Gamification: Making cybersecurity awareness and professional development engaging

The cybersecurity threat landscape is constantly evolving. New attack vectors emerge weekly. This necessitates the adoption of strategies to engage and upskill teams on an ongoing basis.

Whether it’s raising general awareness about cybersecurity among your staff, or specific professional development training for your IT and development teams, there are many ways you can incorporate gamification to enhance your organisation’s cybersecurity posture.


Gamification to Raise General Awareness

It’s easy for staff to slump into a rut of boredom and complacency.

Getting your staff motivated to regularly learn new skills is a significant challenge in many organisations. This is particularly true when it comes to cybersecurity awareness training.

All too often non-technical staff see cybersecurity as ‘someone else’s problem’. There is an assumption the IT department will handle the issue.

Such attitudes are not only wrong, they can be dangerous for your organisation. With human error now one of the leading causes of cyber breaches, getting everyone on board when it comes to your organisation’s cybersecurity posture is essential.

A concerted effort is required to drive awareness among staff across the entire organisation. Building a security awareness culture, with specific emphasis on stopping phishing emails, is now a major priority for many organisations.

As a leading cybersecurity service provider, Shearwater is committed to helping organisations achieve a cyber-aware culture. Our recent webinar outlined the 3 Pillars that form the basis of cultural change within an organisation. If you haven’t yet had the opportunity to watch it, you should. It is filled with important strategies you can implement within your organisation.

One of the core pillars highlights the importance of engaging staff by winning hearts and minds.

Gamification can be a powerful tool to achieve this.

By incorporating game mechanics and game thinking as a component of training, gamification seeks to engage learners in interesting and fun ways. It encourages problem solving and motivates staff by introducing elements of competition and reward.



Shearwater’s Phriendly Phishing is a leading Australian training program that uses gamification elements to help organisations teach staff about email security.

Phishing email awareness is critically important. Attackers increasingly seek to exploit human error in order to infect your organisation’s IT infrastructure with malware, or to carry out Business Email Compromise (BEC) attacks.

Phriendly Phishing succeeds in educating staff because it injects fun and excitement into its training modules.

The training begins by imparting basic phishing knowledge. Then, through a series of fun learning modules that combine interactive elements of gamification, staff analyse a variety of phishing emails. This highly interactive course is scenario-based and aims to enhance the phishing detection skill of learners.

According to Damian Grace, founder of Phriendly Phishing, “Gamification is an important training methodology because it significantly boosts learner engagement. By implementing gamification, we can ensure learners achieve ‘wins’. This increases the effectiveness of the learning processes as studies show learners are motivated when they have a sense of achievement. By incorporating innovative and interactive gaming elements, learners acquire new skills and retain that knowledge for the long term.”


Gamification in Professional Development

Gamification is also a useful tool in professional development strategies.

With your IT and application development teams requiring ongoing training opportunities, gamification can be an ideal way to enable them to up-skill.



Application developers focus on developing great applications. However, all too often they either don’t take security issues into consideration, or they try to bolt on security measures at the end of the development pipeline, just before going live.

It’s essential to find ways to up-skill developers, so they have the necessary cybersecurity awareness to adopt a ‘shift-left’ approach and begin implementing security measures from the beginning of the development lifecycle.

That’s one of the main reasons we host the annual Shearwater Hackathon.
Hackathons are a great example of gamification, because they allow developers to participate in a fun and engaging competition whilst honing their security awareness skills. Also known as Capture-the-Flag challenges, hackathons typically involve uncovering and exploiting vulnerabilities in a simulated web application.

The recent Shearwater Hackathon attracted over 150 participants, many from leading Australian companies. Participating in a winnable competition, in which staff can earn recognition and prizes, is a great professional development strategy.

According to Shearwater’s Chief Strategy Officer, Shannon Lane, the best type of education is ‘learning by doing’. Hackathons encourage participants to “look at applications as an adversary would – underlining the significance good security controls have in the launch of products and services” said Mr Lane.



Training application developers about the importance of writing secure code is now on the radar for many organisations. It’s increasingly understood the first step to developing a secure application is writing high quality code. Shearwater is often called on to provide Secure Development Training as part of an organisation’s professional development initiatives for its application developers.

A useful benchmark when developing any web or mobile application is the OWASP list of common vulnerabilities. It outlines some of the most regularly seen attack vectors used by hackers.

So, OWASP’s decision to begin incorporating gamification as a strategy to raise awareness among developers about security is welcome news.

The new poker-like card game is designed to be an easy-to-learn introduction to the risk concepts of the OWASP Top Ten. It is designed to teach developers best practice security measures in an environment that reflects a sense of realism and excitement.

It pits black hats against white hats to see who can be the first to hack their opponent’s website.

Whilst this new game is still in development by OWASP, it’s further evidence that gamification is beginning to be incorporated into a wide range of cybersecurity professional development programs.



Even when a nation isn’t at war, the armed forces don’t stop training. Ongoing drills and exercises during peace time are essential to ensure the military is combat-ready whenever an attack occurs.

The same should be the case when it comes to your IT and SOC teams.

Through cyber-attack simulation games, you can ensure your organisation is ready to handle a wide range of real-life attack vectors.

Like hackathons, attack simulations are a form of gamification. They pit teams against each other in a competition to develop an incident response plan for a realistic cyber-attack.

Reports indicate that as many as 76% of Australian organisations do not have a formal cybersecurity incident response plan. Addressing this requires IT and SOC departments to have professional development training so they understand what elements comprise an incident response plan. This is where attack simulation games can be extremely useful for your organisation. They identify gaps within your organisational capacity to handle a cybersecurity breach.

Shearwater scholarship recipient, Margueritte Saboungi, recently participated in her first cyber-attack simulation game. Known as CyBCA, the exercise recreated a real-world incident in which an attacker had disabled all connections to a bank’s ATM network. Armed with some basic facts, such as the network configuration layout which detailed how the ATMs linked back to the bank’s servers, Saboungi and her team had just a few hours to develop a comprehensive incident response plan.

Incorporating gamification in the professional development of your IT and SOC teams will enhance your organisation’s security posture, test your ability to prevent attacks, and teach ways to handle breaches when they occur.


How Shearwater Can Help You

In a variety of different ways, gamification is increasingly prevalent in strategies to motivate staff to become more cyber aware and in efforts to enhance cybersecurity skills through professional development.

Shearwater specialises in a wide range of cybersecurity training services. Some, like our phishing awareness modules, already combine elements of gamification. Others, like our secure development training, can be combined with novel gamification elements to have a big impact on your staff.

Speak with Shearwater today to learn about training options for your organisation.