Turning End-User Security Into a Game You Can Win

Share with your network!

Wombat_Gamification2016.jpgGamification, as a concept, is nothing new. (Think back to some of the creative ways your parents and teachers tried to get you to do things, and you’ll know immediately what I’m talking about.) And gamification is certainly not restricted to the electronic realm (I’m looking at you, McDonald’s MONOPOLY). That said, in this day of mobile apps and Xbox One, we are most likely to equate gamification with bleeps, bloops, points, and prizes (real or virtual).

At Wombat, we naturally have a good sense of the positive effects of gamification. After all, several of our employee training modules use gaming techniques like points, lives, and scoring thresholds to teach users how to make good decisions about emails and URLs. And all of our cybersecurity education modules tap into what we feel is the most important aspect of gamification: interactivity. As we’ve noted in the past, interactivity leads to user engagement, and engagement paves the way for knowledge retention.

But beyond what we do inside our tools and platforms, we encourage our customers to think about the potential for gamification within their own security awareness training programs. The idea of “friendly competition” can ignite interest in your end users and lead to a more successful program overall.

A Suggested Gamification Plan (and a Nod to ‘Jerry Maguire’)

1. Get buy-in from stakeholders 

And we don’t just mean C-level decision-makers. Start smaller and get some advocates from elsewhere the organization and encourage them to champion the project with you. (That VP who loves to take the floor at company meetings? He’s a great start.) It’s a “help me help you” kind of thing. After all, everyone’s lunch is on the line when it comes to cybersecurity.

2. Establish the parameters of success

Keep in mind that you’ll have a lot more flexibility if you have reliable measurement tools in place. Here are a few success indicators you could use:

3. Determine your scoring formula

You'll also need to decide whether you’ll have individual winners or “group winners” (by department, office location, etc.). Here are some ideas:

  • Non-clicks on simulated phish earn users a point. Reported emails earn two points. Clicks subtract one point.
  • Users who do not click at all during a series of mock attacks are automatically in a winners’ pool.
  • Users who complete a training assignment within the first week earn 3 points. Those who complete within 30 days earn a point. Those who take longer than 30 days earn no points.

4. Select the awards

Though prizes don’t have to be monetary in nature, the phrase “show me the money” does come to mind. Consider these options:

  • Top scorers (or non-clickers) automatically win or are put in a drawing to win one of a selection of gift cards.
  • The best performing group wins a pizza party or catered lunch.
  • Top performers are recognized at a company meeting, in a monthly organizational newsletter, or some other public forum.

5. Communicate to your organization about the upcoming activities

Do your best to have them at hello. You can be as general or specific as you’d like, but it’s important to set expectations, clearly indicate benefits, and attempt to generate interest out of the gate. (Note: If you are doing simulated phishing attacks, we recommend being at least slightly vague about the start of the program and suggest communicating at least a week in advance of sending your first mock phish.)

6. Game on

After communicating, the only thing left to do is launch your program. Given that cybersecurity awareness and training is treated as a “necessary evil,” a bit of creativity and out-of-the-box thinking can make a world of difference in participation rates and, more importantly, up the attention ante. Customers who have taken a chance on gamification have seen a number of positive personnel results — including more interest in the topics and more conversations about security best practices — that have ultimately paid off in the form of fewer clicks, fewer malware infections, and less employee downtime.


From simulated attacks and knowledge assessments, to interactive training, to positive reinforcement tools, to results measurement and analysis, to award-winning customer service…we can complete your end-user security awareness and training program.