How Yu-kai Chou's Behavioral Design Framework Revolutionized Security Awareness Training with Gamification

Imagine if your boring day-to-day tasks and responsibilities--even learning cybersecurity--were as fun as playing your favorite game. Well, you needn't imagine such a scenario because many of your favorite digital experiences, from social media to banking, are built on the design philosophy of gamification.

Gamification is a behavioral-science-grounded approach to product design centered around human motivation that applies the elements of games to real-life activities. It is not, contrary to popular belief, exclusive to games. Anything that involves a specific human behavior you want to see improved can be optimized with gamification.

Enter the world's preeminent gamification guru, Yu-koi Chou. He has helped transform multiple industries--from social media and HR to banking and cybersecurity--with the introduction of game design principles to the digital user experience.

"The number one misconception is that gamification is about making games when in fact gamification is making certain activities more enjoyable, like a game...

The number two misconception is that it’s just slapping on different game mechanics like points and badges...

What’s most important about gamification is that it appeals to your psychological core drives...

You could have game elements here and there like badges and social buttons that you would get for some silly little action, but if the user doesn't feel accomplished then it doesn't mean anything."

There is clear data that shows how integrating Yu-koi Chou's Octalysis Gamification and Behavioral Design Framework into cybersecurity exponentially improves user engagement and resilience. In this article, you will learn what gamification is, and how it can be used to level up a security awareness program.

What led to gamifying cybersecurity?

Around a decade ago, cybersecurity leaders began voicing their frustrations with the security awareness training (SAT) model: it achieved compliance, but not behavior change.

Globally, stagnant participation rates and escalating breaches raised alarm bells that SAT tools weren’t working. Theyt weren't reducing risk because they don’t measurably:

• Motivate engagement
• Build skills
• Change behaviors
• Transform culture

As the threat landscape has become more sophisticated and dangerous, the traditional SAT model has become increasingly less effective. Recent statistics show that:

• 68% of breaches contain the human element (Verizon DBIR)
• 80-95%of all attacks begin with a phish (Comcast Business)
• Since November 2022 (the launching ofChatGPT) malicious emails have increased by 4,151% (SlashNext)

There's consensus that turning around cybersecurity outcomes means changing behavior. But how? The answer is gamification.

Security awareness training has emerged as fertile ground for this proven design process.

[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]"As long as you can define the desired behavior from a human you'd like to improve, this framework applies."[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Yu-kai Chou, Gamification expert, pioneer of the Octalysis Framework[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]

Hoxhunt co-founders Pyry Avist and Mika Aalto tapped Yu-kai’s framework, built on behavioral design concepts, for inspiration back in 2016. The conversation between Pyry and Yu-kai below is equally parts informative and inspirational on the power of gamification for cybersecurity training.

The Octalysis Framework applied to cybersecurity training

Yu-kai saw that making everyday activities as enjoyable as playing a game required tapping into the brain's core drives. These include right-brain vs. left brain (playing for fun vs. playing to win) core drives, and white hat vs. black hat (carrot vs. stick) core drives, all of which must work in concert for optimal results.

The Octalysis Framework breaks down human motivation into eight core drives. Here’s how they look in the cybersecurity training context:

1. Epic Meaning and Calling: People can tap into a higher calling to cybersecurity training when it makes their role in protecting the organization personal and rewarding.
2. Development and Accomplishment:  Gamified cyber security training elements like badges, leaderboards, and levels can make training feel like a journey with tangible milestones, encouraging continued participation and improvement. Some organizations publicly recognize high-performing employees with financial bonuses.
3. Empowerment of Creativity and Feedback: After reporting simulated phishing attacks—and real phishing attacks!—employees must be able to see the impact of their actions in real-time. You caught a phish and kept us all safe: Good job!
4. Ownership and Possession:  Personalizing training and recognizing good performance publicly motivates people to continue to make a positive impact on their org's security.
5. Social Influence and Relatedness: Creating team-based challenges and friendly inter-departmental competitions, and establishing leaderboards, helps build a community around cybersecurity practices. It makes it a water cooler topic and, ultimately, embeds cybersecurity as a shared responsibility in organizational culture.
6. Scarcity and Impatience:  Reward people for acting promptly and correctly without causing undue stress.
7. Unpredictability and Curiosity: Keeping training content fresh and intriguing is crucial for maintaining participation. Randomized, fresh training content and alternating frequency of phishing simulations, unexpected challenges, and mystery rewards can sustain curiosity and engagement over time.
8. Loss and Avoidance: Users are motivated to get maximum points and maintain and elevate their leaderboard status so they continue participation.

Hoxhunt's application of the Octalysis Framework

Hoxhunt, the #1 rated human risk management & cybersecurity training platform, was built back in 2016 using the behavioral design concepts of Yu-kai’s framework.

In a recent webinar, Pyry Avist, Co-Founder and Chief Technology Officer at Hoxhunt, shared his methods of applying gamification to Hoxhunt's core products, underscoring the importance of making cybersecurity training both challenging and engaging.

“We wanted to make even the failure in training an enjoyable and empowering experience so users would feel continuously challenged to improve,” said Pyry. "We did a study that found that as the training got harder and harder, users who occasionally failed a simulation reported a higher NPS score because they actually felt like they are learning something valuable."

Hoxhunt's phishing training utilized gamification to disrupt the SAT landscape and pioneer the Human Risk Management category. Organizations like The AES Corporation won a CSO50 award for the 6X rise in user engagement they achieved with gamified security awareness training.

Qualcomm’s "Worst-to-FirstEmployee Phishing Performance" CSO50-winning initiative transformed their 1,000 highest-risk employees into model cyber citizens via enrollment into the Hoxhunt adaptive phishing training program. These reformed users went from twice as risky to literally twice as resilient as their peers in under 6 months.

Unique game elements of Hoxhunt in cybersecurity training include:

• Behavior-based: The learning experience is built around threat reporting because it is the ideal outcome of a phishing attack and the best measurement of user progress and program success.
• Adaptive: The difficulty level and type of training content automatically adjusts to the user's skill and background as they change over time. This is an essential, differentiating factor of the Hoxhunt training platform. It keeps the experience challenging enough to be interesting and addictive.
• Reward-based: It's all about high fives for success, not finger-wagging for failing tests or phishing simulations.
• Urgency: Dwell time is measured, and users are encouraged to be careful about clicking on suspicious emails, and rewarded for reporting attacks quickly.
• Epic meaning: People are constantly reminded that their training is making themselves and everyone around them more secure.
• Frequent and varied
• Feedback: Users receive instant feedback for reporting both real and simulated phishing attacks.

Examples of gamification for other business applications

Education and E-Learning Platforms

• Duolingo: Duolingo incorporates gamified elements such as streaks, levels, and achievements to make language learning engaging. Users earn points   for completing lessons and maintain their streaks for consistent practice.
• Khan Academy: Khan Academy uses badges, progress tracking, and mastery challenges to enhance the learning experience.

E-Commerce and Retail

• Amazon: Amazon’s Prime membership program is a prime example of gamification. Members receive benefits like free shipping, exclusive deals, and access to Prime Video. The feeling of being part of an exclusive club encourages loyalty
• Loyalty Programs: Many credit cards, airlines, and retail stores use point-based systems, discounts, and rewards to incentivize repeat purchases.

Social Media and Community Platforms

• LinkedIn: LinkedIn encourages users to complete their profiles, connect with others, and endorse skills. These actions contribute to their “profile strength,” creating a sense of achievement.
• Reddit: Reddit’s karma system and badges motivate users to participate in discussions and contribute valuable content.

Productivity and Task Management Tools

• Todoist: Todoist awards users with points and levels for completing tasks. The visual progress and sense of accomplishment keep users engaged.
• Habitica: Habitica turns productivity into a game, where users create avatars, earn rewards, and level up by completing real-life tasks.

Mobile Games and Entertainment Apps

• Candy Crush Saga: The addictive gameplay, levels, and rewards in Candy Crush exemplify gamification.
• Pokémon GO: The augmented reality game encourages players to explore their surroundings, catch Pokémon, and participate in events.

Employee Engagement and Training

• Salesforce: Salesforce uses gamification to motivate sales teams. Leaderboards, badges, and challenges drive healthy competition.
• Onboarding Programs: Companies use gamified modules to train new employees effectively

Each industry and product can tailor gamification elements to suit their specific goals and audience.

Moving towards an engaged, motivated workforce

For organizations looking to strengthen their cybersecurity defenses, applying gamification based on the Octalysis Framework could be the key to not only improving engagement and participation rates, but also fostering a proactive, security-conscious workplace culture.

To delve deeper into this transformative approach, Yu-kai Chou's book "Actionable Gamification: Beyond Points, Badges, and Leaderboards" and his upcoming publications are highly recommended.

As the field evolves, staying up-to-date and implementing these educational techniques could make all the difference in a world increasingly threatened by digital adversaries.