What is gamified learning? Before we dive into that question, let’s discuss some of the ways we currently learn about cyber today. Traditional cyber training has been conducted in the same way for years, comprised of static, classroom-style settings complete with a teacher lecturing and passive listeners. This model causes people to forget:
- 40% of what they’ve learned after 20 minutes
- Between 50-80% of what they’ve learned after one day
- 77% of what they’ve learned after six days
- 90% of what they’ve learned after one month
In addition to forgetting material learned, there’s minimal opportunity for the student to proactively solve problems, think critically, and analyze material. Instead, they superficially understand concepts without truly learning their application to real-world situations. This leaves the trainees disengaged, disempowered, bored, and unmotivated.
We believe there’s a better way to deliver information security training—a way that engages teams in healthy competition and in critical thinking and problem-solving activity. Through active learning, studies show learners are more engaged, empowered, excited, and possess deep, conceptual understandings of topics learned. Active learning involves collaborating with teams and applying concepts to real-world exercises and scenarios, which improves retention rates to 75%, compared to 5% through traditional learning methods.
So why is active learning so important for cybersecurity professionals?
Because the undeniable jobs shortage affecting the industry is prompting CISOs to take a closer look at ways in which they can close the skills gap. The first step involves leveling up existing cyber teams by equipping them with the tools and skills they need to do their jobs better. Without proper cyber training and skills development, professionals can’t keep pace with evolving cyber threats, causing teams, organizations, and companies to succumb to hacker attacks.
How significant is this issue? According to a recent ESG/ISSA study, 70% of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage, with ramifications such as an increasing staff workload, hiring and training junior personnel rather than experienced professionals, and situations where teams spend most of their time dealing with the emergency du jour, leaving little time for training, planning, strategy, etc.
So what can we do about this?
Consider gamified cyber training
Not only is hands-on, active learning important but we believe that gamification is the natural, logical step in training the next gen learner (born after 1980), who has never known a world without video games. Gamification is often defined as the process of adding games or game-like elements to something. The term was originally coined in 2002 by a British computer programmer named Nick Pelling. When we think about the benefits of gamification of cybersecurity training, it is a learning style best suited for today’s learner who grew up playing video games and being motivated by elements like leaderboards, competition, collaboration, and social proof/progression.
Even academic institutions across cyber schools are exploring cybersecurity games for students to complement their classroom learning. Some institutions like CU Boulder have even crafted an entire class around gamified cyber training using Project Ares in their syllabus.
Unlike compliance-driven teaching methods, gamified teaching engages practitioners individually and in teams, through modern learning strategies. It works by deploying connected, interactive, social settings that allow learners to excel in competitive, strategic situations. Further, it enables learners to apply what they know to simulated environments or “worlds,” creating a natural flow that keeps learners engaged and focused. Organizations that offer gamified exercises to teams report that 96% of workers see benefits including increased awareness of weaknesses, knowledge of how breaches occur, improved teamwork and response times, and enhanced self-efficacy.
In gamified environments, trainees are typically:
- rewarded for good behavior
- incentivized to maintain good behavior
- encouraged to dialogue about their lessons learned with peers
- reminded of what they don’t yet know and held accountable
- engaged in their progress thanks to leaderboards
- prepared to participate in simulated threat situations that further prepare them when real-world situations occur
Active, gamified cyber training is only effective if employees apply their skills learned and acquired to real-world scenarios. For this reason, cybersecurity leaders are encouraged to measure the effectiveness of training efforts through regular audits and assessments to determine which employees may still pose a risk to the overall security posture of the organization.
“Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organisations do not increase complexity in the already high-stakes game against cyber crime,” Grant Bourzikas, chief information security officer at McAfee. (ComputerWeekly)
Great, there are clear benefits. Now what?
Now it’s time to reflect on how your organization can benefit from gamification in cybersecurity training. First, look at what training (if any) is currently occurring. Then, speak with teams about where they’d like to improve and draw clear parallels between the investment in training and desired business outcomes. And of course, when you’re ready to learn more, contact us to see how gamified training actually works through our Project Ares® platform.