
By:
Joaquin Lanfranconi
Cybersecurity Researcher

References

1. Kalafatoğlu, Y. (2020). Gamification in Business: A Review of the Studies. Eurasian Business Perspectives, 53-73.

2. Angafor, G. N., Yevseyeva, I., & He, Y. (2020). Game-based learning: A review of tabletop exercises for cybersecurity incident response training. Security and Privacy, 3(6), e126.

TRAINING WITHOUT GETTING BORED:
Gamification of training

The cybersecurity market continues to grow steadily. Practically every week there are new cases of data leakage, companies attacked by ransomware, and new TTPs (Tactics, Techniques and Procedures) that increase the need for organizations to train their personnel to be prepared against unexpected events. The underlying problem is that new situations lead us into the realm of the unpredictable, and there operational capabilities lose effectiveness.

How do we deal with the unpredictable?

The answer to this is simple, but its application is not. In short, the trick is not to focus on predicting, but on being prepared. Similarly, instead of preparing to lift a heavy load someday, we train all our muscles to lift any kind of load, any day. But of course, preparing for things we don't know sounds incompatible with the operational tasks of technology and business, which circulate in the realm of the known. For this reason, many organizations in search of constant innovation are focusing on training and coaching based on new dynamics to make it easier for their staff to face critical situations where a decision can affect business continuity, or bring major problems that had not been contemplated. This applies mainly to incident response teams (CSIRT) and technology teams, but also to non-technical personnel who are part of the response at different levels (press, legal, communication, etc.).

What is training gamification?

Gamification is the use of game mechanics in non-game environments, with the objective of practicing critical thinking and testing oneself in simulated and controlled situations, which generates a better interaction between people, and a better attitude, because after all, who doesn't like to play a little? However, this is not as simple as including playful dynamics; academic studies indicate that better designs can be obtained from more scientific research, so a light approach could leave us more on the side of entertainment than learning. Among the main uses of gamification in business and organizational environments are personnel selection, training, and performance management.[1] The aim is to maintain the essence of gamification as a learning process.

Thus, gamification seeks to preserve the essence of the game environment, creating a setting with less stress than a real situation and making it possible to think and/or act in a more natural and calm way, in a psychologically safe environment. In addition, evidence shows that employees feel more motivated to train in this way than in the conventional way, which deserves to be analyzed as a way to increase knowledge. Learning by playing also develops "muscle memory" more easily; after all, we are complex repetition machines. This allows us to prepare ourselves to respond better to risky situations or situations that require immediate action. As in martial arts, where a movement is repeated until it becomes an automatic reaction, the goal is to save our energy for the decisions that cannot be trained in advance.

The benefits of this new way of learning are many, and it is a win-win for both parties. From the employee's perspective, knowledge is acquired in a more entertaining and practical way. From the company's side, incidents and response times are reduced, and employees' willingness to train is also improved, without the premise that it will be a boring and repetitive task.

Training, cybersecurity, and games

Cybersecurity itself is very much a game, as there is a standard "cat and mouse" structure in this industry where one side attacks and the other defends, and this facilitates the creation of games based on natural dynamics. With this premise, in some areas of cybersecurity gamification seems to be an option that is, to say the least, quite reasonable. And despite the fact that when proposing gamified trainings we call them "exercises" to achieve a better acceptance in the traditional market, deep down we know that it includes playing.

But we can go a step beyond gamification: we seek not only to add game dynamics to known processes, but also to build new dynamics, designed from the start to facilitate learning and based on playful methods that give them a more entertaining context. This is probably the basis for the future of training (and why not education), and not only in cybersecurity.

Indeed, perhaps the main setting in which the worlds of training, cybersecurity and games converge is the so-called "Tabletop Exercise" (TTX), a format derived from traditional board games that has served to train military strategy skills for centuries. This type of exercise exposes participants to simulated situations in which they practice the most appropriate responses and actions for dealing with problems, whether known, unknown or unexpected. This form of training is aimed not only at personnel with technical knowledge, but also at executives and managers of all levels, including top management, with a focus on decision making. Everyone can experience it. Indeed, research suggests that training using Tabletop Exercises improves the levels of awareness, understanding and preparedness of cybersecurity incident response teams (CSIRTs) and strategic decision making, enabling better preparedness to deal with real incidents.[2]

While the subject matter has only been in development for a few years and has a long way to go, gamified training and game-based learning experiences will be a central part of training programs for cybersecurity personnel in the not-too-distant future.