How is gamification shaping cyber security?

Gamification, the process of applying gaming elements to other activities, is rapidly becoming a tool to assist cyber security.

There are four main principles of gamification:

• Create a goal
• Create the rules for attaining that goal
• Set up feedback systems
• Make playing the game voluntary

Sports such as football and golf are based on these principles. Online role-playing games such as Warcraft also have goals, rules, feedback systems and voluntary participation. The rewards of winning games motivate players to increase their skill levels and participation.

Gamification is designed to make modifying human behaviour fun.

Gamification to improve security awareness

Many security incidents are the result of human error. Employees opening email attachments that release malware, clicking on malicious website links, or attaching virus-infected USB memory sticks to a company computer are examples of security lapses by workers that should not happen.

Most companies have rules and policies about how employees can avoid security errors, but simply providing these does not necessarily result in changed behaviour.

Game of Threats is a video game played on tablets that simulates the speed and complexity of a cyber breach. Players form two teams, one playing the attacker and the other the defender, and need to make quick decisions based on little information. Good decisions are rewarded and bad ones penalised. The game is designed to put players under pressure and make them respond to the actions of the opposing team.

Game of Threats raises awareness about cyber security by giving an insight into how cyber attacks occur and how they can be prevented. After a game, players are encouraged to discuss cyber security issues.

By raising cyber security awareness, Game of Threats hopes to change workers’ attitudes to cyber security and influence their behaviour. Such methods have been known to have an effect; it was found that after employees had taken part in a cyber security game, they were 50% less likely to click on a malicious link and 82% more likely to report phishing emails.

Gamification that rewards good behaviour

Many corporate policies are driven by punishment, in that breaking rules comes with repercussions. Gamification reverses this by focusing on rewarding good behaviour rather than punishing bad behaviour.

Gaming mechanics can be introduced in the workplace to reward good security behaviour. Digital Guardian, the cyber security organisation, has created the Data Defender game. Instead of punishing workers for bad security practices, the Data Defender game rewards workers for conforming to security practices.

Workers are awarded points and badges for reaching specific targets. For example, a badge is awarded for sending 1,000 safe emails.

Prizes are awarded for a certain number of points, and employees compete to earn the most points.

Other rewards are doled out for reporting suspicious emails, spotting unauthorised USB memory sticks, creating secure passwords, and safeguarding laptops away from the company premises.

Gamification and recruitment

There is a worldwide shortage of people able to carry out IT security jobs, so businesses are looking at novel ways to recruit extra staff.

The Cyber Security Challenge UK is a game in which players have to combat simulated cyber threats, but players do not necessarily need cyber security experience to compete. To do well in the game requires technical, communication and teamwork skills. The winners of the game are awarded prizes, but most importantly they are given jobs in large firms and government agencies. Past winners have started cyber security careers at GCHQ.

Baroness Pauline Neville-Jones of the Cyber Security Challenge said:

“Cyber Security Challenge UK offers an innovative and exciting way of attracting talented individuals to take up rewarding careers in this field.”

Bug tracing

Many data breaches are caused by software bugs. Despite extensive in-house testing, bugs may still remain. Major companies such as Google, Microsoft and Facebook have launched bug bounty programs where people outside of the companies are rewarded for finding and reporting bugs.

Bug bounty programs are not games as such, but appeal to gamers, as they are competitive and reward innovative behaviour.

Bug bounties can also pay well. Taxi booking firm Uber pays rewards of up to $10,000 to people who find critical bugs, and has a rewards program for people who find more than four bugs in a short time. Like the best online games, the reward program keeps people engaged with the Uber bug-hunting program.

Introducing gamification into the workplace

When faced with a proposal to introduce security gamification into a workplace, many managers are suspicious. The word ‘game’, to some, implies not being serious. If the proposal is presented as ‘active feedback’, it is more likely to be well received.

Employees who are suspicious of gamification will be reassured when told that joining the game is voluntary. Once the game is underway, and participants are seen to be having fun competing for rewards, then the staff who have not joined will probably be motivated to join.

Some companies find that competition for points is sufficient, but others like to reward achievements with small prizes.

Although the main principle of gamification is rewarding good practices rather than punishing bad ones, there can also be rewards for employees who recognise that they have made a mistake and report it, rather than trying to cover it up through fear of punishment.

Gamification is in its early stages, so games need to be monitored for their effectiveness and modified where necessary.

Not everyone supports cyber security gamification

It should be noted that not all companies are convinced that gamification is the best way to change security-related behaviour. In the United States, credit card giant Visa has hired cognitive psychologists to research other methods of changing behaviour.

Some cyber security experts, such as Jonathan Feigle of Hyatt Hotels, support using elements of gamification, but do not add levels and points.


What gamification is trying to address is that most of the problems of security awareness are not technology issues, but human behaviour ones.

Gamification attempts to change human behaviour regarding security awareness, but is not the only way to achieve behaviour change.

Gamification will not be effective against expert and determined hackers. Companies will still need to employ highly skilled cyber security personnel to protect their computer systems and networks.
