No more mandatory compliance training

It is time for a learning revolution!


September 2020



The greatest threat to our digital assets is no longer technological. It is human.

Nine out of ten data breaches are caused by human error [1]. 99% of email attacks rely on victims clicking links [2]. In fact, exploitation of human psychology, so-called social engineering, is a factor in 99% of all cyberattacks [3].

People are the main attack vector and the primary cause of costly data breaches. Advanced technology and security practices, no matter how sophisticated, will always be constrained by the human factor. This is true for all organisational levels, not least the C-suite [4].

We need to take this seriously – right now. In a thoroughly digitised world, security-conscious organisations must work to install and maintain a culture that promotes security as a collective responsibility rather than an “IT problem”.

It is not easy to make IT security a collective responsibility. But with the right approach to training, you can transform employees at all levels in your organisation from the weakest link to the strongest. Yes, you can enable the human firewall.

No more e-learning modules, please!

Of course, modern organisations bolster themselves against data breaches by investing heavily in technical and judicial controls to increase system security. But aside from this, they also pour huge funds into training their employees to exhibit compliant behaviour.

In theory, this training should encourage certain types of behaviour and discourage others in the learner. And with the new possibilities of e-learning, theoretically, employees can access all the learning they need whenever and wherever they want. The behavioural impact ought to be huge.

Sadly, this is not the case.

Mandatory compliance training is about compliance – on paper and in theory. It provides documentation that the employees are informed about the organisation’s data protection policies. It allows organisations to tick boxes. But mandatory compliance training does not in itself instil a different behavioural pattern and thus does not enhance robustness or resilience against data breaches.

Instead, millions of employees worldwide sit for hours on end, alone in front of a computer screen, struggling to complete an entire battery of e-learning modules in mandatory compliance and awareness training programmes. This is boring and unengaging for the individual employee, a bad user experience that does not ignite employee engagement. And even more depressingly, the training does not lead to the intended change in awareness, knowledge and behaviour either [5].

People end up feeling unsure of their role in security, and they have no idea what an attack would look like, let alone how to prevent or report one. In effect, mandatory compliance training leaves organisations vulnerable with humans as the weakest link.

Why? Exactly because mandatory compliance training is boring and unengaging!

Learning is doing

Some experts simply argue that, due to lack of uplifting results, training users is a waste of time. They argue that security budgets could be better spent on more rigorous technical controls [6].

We do not believe that is the case. Since technical controls are never perfect, and threat actors consistently target people via technology, user training is essential in creating a strong security culture. There is no question: we need people to become the strongest link.

People are not to blame for the lack of uplifting results. Instead, the problem lies in the way we conduct traditional compliance training, which oftentimes is:

  • Passive and non-actionable – you receive information, but you don’t DO anything.
  • Out of context – it is up to you to translate the learnings into everyday working situations.
  • All content at once – you are provided with all the information in one time-consuming course.
  • Hit and run – training is a singular event.
  • Solitary – you complete the training alone.
  • Motivated by tick boxing – modules are not evaluated on behaviour or knowledge but on completion.

Nobody learns anything that way. From decades of psychological research, we know that learning is only effective when the training is active, actionable, continuous, in context, bite-sized, collaborative and measured on behavioural impact.

Your brain generally assumes that the information it encounters passively (i.e. without taking any action) is not that important, and cognitively, you are much less engaged in solitude than in collaboration with others.

Let us take people away from just passively receiving information from a screen, often in isolation, and start dramatising the actual steps they are expected to take in each situation to create a gamified experience. Let us make compliance training fun and engaging. But how?

Use gamification to enable the human firewall

If employee training is ever to be fun and engaging, we need to revolutionise the way we teach awareness and compliance in our organisations.

There are several ways to do this. We see a very promising one in using game elements such as competition, points, levels and badges in corporate training.

That is why we have tried to gamify the field of compliance training by developing comPLAYance, a digital learning platform based on game dynamics. The game-based learning platform was created in collaboration with Kammeradvokaten/Advokatfirmaet Poul Schmith and Peytz & Co and consists of an app for asynchronous gaming and a physical board game for real-time engagement.

We have tried out comPLAYance in the field of GDPR, and the results are very surprising. We see high motivation as participants voluntarily use the app in their spare time, and the board game is even in demand as an energiser at large-scale events.

This is not because we have sugar-coated the content in any way. Compliance training is compliance training – there are clear rights and wrongs.

The only difference is that in comPLAYance, you get a learning experience that is transformed into a game. And that is, in itself, creating engagement and motivation!

Furthermore, since comPLAYance is a digital platform, you can do direct measurements on the go, and within a week of gaming, you have established a baseline that enables you to target the learning content relevant for exactly you and your organisation.

If you do it right, you can use gamification to enable the human firewall better than traditional employee training for at least three reasons:

  1. It puts your employees in control and sparks intrinsic motivation as they are having fun and gaining competences.
  2. It is easily accessible and facilitates everyday learning in bite-sized pieces.
  3. It increases retention and relatedness with social rewards, i.e. challenges, high scores and in-game rewards.

Of course, successful gamification is not the only answer to the challenge of making compliance training fun and engaging. But one thing is for sure: we cannot continue to do mandatory compliance training that disengages employees and has no measurable effect.

We need more fun, engagement and gamified elements. 😊