08 Jul 2021
Story image

Gamifying cybersecurity key to preventing attacks

By Shannon Williams

Gamifying cybersecurity is the key to preventing attacks, according to new reports from Balbix.

Cybersecurity incidents have increased exponentially in recent months, with Cybersecurity Ventures predicting cybercrime damages will total $6 trillion globally in 2021 - about $190,000 every second.

Most attacks are the result of individual user behaviour, such as passwords, which Balbix says is not surprising considering that 60% of employees fail a simple seven-question cybersecurity quiz. Fewer than 1% ace it.

According to Balbix, in order o increase education and participation among employees, security teams have turned to gamifying cybersecurity. Gamification involves leveraging people's natural desires for learning, mastery, competing, achievement, status, recognition, and rewards towards reducing an organisation's overall breach risk. 

"Many CISOs have found it very effective to use ad-hoc gamification in pushing down ownership of cyber-risk management to individual risk owners," Balbix says.

How security gamification works:

When a new (or recurring) threat emerges, every employee is notified about the situation and offered a remediation task that they need to complete, such as changing a password. Each required mitigating task has a value that reflects priority.

As risk owners complete tasks in a timely fashion, they are awarded points. The accumulation of points is what drives risk owners and also lets security teams measure the relative effectiveness of different risk owners. Public leaderboards and badges offer risk owners positive feedback for making changes and create a sense of common ownership.

Security teams can create quarterly or annual financial incentives for leaders. For example, a holder of a Risk Busting Ninja badge-of-honour may get free lunch, tickets to a show, or entered into a raffle for a free vacation.

Balbix is on the forefront of gamifying cybersecurity. One Balbix customer tied 10% of every employee's annual bonus to their personal password hygiene and clicking behaviour (phishing score). Balbix measured these metrics and provided recommendations to the employees each week to improve their score, which was reflected in a leaderboard. 

Chris Griffith, VP at Product at Balbix:, says security is everybody's responsibility in the enterprise, not just the security teams'. 

"Gamification takes advantage of people's inherent desire to be competitive, to be on top of the leaderboards and win," he says. 

"Security teams can create incentives for employees to strengthen their account passwords, for example," Griffith says. 

"Leaderboards create a sense of community and shared responsibility and meaningful prizes incentivise owning personal security. 

"Best of all, gamification makes security more fun and interactive for those who never think about security, which increases overall education."

"Salesforce was able to dramatically decrease their cyber risk from these two attack vectors by using gamification to align employee risk objectives," says Izak Mutlu, former CISO of Salesforce, now executive-in-residence at Shasta Ventures. 

Balbix CEO Gaurav Banga raffled a free vacation to Hawaii to employees who had kept up security best practices.

Recent stories
More stories