. As a result, new loopholes arise, and attackers have more ways to compromise systems. Therefore, cybersecurity training must be continuous if experts are to keep up with all the new tricks malicious actors use.
Subsequently, you should reflect this in your game by making it adaptable. For example, HTTP was once the standard, but now HTTPS is the norm. So in the same spirit, you should be able to add or remove certain aspects of the game, whether before or after it’s released. Additionally, adaptability isn’t only about what new cybersecurity technology is out there.
It’s also about tackling misconceptions about how people learn. Some challenges need to be timed. Some should be accompanied by extra instructions while others don’t need them.
In essence, it’s possible to be wrong about what gets people’s attention and keeps them participating. For instance, if there are several goals to achieve within the game but only one reward at the very end, some people may find that less exciting than when there’s a series of prizes. Adaptability also extends to the issue of accessibility. You may need to apply color-coding, audio notifications, simplified labels, symbols, fonts and other features in your game.
Why? Because it should cater to people with dyslexia, ADD/ADHD, photosensitive epilepsy, partial blindness, or other defects or disabilities that complicate learning through gamification.
While gamification is an excellent way to perform cybersecurity training, it has to be extensively examined in context. For example, a game may teach someone how to perform an action, but it can’t simulate every possible scenario in an organization.
People share passwords, bring their own devices to work, log into workplace systems from unsecured public networks, and act recklessly in many ways. It’s crucial to identify the remaining gap that a cybersecurity game may not cover and supplement training with other exercises. However, you should keep enhancing the game to address such eventualities.
Gerald Ainomugisha is a freelance Content Solutions Provider (CSP) offering both content and copy writing services for businesses of all kinds, especially in the niches of management, marketing and technology.