Anecdotally, you can see people out and about, playing Pokemon Go, who would otherwise apparently be playing video games in their home. Corporate wellness programs would be strongly advised to take advantage of the game’s phenomenon, and encourage people to report the distance traveled.
When I consider most of the self-proclaimed security awareness gamification efforts, I see that they do not truly understand gamification. Gamification is not providing information through a game. Gamification is, again, rewarding people for exhibiting the desired behaviors in actual circumstances.
In Pokemon Go, the goal is to level up and catch Pokemon. You are informed how many points you need to level up, how to earn points, and how to catch Pokemon. This includes visiting real-world locations and walking/biking/skating/etc. certain distances. You are constantly informed how many points you have earned, which Pokemon you caught, and where you are compared to your goals. And, nobody is forcing anyone to play the game.
While many vendors, as well as security practitioners, want to describe their gamification products/programs as a fun way to learn, the effort to provide information is not gamification. Again, gamification is about rewarding actual behaviors, not achieving a specified learning objective.
All security practitioners should be aware that just because a user knows what is proper behavior, it doesn’t mean that they actually practice that behavior. For example, some vendors created games about how to tell if a password is strong. They then have in-game contests to see if a student can tell which passwords are strong and which are weak. If a student knows that a good password has eight or more characters, the “game” issues them a certificate deeming them security aware. However, the only real way to judge whether a person practices good security behaviors is to try to crack their password to see if it meets the specified procedures. Even then, it is difficult to tell if they reuse the password on multiple accounts, which is a weak security behavior.
Again, knowledge of desired security behaviors is not an indication that the individual will practice that behavior.
In another article, I wrote about the ABCs of behavioral science. Specifically, antecedents (in this case information) influence behavior. Behavior creates consequences, which in turn reinforce or discourage the behavior.
For example, if you burn your hand, you are significantly less likely to recreate the behavior that caused the burn. Science indicates that telling someone that they can burn their hand is only 20 percent likely to generate the desired behavior, while the consequence of burning their hand will influence 80 percent of future behavior.
Most of what vendors refer to as gamification is actually just a simple game. They are using a game to convey information. Even if there are in-game rewards, it is still not gamification, as rewards in gamification must be conveyed for real-world behaviors.