How To Gamify Cyber Security Training In 3 Steps

Traditional cyber security training which relies solely on presentations, or videos, is outdated. By using gamified phishing training, you'll significantly improve engagement and knowledge retention.

A graphic saying protect your executives against phishing.
Profile photo of Sebastian Salla
Sebastian Salla August 12, 2023 (Last Updated: August 22, 2023)

Gamification is the process by which we empower learners to educate themselves. In cyber security, gamification is typically done by simulating phishing attacks, assigning short bite-sized training, and using friendly competition between colleagues. In this article, we'll outline how any organization can implement these techniques to provide a fully gamified learning experience.

What You'll Learn In This Article.

  • How to train employees to spot phishing attacks by using simulated phishing exercises.
  • How to use micro-training modules to provide learners with a memorable learning experience.
  • How to use learner badges to initiate friendly competition between colleagues.
  • How to combine phishing, training, and friendly competition to gamify cyber security training.

How Do You Gamify Cyber Security Training?

Let's get straight to it and show how you can use a simple three-step process to engage learners and gamify cyber security training.

Step 1. Simulate Real-World Cyber Security Threats.

When it comes to cyber security, seeing is believing. This statement particularly holds true when it comes to educating employees. For example, if we want to teach employees how to spot phishing emails, we're best off sending them simulated phishing that is as close to the real thing as possible. This allows employees to hone their skills and learn from their mistakes.

Phishing is tricky, and learning how to spot phishing can be even trickier. It often comes down to a gut feeling. Still, employees can use specific techniques to detect whether an email is likely to be phishing before they perform an action, such as clicking a link, downloading an attachment, or responding to an email.

These techniques include inspecting the domain used to send the email or hovering over URLs to see the intended destination. Employees should also always question whether they were expecting the email, if they recognise the sender, if they're being asked to bypass a standard procedure, if the email contains typos or grammatical issues, and finally what action is being asked of them.

An image describing a simulated phishing email.

The best thing about simulated phishing is that it's an active learning process where learners can hone their skills in a safe environment with minimal time investment.

Step 2. Assign Relevant, Engaging, And Bite-Sized Training.

Naturally, simulated phishing on its own won't always provide the best experience for learners. If we don't provide feedback on what could've been done to spot the phish, we're setting learners up for failure.

This is where the second part of gamified phishing training comes in by assigning relevant, engaging, and bite-sized training. This training should relate to a topic that the learner needs to know and will directly benefit them.

Because these learnings take time out of the day, we want to ensure they're clear, concise, and to the point. The training should be designed to be completed in 10 minutes or less. Anything longer, and the learner will shut down, with knowledge retention going downhill with each minute that passes.

An image depicting micro-learning training modules.

It's also essential to switch the training material up. Don't just follow a single pattern, where there's a series of statements followed by a series of questions.

Use a mixture of videos, statements, and images, ensuring questions are spliced between each of these. This forces learners to engage with the educational material and ensures they retain as much knowledge as possible.

Step 3. Add An Element Of Friendly Competition Between Learners.

One of the most essential pieces to gamification is competition. Healthy competition can help to motivate even the most stubborn of learners, and this should be factored into gamified cyber security training programs.

This typically involves a leaderboard where learners are tracked based on positive measures, such as completing training on time on their first attempt, dodging phishing attacks, and much more.

Reward programs can then be established for those with the highest scores while reinforcing those with lower scores to perform positive behaviors in the future.

It's important to refrain from implementing any lasting penalizations, and just because someone has scored lower historically doesn't mean they should be disadvantaged in the future.

How Does CanIPhish Gamify Cyber Security Training?

CanIPhish has developed its entire platform around providing a genuinely unique and gamified phishing training experience. To provide this, we incorporate many of the techniques discussed above.

We Simulate Phishing.

We provide a completely managed phishing simulation platform. We host the phishing email servers and websites and provide all the management capabilities around delivering simulated phishing campaigns, tracking statistics, and providing executive reporting.

Every phishing email leads to some form of secondary payload (e.g., a phishing website, attachment, or simply enticing a response), so we can provide learners with the real-world experience of how an attacker may compromise their computer, harvest their credentials, or perform a business email compromise attack.

We Assign Training To Those Most In Need.

We integrate security awareness training with simulated phishing. When a learner falls for a phishing attack, we automatically assign relevant training to help the employee better spot phishing in the future.

Suppose an employee is particularly prone to phishing. In that case, we increase their business risk score, which is then used to dictate the frequency with which they receive future simulated phishing emails and training assignments.

An image depicting the employee risk scoring process.

We Reward Good Behavior Through A Points-Based Badge System.

When positive or even negative actions are observed, we assign badges that carry points. These badges are assigned based on up to 20 different observed behaviors across both phishing and training assignments. The library of badges have been included below for reference.

Unphishable Learner Badge
50 Points
Never clicked on a phishing email
Swimming with sharks Learner Badge
50 Points
Swimming with sharks
Successfully dodged 10 phishing attacks in a row
Anchor duty Learner Badge
50 Points
Anchor duty
Completed all training modules within 1 day of receiving them
Spam samurai Learner Badge
50 Points
Spam samurai
Successfully reported 5 simulated phishing emails
PhD in Phishology Learner Badge
25 Points
PhD in Phishology
Completed all training modules on the first attempt
Swimming with jellyfish Learner Badge
20 Points
Swimming with jellyfish
Successfully dodged 5 phishing attacks in a row
Phish whisperer Learner Badge
20 Points
Phish whisperer
Successfully reported 2 simulated phishing emails
Marathon swimmer Learner Badge
15 Points
Marathon swimmer
Completed all training modules before the due date
Swimming with dolphins Learner Badge
10 Points
Swimming with dolphins
Successfully dodged 2 phishing attacks in a row
Sonar detector Learner Badge
10 Points
Sonar detector
Completed a training module within 1 day of receiving it
Phish finder Learner Badge
10 Points
Phish finder
Successfully reported a simulated phishing email
Clickbait Learner Badge
10 Points
Clicked on an email but reported it to IT
Swimming with floaties Learner Badge
5 Points
Swimming with floaties
Successfully dodged the latest phishing attack
School of phish Learner Badge
5 Points
School of phish
Failed a training module but then passed with 100%
Phish bait Learner Badge
-5 Points
Phish bait
Fell for two phishing attacks in a row
Overboard! Learner Badge
-5 Points
2 assigned trainings are overdue
Phish food Learner Badge
-10 Points
Phish food
Fell for five phishing attacks in a row
Lost at sea Learner Badge
-10 Points
Lost at sea
3 assigned trainings are overdue
Phish fingers Learner Badge
-25 Points
Phish fingers
Fell for ten phishing attacks in a row
Shipwrecked Learner Badge
-25 Points
5 assigned trainings are overdue

We Track Learners On An Organizational Leaderboard.

To incentivize employees, adding an element of competition is a must. As humans, we're incredibly competitive by nature, and by tracking employees on a leaderboard, we can reward those who consistently demonstrate good behaviors.

An image depicting the CanIPhish badge leaderboard.

Wondering How You Can Get Started?

Simply sign-up for a free account, onboard your employees, and schedule a recurring simulated phishing and security awareness training campaign. From here, the platform will automatically deliver phishing and assign training to those who are compromised. More frequent phishing and training can then be assigned based on the risk profile associated with employees.

Gamification is built-in and requires no additional configuration. You just need to monitor the leaderboard and periodically reward your highest-scoring learners! By following the outlined gamification process, you'll see higher levels of engagement, knowledge retention, and satisfaction with security awareness training in your organization!