Efforts to raise awareness about cyber security can only succeed if they take into account how human behaviour changes over time – which underscores why it’s crucial to consider how these efforts are presented. Consequently, gamification is coming increasingly to the fore. The Cyber Security Coalition can play a pivotal role in this, asserts Anastasiya Tretyak, cyber security culture and awareness expert at EY Consulting, and an active member of the Coalition’s Awareness Focus Group.
"Gamification will continue to be a key component of the cyber security of the future"
“When I joined EY, it quickly became clear that security awareness would be my area of expertise. As soon as I realised the importance of the human factor in cyber security, it became my absolute passion,” Anastasiya shares. “Through this role, I had the opportunity to participate in the plenary sessions of the Awareness Focus Group, as well as several subgroups.”
“The Coalition creates an environment where companies are more willing to share their experiences than they would when reporting publicly or engaging with the press, which makes its added value evident,” she continues. “This increase in expertise, in turn, leads to improved threat intelligence and prevention. We clearly see that the Coalition as a whole is growing into its role.”
The added value of the Coalition also translates into actionable deliverables, according to Anastasiya. “Within the Work Group Secure Metrics, for instance, we developed a Secure Behaviour Framework, freely accessible to everyone. It details 400 behaviours expected from people to secure information, alongside human risk metrics to measure the success of awareness initiatives. The framework reflects the dozens of hours of input from the awareness experts involved. It’s clear that the Coalition strives to reinforce security of both organisations and citizens at a national level.”
The dynamics of behavioural change
Anastasiya emphasises the critical importance of ongoing efforts to increase awareness. “The vast majority of cyber attacks happen because of human error. Yet, most companies tend to focus on technological controls and processes, often neglecting the human factor,” she notes.
The argument often made is that many security awareness initiatives yield little impact, as they fail to drive meaningful behavioural change. “But that’s not accurate. These efforts fall short because they are designed the wrong way: they can be too directive and even come across as aggressive. In other words, they fail to account for how behavioural changes can be achieved. That narrative is highly counterproductive.”
The added value of gamification
Fostering real behavioural change requires a better understanding of how people make decisions. A crucial tool to support this is gamification. “Gamification allows you to tap into people’s basic motivations, both intrinsic and extrinsic. It’s not just about the competitive or interactive elements; it’s also about evoking emotions. The reality is that people are far more likely to remember how something made them feel than a list of dry facts.”
In practical terms, this means focusing more on initiatives such as cyber security board games, escape rooms illustrating how hackers operate, or chatbots explaining ransomware. “When designed and implemented correctly, these approaches are far more engaging and, consequently, much more effective than, for instance, a standard e-learning module. This has been confirmed by numerous studies: gamification does drive behavioural change,” Anastasiya concludes.
