Article

Start enabling your human firewall

Using gamification to make compliance training stick

Published

August 2021

Author

Christian Lykke-Rasmussen

Do you want to reduce the risk of cyber security attacks in your organisation? Then you must start taking human engagement seriously in your compliance training. We know that humans are the main risk factor, and only by making security training fun and engaging can you enable the human firewall in your organisation.

Looking at cyber security attacks, humans are the main risk factor. Social engineering and exploitation of human psychology are used to aim at the weakest link in the organisation: the least resilient, busiest and most vulnerable employees [1]. The result is costly loss of control over data and potentially data breaches. And the situation will not change if we do not start taking the need for engagement in security training a lot more seriously.

We must start enabling the human firewall by employing a new approach to compliance training [2]. We need to create active engagement by delivering training in small bites that are spaced over time – and frankly, raise the bar in terms of how to design security training and allow people to have more fun. Because fun, engagement, spacing and repetition are the scientifically validated recipe for making learning stick and turning knowledge and awareness into actual behavioural change. In short, stop box-ticking and start enabling the human firewall.

At this point, you might think: “this all sounds very good, but … how do we know it really works?”

We have helped forward-thinking organisations use gamification to enable the human firewall using our learning platform comPLAYance – and the impact speaks for itself.

What is comPLAYance?

comPLAYance is a training app that turns learning into a game based on the principles of gamification. It creates a safe and involving environment for the participants to learn new skills, acquire new knowledge and practise new behaviour.

Using a scoreboard, the app helps create a fun and competitive atmosphere involving the participants, which leads to far better retention of knowledge while at the same time making the acquired knowledge more operationally applicable.

18,000+ security scenarios covered and substantial knowledge lift in 10 days – in a voluntary game!

One of our clients in the financial sector needed to increase awareness of fundamental cyber security to reduce risks and avoid big costs related to breaches, leaks and hacks. We collaboratively developed a digital cyber security game turning hard-to-understand legal and technical content into real-life scenarios.

The voluntary training was rolled out on our digital learning platform comPLAYance without classroom training or e-learning modules – only accompanied by an awareness campaign about the availability of the security game. The learning platform encouraged employees to play together by making choices to act in real-life cases in interactions of at most 90 seconds at a time.

The impact was remarkable! 30 employees played 18,000+ 90-second knowledge bites spaced out over 2 weeks. That is 600+ per employee. The knowledge level was raised from 95% accuracy to 99%, with the highest measurable knowledge lift from 47% to 82%. What really surprised us was that 50% of the interactions were voluntarily conducted after working hours or at the weekend. We do not encourage people to work outside working hours – however, this shows very high engagement!

On average, each employee played together with 15 different colleagues across the organisation. New relations were formed. We were able to continuously measure the knowledge lift and identify knowledge gaps, which provided a baseline for further training going forward.

Was this just a stand-alone case? No!

Making even GDPR fun and engaging with gamified learning

Another client in the public sector decided to change their compliance training approach to increase engagement and impact. The aim was to lift the knowledge level within GDPR and information security using a format that motivated employees to learn and provided measures for the training impact.

Two games were collaboratively developed and rolled out via the comPLAYance platform assisted by a 3-week awareness campaign.

On average, employees played almost 40 games during the voluntary training. This was 52,000+ interactions in total, with each employee investing energy in around 340 interactions with colleagues. The average knowledge level was raised from 90% to 96% accuracy. And 40% of the interactions were after working hours and at the weekend.

Three drivers of magical learning experiences

Compliance training does not have to be a box-ticking exercise. We need to turn our perspective on compliance upside down. You do not need to pass on hard-to-understand GDPR rules and regulations as a one-off training package. Instead, try to break them down into understandable bites that are relatable to everyday work situations and deliver them in an intrinsically motivating way, for example inspired by gamification.

Based on our experience creating learning impact for our clients, we suggest three important learning drivers:

  1. Make compliance content relatable by creating real-life scenarios – this way, it will stick to existing experiences.
  2. Space out learning interactions using small bites of learning content – repetition is key.
  3. Deliver training with focus on intrinsic motivation and social learning – fun and engaging training has higher impact.

Do you want to be part of the movement? Let us help you turn mandatory compliance training into a magical learning experience that your employees want to repeat again and again!

Sources

1. https://www.computerweekly.com/news/252470384/Social-engineering-a-factor-in-virtually-all-cyber-attacks-report-claims 

2. https://implementconsultinggroup.com/no-more-mandatory-compliance-training/