Finally, Winkler warns that gamification is not the answer for every organization, especially if security is a regulatory requirement and participation is not voluntary.
Corporate security pros aren't laughing at gamification.
"Gamification is something we are looking at," confirms Ahmad Douglas, senior director of security awareness at Visa Inc. in Ashburn, Va. "There is a presumption that if we hold security awareness week and have a talk and give away pens that somehow it had an impact on people's behaviors. We have not made that presumption." Instead, Visa has brought in a cognitive psychologist to examine how to counter threats by measurably alterin sg behavior.
"Gamification is a tool, but I don't want to presume that it is the solution," Douglas adds.
Gamification, or storytelling, or putting cartoons in bathrooms, whatever channels work for people, that is how we are going to get to them. Ahmad Douglas, senior director of security awareness, Visa
"Gamification, or storytelling, or putting cartoons in bathrooms, whatever channels work for people, that is how we are going to get to them," Douglas adds. "Whatever we do, it will be tied to a specific threat, it will have measurable outcomes and it will be based on real psychology."
The awareness problem actually has two segments, Douglas says. "Do they know what action you want them to take? Are they willing to take some action? You can't solve both with the same solution. If they don't know [something], you have to assess if it is realistically knowable and what is the best way to teach it. If they don't care to take action, you have an incentive problem and need to offer a reward."
Not all security professionals are fully buying into the gamification idea. "We use it to a certain degree, but not to the extent of having levels and points," says Jonathan Feigle, director of information security at Hyatt Hotels Corp. in Chicago. Awarding points to a global staff speaking many languages would involve numerous complications, he notes.
While Winkler and others emphasize that gamification does not mean the users play a game, others are willing to cross the border to actual games. For instance, start-up Apozy is developing a cloud-based computer game to teach security awareness, says co-founder Rick Deacon, who was previously a corporate penetration tester.
"We want to get the users engaged with something they enjoy using," he explains. The game simulates a corporate environment and the users take the part of attackers, who plan attacks based on what they learn during the course of play. Meanwhile, the software analyzes the users' decisions to make sure they understand the situation, he explains.
Sign up for CIO Asia eNewsletters.