Can unmotivated employees respond to a security breach effectively? Such events are infrequent, meaning defenders rely on muscle memory when they occur. But preparing for something that may take years to arrive and days to unfold isn't easy, which is why security needs motivated humans.
Inspiring employees is crucial then, but that doesn’t mean dishing out cash bribes. Instead, organizations should look to build a cybersecurity culture from the ground up, satisfying their employees’ technical appetite with engaging learning material. Unlike dry eLearning, which harms motivation, interactive content is fun and yields consistent results.
And cyber needs people who continually develop skills – something you can encourage by gamifying learning. This increases motivation in 83% of employees, keeping them coming back for more. But how does it work?
Motivations for behavioral change
In learning and cyber workforce development terms, motivational factors play a critical role in behavioral change. BJ Fogg devised a model explaining how behavioral change and motivation are connected, which implies three things must be present for behavioral change to occur: prompt, ability, and motivation.
Without all three people either do not, cannot, or will not change their behavior. Remember the adage "you can lead a horse to water, but you can’t make it drink"? Well, it’s a bit like that. Organizations face cyber threats continually, and these threats are the "prompts" for their workforce’s behavior to change. If workforces want to evolve their behavior but lack the skills to do so, change can't occur, meaning they will be unable to mitigate the latest attacks. In this scenario, a learning need is identified.
Imagine a workforce is asked to develop cyber skills (the prompt) and assigned relevant learning content. If this is not engaging, fun, or experiential, they will not be motivated to complete it. Behavioral change will not occur (or will do so with reluctance), meaning critical learning doesn’t stick. In essence, even with a prompt and the ability to change behavior, employees won’t necessarily have the motivation required for learning.
To motivate a cyber workforce, you must first engage it.
Extrinsic and intrinsic motivations
Motivation can be split into three categories: extrinsic, intrinsic, and addiction. The first two are healthy types of motivation that an organization wants to see in its workforce.
Extrinsic motivation is an external incentive that can be negative or positive – you’re no doubt already familiar with the "carrot and stick" approach.
One example of a negative extrinsic motivating factor is the need for compliance: all employees must complete "X" training to ensure we are compliant with "Y" legislation. In this instance the extrinsic motivating factor is the legislation. Now, how motivated do you think employees would be to complete the compliance learning package?
There are examples of positive extrinsic motivational factors in many aspects of our lives: remember the pocket money you received as a child for doing chores? Think about the rewards and recognition required to motivate people. Positive extrinsic motivating factors are excellent stimuli – but only if they are not removed.
Intrinsic motivation, such as striving towards a goal for personal satisfaction or accomplishment, is a far more powerful motivating factor. In some circumstances, you may work towards a long-term goal which could be work or non-work related.
In terms of learning, there are many ways that positive extrinsic and intrinsic motivational factors work. Employees may task themselves to master a subject or attain a skill, and this happens for reasons such as recognition, progression, or promotion. Incorporating intrinsic and extrinsic motivational factors with gamified learning, as we do at Immersive Labs with points and leaderboards, develops and maintains employee motivation long term.
A gamified experience does more than just motivate someone to learn; crucially, it allows them to enjoy the process. American author Dianne Ackerman said, "play is our brain’s favorite way of learning" – this is because gamification impacts the brain positively, triggering the four major chemicals that induce happiness: dopamine, oxytocin, serotonin, and endorphins. These chemicals create desirable emotional states and get people hooked on learning. Your brain releases dopamine, for instance, whenever you are rewarded for a particular task. Gamification provides learners immediate feedback through virtual rewards when a goal is achieved, so they begin to associate learning with feeling good. This prompts them to persist with, and even seek out, learning experiences.
Applying gamification to cyber training is therefore a no-brainer, especially automated solutions that allow employees to upskill on their own terms. This enables greater training frequency and, in turn, greater skills development – the reason 77% of senior security managers say increasing gamification would help protect their organization from cyberthreats. After all, attackers never stop innovating, so why would defenders?
The mechanics of gamification
Despite its name, gamification is not strictly about games. It is the act of taking something already in existence – a website or application for instance – and increasing engagement using game mechanics, such as those laid out below (via BI Worldwide):
· Fast feedback – Immediate feedback or response to actions
· Transparency – Where everyone stands
· Goals – short- and long-term goals to achieve
· Badges – Evidence of accomplishments
· Levelling up – Status within your community
· Onboarding – An engaging and compelling way to learn
· Competition – How you’re doing compared to others
· Collaboration – Accomplish a goal working with others
· Community – A context for achievement
· Points – Tangible, measurable evidence of your accomplishments
Game mechanics compel people to act, and when that action is improving the way we learn, mechanics are a force for good. Learners who are satisfied by their education and gain a sense of accomplishment from it will perform better. So by incorporating some of these game mechanics – it needn’t be all of them – into cyber skills content, we can motivate learners to develop continually.
Gamification in cyber
Gamified cybersecurity exercises such as capture-the-flags double up as great team-building activities because of their social nature. McAfee found 96% of organizations that hold such events report tangible benefits; they can even help in the search for hidden talent, with many self-taught or uncertified participants using the exercises to prove their worth.
Here are some ways Immersive Labs is already utilizing gamification.
Learn by doing
Nothing compares to getting hands on, which is why we give our users every chance to learn by doing. This means getting to grips with the latest attacker tools, tactics, and techniques.
We know that perseverance is a key quality in cyber talent, so our platform lays down the gauntlet. Our capture-the-flag labs, for instance, allow advanced learners to find their own way to the finish line.
Curiosity and self-research
If learning wasn’t compelling, would you want to do it? At Immersive Labs we invite the user to take control of their development and get active, using everything at their disposal to complete our labs.
We instantly reward learners with points and badges for progressing through our exercises. This helps them to climb the leaderboard and earn bragging rights over their friends. It also keeps them coming back for more.
If you want a full-spectrum look at the gamified content on our platform, book a demo with one of our experts today.
1 September 2020
Immersive Labs Cyber Learning Consultant
Immersive Labs Copywriter
Latest Blog posts
Patch Newsday: 14 September 2021 – Lousy Browsers and Arsey RCEs
15 September 2021
Analyzing the CVE-2021-40444 exploit
13 September 2021
Take the power back: Tool-up against a notorious global threat group with our new FIN7 series
13 September 2021
Episode 44: Rotten Apple or Privacy Nuts?
2 September 2021
Patch Newsday 10 August: Ironic exploitation and the spectre of PrintNightmare
10 August 2021
Kaseya supply chain attack: Prepare to respond with the Cyber Crisis Simulator
27 July 2021