Spotlight: Gamification Helps Our Employees Learn Cybersecurity

It’s just a fact of life: Whether on the job or at home, people will do almost anything to avoid boring content. That’s a problem for learning organizations, which are tasked with training employees on topics that are critical but not natively interesting to most.

Take cybersecurity, for instance. It’s hard to imagine anything more essential to operations. No business wants to end up in a headline after the latest security breach. But most people find cybersecurity rules and responsibilities pretty dry and unappealing. So a few years ago, we started to complement our e-learning program with gamification to increase cybersecurity awareness among our employees.

How we turned a “must do” into a “wanna do”

My colleague Gilles Montagnon and I recently wrote for SAP Insights about how companies can take advantage of the powerful combination of microlearning and gamification.

The roots of using gamification at SAP go back several years.

A screenshot from SAP's Horror Hospital security training game

Gilles, who is global head of application security engagement and enablement at SAP, helped use an online version of Capture the Flag to engage a very targeted group – software developers – and raise their awareness of product security best practices. The results were impressive from the beginning. Our developer community embraced the games in high numbers.

Then, in 2018, our security organization began using an escape game to teach cybersecurity to a much broader group – our whole SAP employee base. In the game, the players are captured by a crazy doctor and locked in the Horror Hospital. To survive, they have to solve nine security challenges in four rooms. For each correct answer, they collect one letter toward spelling a password to get out.

But each time they give a wrong answer, they lose a part of their (virtual) bodies!

You can see a couple of the Horror Hospital rooms in the screenshots accompanying this article.

It was early days for gamification of business content, but we quickly discovered that employees liked having a fun little break from their workday. People perceive games as fun, not as training, so they’re more willing to participate.

For the next few years, we developed more sophisticated game worlds to give a more immersive experience for learners. Last year, we launched a game that features 11 rooms and 28 challenges in which people hunt Dracula, as well as a few virtual multiplayer games to teach specific things such as how to deal with ransomware.

A second room in the Horror Hospital game

It’s not just participation that matters. It’s been estimated that teaching through the use of game-like elements improves retention rates to 75%, compared to 5% through traditional learning methods. The concept is simple. People assimilate information faster and retain it longer when they learn by having fun.

Playing games and competing are part of human nature, common to all human cultures. Gamification motivates learners. When they play, they get immediate feedback. It’s less discouraging for learners to realize their mistakes right away as opposed to later. Learners also need to see how they’re doing on their overall journeys, so our online games make it easy to see progression. In a real classroom, you might get a sticker or a lollipop for finishing the training module, so we use things like that, too.

Keeping different personalities and motivations in mind

People are motivated by different things in a game world. Toward that end, we worked with some established user personas, called Bartle’s player types, for gamification.

If you hit the right mix of game elements that resonate with these different types of users, the payoff is high engagement rates. For example, more than 7,000 people played the Horror Hospital escape game, solving 56,000 challenges in two weeks. We were very happy with that. For a voluntary game, this is an excellent number.

Another proof point: We offered people a gamified version of our cybersecurity e-learning with similar content. The participants’ feedback showed that they learned more from the game than from the traditional training format. Just about everyone wants to disconnect from their daily work and environment at times.

This brings up another important lesson: Traditional e-learning and game-based learning complement each other perfectly.

The reason is that if we learn something new but then make no attempt to relearn that information, we remember less and less of it. The biggest drop in retention happens very soon after learning. This means that you should not only offer one main training for your employees but also further assets, such as games that repeat parts of what participants learned in the training.

And that’s what we do with our games.

Sometimes we talk to learning development professionals at other companies, and they tell us their management does not understand the value of using gamified training – that people will have so much fun they won’t do their jobs. With four years working on this, we have put those concerns to bed. We understand the value proposition of gamification. We’ve seen our gamified cybersecurity environment pay off in increased engagement and retention.

We get a lot of positive feedback from our learners. I especially like this one: “Great idea to use gamification to turn a boring topic into a breathtaking challenge. Well done, guys!”

– As told to Lauren Gibbons Paul