Security Awareness: Breaking Up with Gamification
Gamification, I think you’re really great. You’re funny, and people seem to really like the idea of you and me. But... I just don’t think I see us being more than friends. I’m sorry.
Like, you’re great for games on my phone - trust me, I loooove me some Angry Birds Blast and SimCity BuildIt. But the truth is that my end users just want to do their job, man. Maybe down the road, after you’ve had some time to meet other programs and develop some more engaging skills, we can try this again. But for now, I need to protect my end users.
Users are more primed and ready to learn about cybersecurity than ever before (which still isn't much...am I right?). I can’t risk messing up this opportunity. I need to engage them with unique experiences, give them really high-quality content, and violate their expectations.
I know, I know. On paper, you're amazing. Interactive! "Click to learn more"..."Play this Jeopardy-style quiz game"...the thing you don't get, Gamey, is that users don't care.
It will actually make them hate security more.
Why? We live in a world where users are used to IMAX, Pixar, Marvel, Call of Duty, Farmville, Angry Birds, etc. That's some high-quality content right there. We just have to face it and admit we will never ever be able to reproduce an experience quite like those. That's the default standard for today.
Have "the talk"
So what can we do instead? Well, let's have "the talk" with our peers.
The QR code is great on paper - but it doesn't scale or get adopted into our daily lives and habits. Neither does gamification for security awareness. Can we end this relationship before we're 10 years down the road, unhappy, confused, and hating everything?
It's okay. We'll get through it together. Pull the plug.
Even the experts agree.
There is a really great book that explores how to successfully deploy gamification in a variety of instances, and I highly encourage anyone interested in gamification in any way to read it. It's called Actionable Gamification by Yu-Kai Chou, and it's really, really great. What is interesting is that he talks about how gamification isn't a great solution for everything, and all but calls out security awareness as being a poor candidate for applying gamification.
Exceptions for every rule.
Now, I'm not saying that gamification never works at all. It does. It's great when it's been done with UX in mind and applies both relevant and engaging key features. For instance, I do think gamification is applicable to training game-minded security roles - like appsec, SDLC, developers and the like. Users/roles who are already working within a somewhat "gamey" environment, and who are motivated by elements of gamification theory, are great applications of the technique.
In my experience working across a lot of different environments...
If a vendor were to suggest to you that you should push a firmware update to your production environment without first testing it in QA - what would your reaction be?
No, spitting in their face is not appropriate, but I get the emotional connection behind that desire.
Attempting to push gamification into security awareness and onto your users is kind of like pushing an untested update to your production environment. Usually the ones affected the most are the ones it is intended to help.
We don't have a lot of opportunities to impress our users, so let's not tarnish our reputation by pushing out some mediocre, poorly executed, industry-buzzword, hyped-up diet.