What Mary Poppins Can Teach Us About Information Security Training

The explosion of new technology (seems to me like there’s something new every day!) is generating more data in more places than ever before. Combine this with a rise in the value of stolen data - a single pilfered record can fetch as much as $45 on the black market - and the rising costs of data breaches and you can see why information security is becoming such a big deal for our organizations. 

Of course there is no shortage of technology solutions to help mitigate risks, but are they enough?

While technology can help protect and monitor your systems, it doesn’t do much to address the human issue. Roughly a quarter of all data breaches are caused by human error, making people one of the biggest liabilities in any organization. So, all we need to do is train our people to convert them from liabilities into assets, right?

Easier said than done I’m afraid.

The Trouble with Info-Sec Training

What we’ve found in developing information security training programs is that employees are generally apathetic about information security. Why?

Most people assume there is a team of Information Technology (IT) folks who have their back on security.

They also don’t understand the grave consequences associated with a breach and how their actions can put the organization at risk.

Making matters worse, people are busy. In a world where employees are constantly asked to “do more with less”, who has time for information security training?

Even if we can make people understand the importance of good information security practices, we still have a major hurdle in front of us. The fact is, information security training is flat out boring. Sure, we can cram our content into a variety of formats and portals, and make people go through them, but will they retain any of the information?

Probably not. 

Making Info-Sec Palatable with Game Based Training

To make information security training more palatable, we should take a page from Mary Poppins, who proclaimed: “A spoonful of sugar makes the medicine go down.” What was Mary’s insight? It was her understanding that there needs to be “something in it” for a person to take that medicine.

So the question is, how do we add the necessary value to motivate people to get up to speed on information security? 

The answer: gamification and game-based training!

By now you’ve probably heard of gamification, but for those who haven’t, gamification is the process of adding game elements to a task to make it fun and engaging. Examples include dividing tasks into levels of increasing difficulty, awarding badges for completing tasks, or featuring leaderboards to add an element of competition to our programs.

Game-based training is using games themselves to teach, and to make training more compelling. This can range from simple quiz games, to elaborate role playing games, to simulations.

The best training games have players learning without realizing it.

So how does this apply to information security training? Both gamification and game-based learning can make information security training a heck of a lot more fun.

Of course there are folks who will claim that information security is serious business that shouldn’t be trivialized by games. But with all due respect, they couldn’t be more wrong.

Information security is so important that we need to use any tactic that drives results. And for this, gamification and game-based learning can’t be beat.  

Benefit #1: Increased Participation

As mentioned earlier, driving participation is especially challenging when the subject matter is information security. As a quick litmus test, which call to action is more likely to get you to participate in a training program:

“Here is a link to our new information security training course.  Please be sure to complete the training before March 31st.”


“Take the Security Challenge! Play now to see how you stack up!”

Sure, there’ll be a few curmudgeons who claim that the first option is more compelling, but the overwhelming majority will be more likely to click on the second one. Why? Because it sounds fun, which means there’s something in it for the end user. We’ve added some sugar!

Benefit #2: Improved Engagement

So gamified training can help drive participation but what about engagement? Again, where engagement is concerned, the gamified program will crush traditional training methods, hands down. 

Gamified programs appeal to many of our innate characteristics, like our competitiveness, our desire for completion, and our perfectionist urges. In doing so, they evoke an emotional response from end users that leaves them deeply engaged.

Game elements like scores, leaderboards, levels, and achievements help sustain that deep engagement as users strive for better results. As an example, gamified information security programs we’ve run for our clients have kept users voluntarily engaged for more than 60 minutes. That’s an eternity in information security training years!

Benefit #3: Better Retention

While participation and engagement are important metrics for any training program, comprehension and retention are a better measure of a program’s efficacy.

This is where gamified training programs really shine.

A recent program we ran for a government client saw a 25% average increase in knowledge and understanding of the organization’s information security protocols.

The program got those results for a number of reasons.  The game-based learning modules were fun and addictive (which meant end users spent more time interacting with the course materials), and the modules included scoring and leaderboards which prompted users to learn in order to post better scores.

Benefit #4: Low Risk, High Reward

Another advantage of game-based learning is that it allows users to make mistakes while only incurring a virtual cost. 

I don’t know about you, but I barely ever do things right the first time. I usually screw it up once or twice before I get it right.

In a game-based simulation, users can make mistakes and only suffer in-game consequences like losing points, or failing to complete a level. In fact, unlike real world mistakes which can be very expensive, in-game mistakes provide us with an opportunity to make users aware of the grave consequences associated with a data breach. 

They give us an opportunity to explain why good information security habits are so important to the organization.  And because those mistakes impede the user’s progress in the game, the lessons are more impactful than those taught within a PDF or classroom environment. 

The Bottom Line

One objection to a gamified training approach that I frequently hear is, “games are great for teenage boys who live in their parents’ basements but they won’t work for our demographic.  Our people are a bit older and we have lots of women on staff.” 

While this stereotype might have been true in 1990, it’s pretty outdated. Forty-eight percent of North American casual gamers are women, sixty-five percent of whom are between the ages of twenty and fifty. Gaming has gone mainstream, and as millennials (the first generation to grow up gaming) take over the workforce, the demographics skew even more in favour of gamification and game-based learning.

As data breaches become increasingly common, organizations are realizing they need to educate their employees about information security. For busy employees, carving time out of their frenetic schedules is a bitter pill to swallow.

I know how Mary Poppins would have solved the problem.