Gamifying Security

Gamification is a powerful thing. Applying elements of gaming—like rules, score-keeping and friendly competition—to other activities is a solid strategy for boosting engagement and motivation.

Take Pokemon Go, for example, which inadvertently gamified the act of walking when the walk-as-you-game app exploded in popularity several years ago. Collectively, the Pokemon Go community has walked over 14.2 billion miles as of 2019.

Gamification is also an effective way for organizations to strengthen their security posture. When developers receive a feature request from a product manager, there are many things to take into consideration (localization, infrastructure, etc.) and security can sometimes become an afterthought, especially if it’s not part of the product requirements and developers aren’t being measured on it.

Let’s explore how gamification is bridging the gap between developers and security, and how companies can start incorporating elements of gamification into their everyday activities to create a security-first culture.

The Perks

One benefit of gamification is that it increases engagement, motivation and productivity. Things like OKRs and KPIs can be hard for developers to personally connect with, but by gamifying the activities that tie back to those results, developers (and other roles within an organization) can clearly see how their work is contributing to the company’s larger goals. One study found that 83% of people who received gamified training reported feeling more motivated, and 89% said they’d be more productive if their work was more gamified.

Gamification encourages employees to learn new things, and exposes them to opportunities they may not otherwise be privy to in their current role. For example, if a company opts to run an internal bug bounty program, anyone can get involved and learn something new, from QA staff and semi-technical product managers to junior developers. This is especially important given the current talent shortage.

It also creates a sense of community by fostering connections between people who don’t typically work together. Later, people can leverage these connections to collaborate and improve upon their own work. It’s a fun and accessible way to reinforce the importance of security so that it becomes a shared value company-wide.

Most importantly, gamification bolsters security. Salesforce, for example, has seen quantifiable improvements in security as a result of implementing gamification strategies. When a phishing attack was attempted on two groups of people within the company—those who had received gamified training and those who hadn’t—the former group was 50% less likely to click on a malicious link and 82% more likely to report it.

Getting Started With Gamification

The first step in implementing gamification strategies is determining what the process should look like. For security-related initiatives, this means having one place that holds all of your vulnerabilities, whether that’s a ticketing system or a vulnerability aggregator.

Then, you can move on to determining your areas of focus. It might be internet-facing applications, support systems, knowledge bases: anything that is exposed. (Think bigger than just the flagship product.) Tap the hive mind in your organization to better understand where your blind spots are by reaching out and asking what employees think.

Gamification is such a successful strategy because it’s fun. So, getting people excited is a critical step for making your efforts successful. Think about it as if you’re planning an event: Create buzz, get people talking, and brainstorm innovative ways to bring the community together over a shared goal. This might look like printing out posters to hang around the office, sending out promotional emails, or handing out some awesome swag.

Once underway, continually send organization-wide updates on progress and celebrate successes. One example of how this can be done is by putting up a leaderboard that shows which team is discovering the most security issues. And when the event comes to an end, it’s vital to keep nurturing the community that participated. Keep the momentum going by planning new events, assigning community leaders, handing out badges—whatever it takes to empower community members.

Lastly, gamification requires resources and time, so it’s essential to demonstrate how it’s benefiting the company at large. It’s no different than implementing any new process or tool—you’ll need to get buy-in from management. To achieve this, consider pointing back to things customers care about. Perhaps you choose to run a contest focused on support tickets or calls customers made that relate to security.

Strengthening security and keeping employees engaged should be top priorities for every organization. Gamification is a creative and fun way to accomplish this, while simultaneously bringing people together and shining a spotlight on security.


Karen Cohen

Karen Cohen is the Director of Product Management at Apiiro.
