Security awareness

Gamification of Security Awareness Campaigns

Andrei Antipov
May 13, 2016 by
Andrei Antipov

Game On

People like playing games. It’s a fact. We can leave the “life’s a game” discussion to philosophers and turn to some hard numbers. The 2015 research by the Entertainment Software Association shows that 155 million Americans regularly play video games [1]. Not surprisingly, the adoption rate of gamification in corporate training environments keeps growing rapidly, with its market share projected to reach USD 11.10 billion by 2020 [2]. When applied to training and education, gamification can be defined as using gaming principles and elements to provide engaging, immersive, and effective learning experience. Which is exactly what you want your phishing awareness campaigns to be (with emphasis on effective). There are two important sides to gamification. First is the learning process itself: what learners experience when they are going through the awareness modules. The other side is gamification of your awareness campaign on the organizational level: leader boards, competition individual learners and groups, etc. In this article we will look at both sides and see how gamification can be easily and effectively incorporated into your security awareness campaigns with InfoSec Institute’s SecurityIQ.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.


Here are some sad statistics: 70% of employees are disengaged from their work [3]. “Death by PowerPoint” is still the preferred technique for corporate training, with 47% of training hours delivered by instructor-led classroom setting. Many companies “adopted new technologies” by forcing their dated training materials into the online format, so instead of falling asleep in classroom looking at the projector screen, employees can now comfortably fall asleep at their desks looking at the monitor. How many learners are engaged… in other activities (including playing games) during such training? How many employees whish that training was more like a game? We actually have the answer to the second question: 75% of learners would be more engaged if learning included gaming dynamics [3].

So how do you include gaming dynamics? Introducing challenges is one of the popular gaming techniques that makes training more engaging. Multiple-choice questions that follow a slide presentation are challenges. Very boring ones. What you (and your employees) really want is something like InfoSec Institute’s SecurityIQ AwareEd offers. AwareEd modules include challenges (exercises) that require actions that resemble actual adventure video gaming, such as dropping them to the correct spot (see Figure 1) or selecting the correct elements in a given scenario (Figure 2).

Floor safe and desk depicting where it is and is not safe to store passwords.

Figure 1. SecurityIQ AwareEd Written Passwords exercise.

Man sitting at a table with a security camera mounted on the wall behind him and a woman standing behind him on the left.

Figure 2. SecurityIQ AwareEd Shoulder Surfing exercise.

On the campaign side, you can ensure engagement by introducing competition, with whatever commendations your organizational culture finds appropriate. This is for you to decide, while SecurityIQ makes it easier by providing you with scheduled detailed reports and allowing you to view campaign progress information for each learner group or individual learner (Figure 3), providing all the information you need for your leader boards right at your fingertips.


Figure 3. SecurityIQ AwareEd campaign run infromation.


To immerse means to engage wholly, meaning that gamification helps to ensure that when your learners are engaged in learning activities, they are really paying attention. defines ‘immersive’ as something that “may create an altered mental state” [4]. Altered mental state! That’s what we need: a mental state of being constantly aware of phishing and other cybersecurity threats. Not an easy goal to achieve, certainly almost impossible with traditional training techniques. A talking head reading from slides is the opposite of immersive. The key to making your security awareness training immersive is to make it engaging (which we already took care of) and to make sure that training is relatable. "Gamification is most successful when you are engaging with employees to help them complete their own individual goals, not organizational goals," says Brian Burke, Research Vice President and analyst at Garner Research (quoted by, "Shared goals are achieved as a consequence"[5]. Gamification elements that are built into SecurityIQ AwareEd modules ensure that learners have their hands doing some work when completing exercises, while offering scenarios that employees may actually experience in their everyday life, thus keeping them immersed in the process. On the company level, nothing makes your campaign more relatable than a nice award (even monetary, if that’s something your organization implements) or commendation for completing all modules earlier or reporting the most phishing emails. Again, SecurityIQ AwareEd and PhishSim (its comprehensive phishing simulation component) allow you to easily access all needed information or will deliver it directly to your mailbox.


Einstein said: “Learning is experience. Everything else is information.” Undoubtedly, learning by doing is the best way to acquire skills and knowledge. Learning by doing while having fun is proven to be even more effective. According to a study conducted by the University of Colorado, learners who participated in gamified eLearning programs scored 14% higher in skill-based knowledge assessments, 11% higher in terms of factual knowledge, and showed 9% increase in retention rate [6]. You can further enhance the overall learners’ experience by running simulated phishing campaigns as part of your security awareness program. Repeated phishing campaigns combined with awareness education will not simply test the awareness level of your employees, they will provide a comprehensive multi-step skill-building experience. In addition to gaming elements included in the awareness modules, phishing campaigns will extend the gamification element to the everyday work tasks of your learners by turning reading emails into a micro-challenge that requires applying critical thinking plus the knowledge they acquired from awareness training. Additionally, on the company side, phishing statistics can be used (either on their own or in combination with awareness training reports) as criteria for competition, thus increasing the level of motivation to not only participate in the awareness training, but to be more diligent when it comes to opening email messages.

Go Play

InfoSec Institute’s SecurityIQ is not a toy (even though it is so easy and exciting to use that it may feel like one). It is a sophisticated tool that will help provide the engaging, immersive, and effective security awareness training for your employees. Gamification will help with further enhancing the learning experience. Some gamification elements are already built into the platform, others are made easier to implement by robust reporting features and easy to configure campaigns. The ball is in your court.


See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.


Andrei Antipov
Andrei Antipov

Andrei is a security engineer. He holds a cybersecurity degree from Bellevue University and is an Associate of (ISC)² toward CCFP and a Metasploit Pro Certified Specialist. Andrei is interested in reading and writing about all things cybersecurity, with a focus on security governance, penetration testing and digital forensics. In his spare time, he enjoys spending time with his family and talking about weird movies and trip-hop.