hashtalk 007: cybersecurity through the lens of gamification and how ‘playing’ can build better defenses
What if your best defense against cyber threats isn’t more training manuals, but a leaderboard?
By Eva Georgieva
Hi bugs! As the holiday season approaches, so does security teams’ urge to send phishing awareness tests to employees. It’s like handing out pop quizzes on nutrition right before a holiday feast and expecting everyone to suddenly eat healthy. You get the point — this isn’t training; it’s just a test. Now, as a tiny protest against holiday phishing awareness tests, I am bringing several ideas to the table so that security teams can get inspired to deliver proper, interactive training and be remembered.
Hors d’œuvre
In our hashtalk today:
- The holiday season phish and why traditional training is a flop
- Gamified cybersecurity training, and why it is better than the rest
- Points, badges and bragging rights: building a culture of security
Gamification is the application of game design elements — like points, rewards, and competition — in non-game settings. In cybersecurity, it takes many forms, from Capture the Flag (CTF) challenges to scenario-based simulations and the utilization of training platforms like TryHackMe, Hack The Box, and Let’s Defend.
Innovative Approaches to Gamifying Cybersecurity Awareness in Large Organizations
What if, instead of the standard, non-memorable training, cybersecurity teams introduced gamification as a form of training throughout the year? What if they made it something that employees want to engage with, rather than something they have to endure? Gamification offers a transformative approach by introducing interactivity, competition, and rewards into the learning process. Instead of annual quizzes or dull compliance videos, employees could participate in immersive activities that make cybersecurity relevant and memorable.
Idea 1: Company-Wide Phishing Scavenger Hunt
Imagine a company-wide Phishing Scavenger Hunt in which employees search their inboxes to uncover cleverly disguised phishing attempts. Each red flag they identify, like a suspicious sender or a too-good-to-be-true link, earns them points. Teams collaborate, competing to climb the leaderboard in a thrilling race for the title of Phishing Detective.
Idea 2: Virtual Cyber Escape Rooms
Virtual Cyber Escape Rooms. Employees work together to crack security puzzles, such as decrypting suspicious file names, spotting malware in decoy reports, or crafting the perfect secure password to “escape.” Each correct solution unlocks the next stage of the game, blending fun with practical learning.
To keep the momentum going, reward progress with dynamic leaderboards, digital badges, and real-world perks.
Idea 3: Monthly Cyber Games
Probably my favorite thing I came up with and the easiest to implement.
These aren’t just dull PowerPoint presentations delivered like a lecture. These are monthly, one-hour, interactive, engaging sessions designed to make cybersecurity topics accessible, relevant, and, most importantly, fun.
Each month, the security team picks a hot topic — think “Decoding Ransomware,” “Spotting the Phish,” or “How to Win at Passwords Without Losing Your Mind.” But instead of a standard lecture, the session is gamified. Here’s how:
- Interactive Polls and Quizzes: Kick off with live quizzes on myths vs. facts, where attendees use their phones to answer and compete for the top spot.
- Real-World Scenarios: Present challenges based on real-life cases, such as spotting vulnerabilities in a mock system or analyzing a suspicious email to determine its legitimacy.
- Role-Reversal Games: Let participants “play the hacker,” brainstorming ways to infiltrate systems or craft convincing phishing emails (under the guidance of the security team, of course).
- Mini-CTFs (Capture the Flag): Include bite-sized challenges, like solving a simple encryption puzzle or identifying weak points in a demo application.
To encourage participation, track scores across sessions. Employees who attend regularly and perform well could earn badges, shout-outs in company newsletters, or entry into an end-of-year Cyber Champion Raffle.
These monthly sessions could also be recorded and shared for those unable to attend live, extending their reach while building a library of gamified resources for ongoing learning.
As you can see, if there is a will, there is a way. And cybersecurity training, especially when it comes to non-technical audiences, doesn’t have to be just another check-box.
Gamification within the Cybersecurity Team
At its core, gamification works because it taps into some intrinsic human motivations like:
- Competition: Leaderboards and rankings push participants to perform better and stay motivated.
- Rewards: Immediate feedback, badges, and points create a sense of accomplishment.
- Engagement: Interactive and immersive challenges hold attention better than traditional methods.
And when we think of cybersecurity training, of course, the cybersecurity teams are quite a crucial part of it all. Hands-on practice shouldn’t wait until a real incident occurs; instead, we should treat it like a basketball game. Security teams should have more training sessions than actual games. And if there is not enough training, and no strategy or plays already in place, which play does management call when the real thing happens?
Use Case
One option is to use existing platforms, or build one in-house, to simulate alert triaging, malware analysis and incident response. For example, analysts might be presented with a set of suspicious activities that need investigation, such as unusual traffic patterns, failed login attempts, or unauthorized data access. They then use tools like SIEM (Security Information and Event Management) systems to perform log analysis, determine the severity of the incident, and decide on the appropriate course of action. By running these exercises regularly, the SOC team builds its own playbooks that it can follow when a real incident occurs.
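One way to build a small in-house triage drill of this kind, as an added example that is not part of the original post: analysts rate each source in a failed-login log, and their calls are graded against an answer key derived from the log itself. The log format, the threshold of 5 failures, the point values and the analyst names are all assumptions made for illustration.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^\S+ sshd (FAILED|ACCEPTED) user=\S+ src=(\S+)$")
LEVELS = {"low": 0, "medium": 1, "high": 2}

def events(outcome, user, src, n=1):
    # Build n identical constructed auth events (hypothetical log format).
    return [f"2024-12-02T09:00:00Z sshd {outcome} user={user} src={src}"] * n

# Constructed drill data, not real logs: three sources, three different stories.
DRILL_LOG = "\n".join(
    events("FAILED", "alice", "203.0.113.7", 5) + events("ACCEPTED", "alice", "203.0.113.7")
    + events("FAILED", "root", "198.51.100.23", 6)
    + events("FAILED", "bob", "192.0.2.10") + events("ACCEPTED", "bob", "192.0.2.10")
)

def ground_truth(log, threshold=5):
    """Answer key: severity per source IP, derived from the log itself."""
    fails, breached = defaultdict(int), set()
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth events
        outcome, src = m.groups()
        if outcome == "FAILED":
            fails[src] += 1
        elif fails[src] >= threshold:  # the lookup also registers success-only sources
            breached.add(src)  # a success after a burst of failures
    return {s: "high" if s in breached else "medium" if n >= threshold else "low"
            for s, n in fails.items()}

def score(answers, truth):
    """10 for an exact call, 4 if one level off, extra -5 for under-rating a high."""
    pts = 0
    for src, actual in truth.items():
        given = answers.get(src)
        if given not in LEVELS:
            continue  # source not triaged, or invalid label: no points
        gap = LEVELS[actual] - LEVELS[given]
        pts += 10 if gap == 0 else 4 if abs(gap) == 1 else 0
        if actual == "high" and gap > 0:
            pts -= 5
    return pts

def leaderboard(submissions, truth):
    """Rank analysts by score, ties broken alphabetically."""
    return sorted(((name, score(a, truth)) for name, a in submissions.items()),
                  key=lambda row: (-row[1], row[0]))
```

Penalizing an under-rated "high" more than an over-rated "medium" keeps the scoring aligned with what a missed compromise costs in a real incident.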
From all I’ve learned, in cybersecurity, the best way to win the game is to keep playing.
Let’s keep in touch
I’d always be willing to discuss more, exchange ideas and continue the hash talk.
- Reach me at: evaincybersec@gmail.com
- Or let’s talk briefly over a coffee, or martini, I don’t judge: https://calendly.com/evaincybersec/h-shtalks