
Cyber protection through play


Anete Poriete at CyberSmart explores a human error epidemic and asks: Can gamification boost cyber-awareness?

 

Human error and other associated human factors are important considerations in cyber-security. The University of Stanford recently suggested that 88% of data breaches were caused by human error. Practitioners therefore need to think not only about the best technical advancements but also about how best to influence security behaviours.

 

Gamification of cyber-security

One approach being explored (primarily in academia) is to move away from mundane cyber-security training and compliance policies. Instead, practitioners need to seek opportunities to implement more creative motivational design solutions, such as gamification, that could help drive engagement in cyber-security.

 

Gamification in cyber-security can be defined as “applying game-like design artefacts and system processes to strengthen employees’ motivations to encourage learning, efficacy, and increased employee compliance with organisational security initiatives”. These artefacts could be points, scores, leaderboards, storytelling, levels or badges.

 

The majority of foundational work on security gamification has focused on cyber-security awareness programmes. However, some researchers have explored gamification in security behaviour change.

 

In 2021, Yelena Petrykina et al., MA students at Tel Aviv University, applied gamified design to specific security software downloading by showing security scores for the download options, which reduced real-time malware downloads. Zimmermann et al. (2022) explored scoring password security with a visualisation in which an avatar reaches the finish line on a perfect score, which led to more secure password creation.

 

Gamification can benefit an individual’s attempts to learn by simulating real-life experiences and increasing enjoyment by using less formal, entertaining approaches to cyber-security training.

 

Gamified cyber-security awareness can use actual gaming to deliver training, or an awareness programme built with gamification design artefacts. Both provide a safe space for training in a simulated environment, with opportunities to engage with a mix of defensive and attacking approaches.

 

More impactful still is that these games can also be personalised to the individual, which in turn helps them to be more engaging, offer better opportunities for knowledge retention and provide instant feedback without the fear of facing actual consequences for failing to engage to an adequate standard in security training.

 

Gamified awareness programmes with scores and storytelling are shown to be more likeable than traditional methods, and to lead to better training satisfaction and increased compliance, motivation and engagement in security behaviours.

 

The shortcomings

While there is clearly much excitement regarding gamification in academic circles, this remains a relatively new approach to a complex, multi-billion-dollar problem.

 

Although gamification is shown to have some positive effects, existing research falls short on how individual gamification artefacts interplay with each other. It also doesn’t show if there are any unwanted effects, and remains relatively inconsistent as to how these artefacts can be applied to specific behaviours or cyber-security threats.

 

This is a particular problem for a security solution looking for a potential go-to-market strategy: those buying, marketing and maintaining the product will need to understand how it relates to specific threats, behaviours or security vectors in order to understand where it fits within an already-convoluted industry, and within an organisation’s existing security or training stack. 

 

Similarly, there is a lack of research on design processes and artefact selection in cyber-security as well as “real-world” application, or long-term effects on behaviour change.

 

Aside from these practical considerations, the gamified approach also has various ethical considerations: Would any such tool be developed with privacy in mind? What could be the unintended consequences of providing such a tool, such as increasing the likelihood of employee distraction? Could they present or raise questions of gender/racial inclusivity, or even adverse effects on employee mental health?

 

At the most serious end, consideration needs to be given to the possibility that such an approach could be manipulated or compromised by threat actors, as we have seen with other reverse engineering techniques.

 

A step worth taking?

Gamification is a complex approach to a complex problem. On one hand, the evidence suggests it can increase user engagement and motivation in cyber-security compliance. However, such an approach cannot be oversimplified as a “silver bullet” approach to human error and security.

 

Before suggesting this as an appropriate tool in the fight against cyber-crime, it’s important to assess individual differences, context and suitability for gamification, research the most appropriate artefacts, consider unwanted effects and ethical considerations and make sure that gamified cyber-security is most beneficial to the individual.

 

Despite these hurdles to jump, gamification is effective in making more mundane security activities enjoyable, and is shown to generate positive feedback. Beyond awareness raising, gamification could aim to help solve compliance issues in organisations and offer real-time support for individuals struggling with security concepts.

 

This is a problem that is only going to get more severe as cyber-crime continues its growth trajectory, to a projected $10.5 trillion annually by 2025. If these numbers are to be believed, then it is the responsibility of security researchers, academics and professionals to engage in any potential solutions, including gamification.

 


 

Anete Poriete is Senior Cyber-psychology and UX researcher at CyberSmart.

 

Main image courtesy of iStockPhoto.com

 
