What tips can you offer leaders who are looking to incorporate gamification into security awareness training? Is there a simple way to do this internally or is it typically best to seek out a third party service provider?

VP of Information Security, a year ago

We have not yet incorporated gamification into our security awareness training. Instead, we have organized cybersecurity events featuring knowledge-sharing sessions and various security game booths. However, we have found that conducting phishing exercises yields significant results. The Risk Management Department conducts phishing tests for all staff and targeted groups several times a year. Employees who fail these exercises are required to complete an online cybersecurity awareness course. We also report the results, along with our KPIs, to the Risk Committee.

Director of Supply Chain, a year ago

There are simple ways to use gamification when embarking upon organization-wide security awareness training.

Some healthy and harmless inter-organizational team-based competition is a good way to ramp up engagement that supports a communication strategy aimed at bringing focus to the issue.

A quiz-based game that tests team member knowledge is also a very light-touch way to roll out such a competition.

Applying a localised and/or industry culturally relevant theme to the branding can add some much needed flavour to a topic that some might consider quite bland. Think Moto GP, Wimbledon Championships, Tour de France with some clever word play.

CISO in Banking, a year ago

We don't currently have a gamification program in place, but I think the facility exists within one of our third party providers.

We're going to explore this further. We do already award employees with points, which they can redeem for material rewards. I think this could be easily incorporated into our organization. We might even trial it in October, which is Cyber Security Month. During that month, we send out weekly messages to all employees.

Associate Vice President, Information Technology & CISO in Education, a year ago

From my perspective, I think seeking a third party service provider is the best route. I have a tendency to outsource a lot in my business, so that might be influencing my opinion. However, if you have in-house expertise in gamification, then it would make sense to utilize that. Unfortunately, we don't have that expertise in-house, and there are plenty of companies out there that specialize in this area.

I've seen some programs that have successfully incorporated gamification, but the challenge lies in maintaining the momentum. Once a scenario is completed, what comes next? How do you progress to the next level? How do you continue to earn points? Just like any game or system, you need to keep feeding into the gamification machine. You need to reach the next level, earn that badge, and gain recognition. That's why, if you lack the necessary skill set, I would recommend going with a third party.

I believe this approach is particularly effective for technical teams. For instance, gamifying the 'red team, blue team' dynamic in a simulated environment can be a great strategy. Having your network or dev team engage with these solutions can help them identify bad code or network attacks, thereby preparing them for real-life situations.
