Part 2: How to Use Fun and Games to Make Your Security Awareness Program a Success

5 Creative Ideas to Gamify Your Awareness Training

In part one of our blog on security awareness training, we revealed that most internal training programs that rely on passive listening/lectures and reading PowerPoint slides do little to engage employees and promote behavioral change. With the addition of humor and games—aka fun—security awareness training can be quickly transformed into a successful program that resonates with employees and gets them to change their behavior in a positive direction.

Why does “fun” work? Cognitive research shows that retention of knowledge increases with the level of effort students put into learning it. In other words, the more they work at it, the more they learn and retain. Fun, engaging activities that require participants to think and work to complete them are far more effective than standard training media. Privacy and security training games can encourage participants to become stronger critical thinkers and to make more strategic decisions about their actions.

Research Shows that Fun Increases Engagement

There are a lot of creative things you can incorporate into your training for little or no money. The trick is to look for ways to incorporate fun elements that will be relevant and meaningful to your audience. They may allow you to reach an audience that has been resistant to your past messages, e.g., the Accounting department finally remembers not to post their passwords on sticky notes under their keyboards, or the Marketing team learns to think before they click on phishing emails.

Here are five fun ideas to consider:

  1. Leader Board – Create a leader board to track which employees are the most “aware.” Create point values for awareness activities, quizzes and/or how many months employees have gone without falling victim to phishing assessments. Use the Leader Board to show overall scores for top employees. If employee privacy is a concern, give your employees the option to opt out of having their score published on the Leader Board.
  2. Traveling Trophy – Reward departments for their security awareness vigilance by awarding a traveling trophy to the team who most consistently reports phishing, security violations, unprotected documents, etc.
  3. Games/Challenges – Create security awareness challenges between participants or even departments. Games engage problem solving and critical thinking skills in ways not possible through traditional learning formats, such as PowerPoint presentations, lectures, and standard multiple-choice quizzes. The objective is NOT to create games for security awareness training, but to make security awareness training (and changing behaviors) a fun game! Here are a few ideas:
    • Scavenger Hunt: Everyone loves a good treasure hunt. Teams locate required items that help reinforce security best practices such as good password hygiene, clean desk policy, or good physical security practices. Departments can also be tasked to find as many sensitive documents or unlocked computers as possible in another department’s workspace. The department with the least amount of unprotected information wins.
    • DIY Escape Room: Create scenarios from scratch or search online for ideas. Develop puzzles that reinforce good security practices or illustrate how bad practices can be exploited.
    • Catch a Phish Game: Use simple props like a kids’ fishing pole and magnetic fish in an inflatable wading pool. Dressing the part can add to the fun. A stripped-down version uses sets of laminated emails from which the player selects one. After an employee decides whether the example is a phish or real, they flip it over for the correct answer and explanation.
    • Quiz Night: Organize fun, competitive, informal quiz sessions pitting different departments against one another (think Family Feud). Offer a reward to the team that gets the most answers right. You could also have an individual reward for outstanding personal performance.
  4. Badges – Have achievement badges for different courses or training levels that employees complete. They can display them on their office doors or cubicle walls or create an Honor Wall to display everyone’s badges.
  5. Currency/Points Systems – Introduce a reward system where employees can earn points or currency for completing training, reading articles, answering security awareness questions, reporting security violations, helping others secure themselves, etc. Allow them to apply the points/currency toward company swag, team lunch, or in-office perks.

Fun Should Be an Alternative, Not an Add-On

Lack of time and/or money to revise training can be a frequent pushback from leadership. While many of the ideas presented above have little to no cost to create, time is required to develop them. However, implementing them should be considered a replacement for some of the current training and other knowledge/information practices, not an additional component.

Take a moment to consider whether all training activities, in their current format, are required. If not, try offering fun activities as an alternative, such as allowing a team to complete a digital scavenger hunt for examples of security best practices in their work area (directly relevant to them and their work) instead of watching a PowerPoint presentation on the same information. In one activity that has no financial impact, you have reinforced your top security best practices, offered a free team building exercise, and fostered a stronger security awareness culture through friendly competition.
