Usually when you build a product, you are building something that you believe people will actively want to use. You’re making a dating app, a social network, a music player, or something along those lines. People like those things!
But what do you do if you’re in the unusual situation of building a product that people don’t really want to use? This can happen when your target buyer isn’t the same as the end user. For example, if you’re building a product to help kids eat their vegetables, it is the parents who really want the product. The kids, ie your actual users, don’t. Vegetables are gross.
Faced with this challenge, product managers usually turn to a familiar trick: gamification. Make the vegetable eating app a game, give the kids points and rewards, and magically they’ll love it. Vegetables are suddenly cool and not gross!
Unfortunately, it isn’t that simple. And double unfortunately, for me at least, building a security awareness platform is a lot like making the kids-eat-their-vegetables app. Most people don’t want security awareness training, they just want to do their job in peace.
This blog post explains why gamification isn’t a solution to the challenges faced while building a security awareness platform, and then outlines the approach we have taken at Pistachio instead.
Gamification: When It Works
One of the best examples of gamification is Duolingo, which managed to turn learning a new language into a game. I will be out with friends at night and they’ll frantically open their phones to complete a Duolingo lesson before midnight in order to “keep their streak alive”. The benefit of keeping a streak alive is pretty trivial, and yet it seems important enough to some people to interrupt a night with friends over. Clearly gamification is working.
Other great examples of gamification are Fitbit’s step goal, Strava’s leaderboards, and Snapchat’s streaks. So, what do all of these have in common? The key is that people already care about the main goal of the product, like learning a new language, improving fitness, or keeping in touch with friends.
Importantly, no one is learning a new language because they want to keep a Duolingo streak alive. They’re learning a new language so that they can talk to their in-laws or visit a new country. The gamification element is there to help people to not fall off. This is true of the other examples as well. No one starts running so they can be on a Strava leaderboard, because if you don’t care about running you don’t care about Strava either.
Why Gamifying Security Awareness Does Not Work
Given that gamification works in contexts where the user cares about the main objective of the product, it is clear that a product can’t gamify its way to having kids eat vegetables. The vegetables will still be gross, and having a 10-day streak, 500 vegetable points, or being the top vegetable eater in the class just won’t matter.
This is also why you can’t gamify your way to a security culture within an organization. Most people just don’t care. They don’t care that they’re number one on an awareness training leaderboard. And they aren’t going to find a “spot the phish” game fun either. No matter what type of “fun” you incorporate into the product, let’s face it, you’re not building Zelda: Tears of the Kingdom here. It just isn’t going to be that fun.
Driving Engagement Without a Game
Building a security awareness platform isn’t an easy task from a product development perspective. Not only do the end users not really want our product, the target group for users is extremely broad, as it covers basically everyone who uses a computer in some form at work. We have users that like learning new things, we have users that just want to get through the day, we have users who are already cybersecurity experts, and we have users who think they’re too important to be doing the training.
Once we accept that the vast majority of our users don’t really care about cybersecurity, the best thing we can do isn’t to try to make it fun (because it won’t be), but rather to make it easy. Whether you love cybersecurity or hate it, you will appreciate convenience.
For Pistachio, that means not asking users to log in to a platform but rather sending training material directly via email. It means automatically adjusting to each user’s preferred language based on settings in Microsoft. It means picking out relevant training based on the user’s job, company, department, location, and software used, and adjusting the training and attacks to each user as they learn. And it means preferring simple, text-based content over videos and games.
It also means not sending users training and attacks they don’t need. If someone hasn’t fallen for any of our attacks that use subdomain tricks, we don’t need to send them training content about subdomains. And it means not spamming our users, too. When people show they “get it” we try to have fewer touch points so they can focus on their work without us getting in the way. We can’t make people enjoy cybersecurity awareness training, but we can make it as painless as possible for them. That is what we have tried to do, and that will always be the vision driving product development at Pistachio.
I think there are other plausible solutions in other contexts. For example, I don’t think convenience will be a big driver for the kids-eat-their-vegetables app. However, I think the approach is the same. Stop fighting the reality by trying to make everything into a game, and focus on what unites your users and how to make the overall experience less painful.