A lot of people play video games. According to NewZoo’s article “Video Game Industry Statistics in 2020“, in 2019 over 2.7 billion people played video games. That’s more than 1 out of every 3 people who voluntarily spend their leisure time pursuing video games. Gamification is about trying to use game design principles on non-games in order to get people to voluntarily engage in those non-game activities more. Now, I don’t want to get into an academic definition battle of what a “game” is specifically, rather, let’s take the approach of U.S. Supreme Court Justice Potter Stewart in that most people probably recognize a game when they see one.
Gamification – the good, the bad, and the ugly
We should, however, differentiate between good gamification and bad gamification. You’ve probably seen bad gamification – it usually happens when a company decides to take an existing process and just tack on points and “achievements” in the hopes of accomplishing Skinner Box-like effects on their customers. Those kinds of “solutions” happen when people who see studies that show gamification increases customer engagement but don’t understand game design have sway over the marketing department. There is more to games than points and achievements. Well, at least there’s more to good games than that. Or perhaps you’ve seen things like gamified education where kids can play a few minutes of a game if they solve some math problems. Rather than making learning fun, all that does is teach the kid that math is the obstacle to fun, assuming that the game they get to play is any good.
A good game
Good games involve meaningful decisions that affect outcomes that players care about. They involve a delicate balance between challenge and player skill, keeping the player in the flow channel.
They involve progression systems and providing players with a sense of mastery. They tend to involve UI systems that operate on very different principles than typical desktop application or web application UI system design. It is very difficult to add these things onto an existing business process or training program without making major changes. The alternate solution is to start with something new that is designed, up front, to be game-like.
Since I work on ThreatGEN® Red vs. Blue and it is gamified training, let’s focus on comparing gamified training to games. Games seek to provide intrinsic rewards through presenting the player with challenging problems and allowing the player to achieve a sense of mastery – that mastery can be of any type of skill whether it be physical, mental, or social. The skills can also be real (e.g. eye-hand coordination) or virtual (e.g. fire magic +2). Gamified training also seeks to give the player a sense of mastery, and while providing challenges through problems to solve is helpful for keeping players psychologically engaged, it is not necessarily a goal of gamified training. Though keeping players engaged is important. So, it’s optional…but not really. The key difference between a pure game and gamified training is that the mastered skills (or acquired knowledge) must translate to the real world in a context that exists outside of the training. The more direct that translation is, the better.
Additionally, there should be a direct correlation between success in the training and success in the real world. For example, with ThreatGEN® Red vs. Blue, we designed the game so players who exercise real-world cyber security best practices will do better than those who don’t – that isn’t to say that if players use best practices then they are guaranteed to win as that isn’t how things work in the real world. Sometimes attackers get lucky. Maybe a well-trained, security aware employee had a night of poor sleep and was in a hurry to clear out their email inbox and clicked on a link in an email that only appeared to be from their boss. Stuff like that happens.
Games and Gamification diverge
This is where games and gamified training diverge. A good game will usually provide a reliable pathway to player success – do these things, get those results. That kind of reliability feels good to the player, psychologically. Because gamified training needs to correspond to reality and reality is often unkind to our psyches, gamified training sometimes needs to present the player with situations in which they did the right things but they were just unlucky or things didn’t go their way. Ideally, that will cause the player to question what they would do in real life with that scenario. Even vast and immersive games (like Eve Online) only simulate a limited subset of realistic interactions. Players should get to a point where they bump up against the limitations of the training and start thinking of solutions in the real world that aren’t possible in the gamified training. Once people have internalized the lessons that the training provides and have graduated to a point of thinking of solutions beyond what is possible in the training, then they are well on their way to mastery of real life skills.
About Aaron Shbeeb
Aaron is one of ThreatGEN’s founders and our Chief Software Architect.
Aaron has worked for more than a decade in a variety of programming and security positions, including ICS/SCADA and specializes in secure programming practices.
From “About the Authors” on Aaron Shbeeb’s co-authored book “Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions“
With interests in video game development and gamification, Aaron’s interests span from martial arts to tutoring in STEM related subjects to implementing the next generation of OT training solutions.
About ThreatGEN
Founded in Sugar Land, Texas in 2017, ThreatGEN delivers a solution to bridge “the ICS Cybersecurity skills gap” utilizing its ThreatGEN® Red vs. Blue training and ThreatGEN OT Security Services. ThreatGEN® Red vs. Blue training uses cutting-edge computer gamification in ThreatGEN® Red vs. Blue to provide an exciting & modernized approach to cybersecurity training, both practical and cost effective! ThreatGEN OT Security Services are delivered worldwide by world-renowned Operational Technology (OT) cybersecurity experts (we literally wrote the books industry uses) using strategically chosen partnerships to create a holistic service offering.
For more information, visit our company website at https://ThreatGEN.com, follow us on LinkedIn at https://www.linkedin.com/company/threatgenvr/, or follow us on Twitter at https://twitter.com/ThreatGEN_RvB.
For further sales information, send an e-mail to sales@threatgen.com.
Derezzed Inc. D/B/A ThreatGEN
140900 Southwest Freeway #300
Sugar Land, Texas 77478
+1 (833) 339-6753
#gamification #cybersecuritytraining