May 1

Boosting Cybersecurity in German SMEs with Gamification and Serious Play

TL;DR

Gamified cybersecurity training offers an engaging and effective way to improve security awareness and practices within German SMEs. The ALARM Information Security project demonstrates the success of integrating gamification into training, enhancing retention and understanding of cybersecurity principles. By leveraging customized game scenarios, regular workshops, and participatory feedback loops, SMEs can bolster their cybersecurity posture and build a security-first culture. Gamified training can involve significant costs, but the ALARM project offers all of the materials it generated free of charge for non-commercial use. The future of cybersecurity training looks promising with advances in AI and VR, making gamified approaches even more impactful.

Introduction: Why Gamification Matters in Cybersecurity for SMEs

In today’s digital era, cybersecurity stands as a critical pillar for the survival and success of small and medium-sized enterprises (SMEs) across Germany. With an increasing reliance on digital technologies, businesses face cyber threats that can compromise sensitive data, disrupt operations, and inflict severe financial and reputational damage. Despite their pivotal role in the national economy, SMEs often find themselves underprepared to handle such threats due to limited resources and cybersecurity expertise.

In this ever-evolving landscape of cyber threats, SMEs are increasingly recognizing the importance of robust information security awareness training (ISAT). Traditional cybersecurity training methods can often be uninspiring, leading to a lack of employee engagement and retention. However, a novel approach is gaining traction: the integration of gamification and serious play into ISAT.

This article was especially inspired by the publication of a résumé after three years’ practice of "ALARM Information Security" by Margit Christa Scholl from TH Wildau and one quote in particular:

The use of technology is essential, but, without people, a security process will not work or be viable. When developing analog and digital learning scenarios (serious games / realistic simulations) for information security awareness, we discovered that the term “gamification” is largely unknown in German SMEs and needs to be explained first. (Scholl, 2024)

Cybersecurity in German SMEs: Current Challenges and Threats

Small and medium-sized enterprises (SMEs) in Germany are increasingly targeted by cybercriminals due to their often limited cybersecurity measures compared to larger corporations. This is not a phenomenon exclusive to Germany!

Here are some relevant statistics and studies from around the world highlighting the critical role of cybersecurity in this size of enterprises:

  1. A systematic review indicated that many SMEs significantly underestimate their cybersecurity threats, leading to increased vulnerabilities and risks. The study highlighted the need for better management understanding and stronger cybersecurity practices within SMEs to mitigate these risks (Alahmari & Duncan, 2020).

  2. Another study described the impact of cybersecurity practices on cyberattack damage, emphasizing that effective security measures can significantly reduce financial damage, loss of sensitive data, and restoration time after an attack. This underscores the importance of comprehensive cybersecurity strategies tailored to the unique needs of SMEs (Alharbi et al., 2021).

  3. The cybersecurity landscape for SMEs is evolving rapidly with the advancement of Industry 4.0, making them susceptible to sophisticated cyber threats. This evolution demands proactive cybersecurity measures to protect their digital assets and maintain business continuity (Wallang et al., 2022).

  4. Research has also shown that SMEs are the new prime targets for cyberattacks in the smart-home/office sector, illustrating the need for robust and resilient cybersecurity solutions that can adapt to the rapidly changing threat landscape (Vakakis et al., 2019).

These studies collectively highlight the critical role of cybersecurity in German SMEs, demonstrating the pressing need for enhanced security practices to safeguard their operations from increasing cyber threats.

Moreover, as the backbone of Germany’s economy, representing a vast majority of total businesses and employing millions, the cybersecurity resilience of SMEs is not just a private concern but a national economic security issue. Enhancing their cybersecurity measures is therefore imperative, not only to protect individual enterprises but also to safeguard the broader economic landscape.

So let’s delve into how gamification — an innovative but already proven learning approach — can revolutionize cybersecurity training within your SME, turning a routine compliance necessity into an engaging, effective tool for enhancing security awareness and behaviors.

Understanding Gamification’s Role in Cybersecurity Training

Gamification:
Gamification involves applying game-design elements and principles in non-game contexts to enhance user engagement, motivation, and retention. This innovative approach harnesses the intrinsic allure of games — such as scoring points, competing with others, and following rules of play — to make learning and other activities more enjoyable and immersive.

In the context of cybersecurity training, gamification is particularly relevant as it transforms traditional, often tedious learning processes into dynamic, interactive experiences. For SMEs, where resources for extensive training might be limited, gamification can provide a cost-effective solution to enhance employees’ understanding and retention of complex cybersecurity concepts.

Key Principles of Gamification in Cybersecurity

The core principles of gamification include goal setting, real-time feedback, transparency, voluntary participation, and a narrative structure that guides the user experience.

Gamification supports information retention by involving learners in hands-on scenarios that require active decision-making and problem-solving, thereby reinforcing knowledge through practice.

By aligning learning objectives with game mechanics, gamification not only enhances motivation but also fosters a deeper connection to the content, making it an effective strategy in modern educational and professional development programs.

Successful Applications of Gamification in Different Industries

Here are some examples of successful gamification implementations across various industries, demonstrating the wide-ranging benefits of this approach:

  1. Analyzing Students’ Self-Perception of Success and Learning Effectiveness Using Gamification in an Online Cybersecurity Course
    This study designed a cybersecurity game based on cognitive constructivism learning theory and found that realistic game design and contextualization significantly impact students’ self-perception of success. The game also correlated with higher success rates in the course, suggesting that gamification can improve engagement and knowledge consolidation in cybersecurity education (Ros et al., 2020).

  2. Successful Gamification of Cybersecurity Training
    A serious game designed for cybersecurity training was shown to result in higher self-reported scores on attitudes, perceived behavioral control, intentions, and behavior compared to non-cybersecurity games. This indicates that gamification can effectively enhance the behavioral aspect of cybersecurity (T. Steen & Julia R A Deeleman, 2021).

  3. Gamification of cyber ranges in cybersecurity education
    Cyber ranges offer virtualized environments for practical cybersecurity training. Gamification of these environments has been used to improve student enthusiasm, increase information uptake and retention, and motivate students to engage in learning activities (Martin Jelo & P. Helebrandt, 2022).

  4. Enhancing Cyber Security Education and Training through Gamification
    This research developed standardized methodologies and algorithms to evaluate trainees’ performance in gamified cybersecurity education. It also explored the potential of an AI-assisted co-pilot system for personalized training, showing that gamification can enrich learning experiences and outcomes (Iasonas Diakoumakos, 2023).

  5. Gamification in Cybersecurity Education: The RAD-SIM Framework for Effective Learning
    The RAD-SIM framework was proposed for designing behaviorally effective cybersecurity games. This framework combines psychological and behavioral principles with learning theories to facilitate practical game-based learning, increasing engagement and knowledge retention (Lily Thompson et al., 2022).

  6. Gamification of cybersecurity training
    A virtual cybersecurity escape room based on the Octalysis gamification framework was developed, which improved user engagement and knowledge retention. Playtesting results and experimental quantification based on eight gamification metrics were shared (C. DeCusatis et al., 2022).

These examples illustrate gamification’s versatility as a tool for improving engagement and outcomes across a broad spectrum of activities, demonstrating its potential as a transformative strategy in various sectors.

Case Study: The ALARM Project’s Success in Cybersecurity

Inside the ALARM Project: An Overview

The "ALARM Information Security" project, officially titled "Awareness Labor KMU (ALARM) Informationssicherheit," aimed to enhance information security within German small and medium-sized enterprises (SMEs) through interactive and practical personnel development and comprehensive security analysis. This project was particularly significant due to its timing, being conducted during the COVID-19 pandemic, which presented unique challenges and required innovative approaches to achieve its goals. The project spanned three years and involved iterative testing, adaptation, and refinement of its methods in real-world SME settings.

One of the key lessons from the ALARM project was the effectiveness of integrating gamified elements into security training. This approach significantly increased engagement and retention of information among participants.

The ALARM project was funded by the German Federal Ministry for Economic Affairs and Climate Action and was carried out by the Technical University of Wildau along with various partners and collaborators. It ran from October 2020 to March 2024, extending slightly beyond its original end date to accommodate delays and additional developments.

Materials Provided: Along with the training scenarios and games, the project also developed a digital self-test for employees, an additional serious password-hacking game, and numerous publications in both German and English, disseminating the findings and tools to a broader audience.
By the project’s conclusion, all materials developed were made freely available for non-commercial use, ensuring lasting benefits beyond the participant group as well as widespread accessibility and implementation across German SMEs.

Key Outcomes and Lessons from the ALARM Project

Outcomes:

  • Enhanced security awareness among SME executives and employees.
  • Developed comprehensive, actionable strategies tailored for SME needs.
  • Offered a suite of tools and resources, free of charge, to facilitate ongoing security education and preparedness.

Lessons Learned:

  • The integration of serious games significantly improved engagement and retention of cybersecurity principles.
  • Real-world testing within SMEs was crucial in refining the tools and methods, highlighting the importance of feedback in developmental phases.
  • The project underscored the necessity of continuous education and proactive cybersecurity measures, rather than reactive strategies.

Testimonials and Feedback from Participants

Participants provided positive feedback about the project’s approach and outcomes:

  • Many noted the practical relevance of the training scenarios, which helped them understand and implement better security practices.
  • The serious games were particularly well-received, offering an interactive and engaging way to learn complex security concepts.
  • Executives appreciated the comprehensive resources and the autonomy the project promoted within their companies for ongoing security management.

The ALARM project not only equipped SMEs with crucial security skills but also fostered a culture of cybersecurity awareness that is expected to yield long-term benefits. Its innovative approach serves as a model for similar initiatives globally, demonstrating the effectiveness of interactive, participatory learning in cybersecurity education.

The project also underscored the need for ongoing education and proactive measures in cybersecurity, moving beyond reactive strategies.

Key Lessons from the ALARM Project for Your SME

Implementing the lessons learned from the ALARM Information Security Project into the Information Technology Security Awareness (ITSA) strategies of your SME can be a transformative step towards enhancing your cybersecurity posture. Here are detailed strategies and steps for integration:

1. Adoption of Gamified Learning Methods

The ALARM project demonstrated the effectiveness of using serious games to enhance cybersecurity awareness. German SMEs can adopt this approach by:

  • Developing Custom Serious Games: Tailoring game scenarios to reflect common security challenges faced by the SME, which helps in engaging employees with relevant and practical content. Make use of the suite of tools and resources provided free of charge by the ALARM project.
  • Regular Gaming Sessions: Organizing periodic security workshops where employees can participate in these games, thereby reinforcing security concepts and procedures in an engaging manner.

2. Participatory Design and Feedback Loops

The iterative and participatory approach of the ALARM project ensures that training materials are continuously improved based on user feedback. SMEs can implement this by:

  • Involving Employees in the Creation Process: Engaging a diverse group of employees in the development and testing of security awareness materials to ensure they are understandable and applicable across all levels of the organization.
  • Regular Feedback Mechanisms: Establishing channels through which employees can provide feedback on the training materials and sessions, allowing for ongoing improvements and updates.

3. Integration of Analog and Digital Training Tools

Combining both analog and digital training tools can cater to different learning preferences and enhance the overall training experience. SMEs can integrate these tools by:

  • Blended Learning Approaches: Using digital platforms for delivering theoretical knowledge and analog tools, like board games or card games, for interactive sessions that reinforce the digital content.
  • Accessibility of Digital Resources: Making all training materials available on an internal platform so that employees can access them anytime, reinforcing learning outside of structured training sessions.

4. Real-World Simulations and On-Site Attacks

Simulating real-world cybersecurity threats can prepare employees for actual incidents, which SMEs can adopt by:

  • Regular Cyber Drill Exercises: Conducting scheduled cyber drills to test the response of employees to simulated cybersecurity incidents, such as phishing or ransomware attacks.
  • Use of Ethical Hackers: Employing ethical hackers to test the defenses of the SME, providing a real-world perspective on the effectiveness of current security measures and training.

5. Ongoing Awareness and Maturity Measurements

Continuously measuring the effectiveness of ITSA initiatives is crucial for long-term improvement. SMEs can implement this by:

  • Setting Benchmarks and Goals: Establishing clear, measurable goals for cybersecurity awareness and conducting regular assessments to measure progress.
  • Awareness Metrics and KPIs: Developing key performance indicators (KPIs) related to IT security awareness, such as incident response times, employee phishing report rate, and other relevant metrics.

6. Creating a Security-First Culture

Building a company-wide culture that prioritizes information security is essential. SMEs can foster this culture by:

  • Regular Updates and Communication: Keeping security policies and practices regularly updated and clearly communicating any changes to all employees.
  • Rewarding Compliance and Awareness: Recognizing and rewarding employees who actively contribute to cybersecurity efforts, encouraging their peers to follow suit.

By implementing these strategies, German SMEs can significantly enhance their cybersecurity awareness and resilience, leveraging the proven practices and outcomes of the ALARM project. This not only protects the individual SME but also contributes to the broader goal of securing the German SME sector against evolving cyber threats.

Budgeting for Gamified Cybersecurity Training

To budget effectively for gamified cybersecurity training, SMEs need a nuanced understanding of the potential costs associated with various approaches. Research indicates that the cost-effectiveness of gamified training lies in its ability to increase employee engagement and retention, reducing the need for repeated or additional training.

  1. Platform and Software Costs:
    The cost of gamified training platforms and software varies widely based on features and scale. A research study by Travis D. Ashley et al. (2022) found that the upfront investment in a sophisticated platform can range from $5,000 to $20,000, with annual maintenance costs around $1,000 to $5,000. These costs can be offset by the platform’s ability to effectively train large numbers of employees.

  2. Custom Development Costs:
    Developing custom gamified training content tailored to specific SME needs involves significant costs. Alharbi et al. (2021) noted that the development of custom games could exceed $50,000, but this investment can be justified if it results in a significant improvement in cybersecurity awareness and resilience.
    That is why making all materials developed by the ALARM project freely available for non-commercial use is a great benefit for German SMEs.

  3. Instructor and Facilitator Fees:
    Depending on the complexity of the gamified training, the fees for instructors and facilitators may vary. Studies like those from Wallang et al. (2022) emphasize the importance of expert facilitation to maximize the effectiveness of the training, which can cost around $1,000 to $10,000 for specialized trainers.
    On the other hand, such a specialist might help to quickly overcome some challenges in implementing gamified training, such as resistance to change or technical barriers, and therefore justify the investment.

  4. Licensing and Subscription Fees:
    Research indicates that gamified training platforms often come with subscription fees ranging from $100 to $2,000 per user per year, depending on the tool’s complexity and features (Ros et al., 2020).

  5. Time and Productivity Costs:
    Vakakis et al. (2019) noted that training can indirectly incur costs through reduced productivity as employees participate in training sessions. Gamified training, however, tends to engage employees more effectively and efficiently, leading to shorter training periods and less downtime.

  6. Return on Investment (ROI):
    Studies have shown that gamified training has a high ROI due to its effectiveness in improving cybersecurity awareness. For instance, research by Lily Thompson et al. (2022) demonstrated a significant increase in security compliance rates post-training, which helps justify the upfront costs.

SMEs should weigh these potential costs against the benefits of improved cybersecurity posture, reduced training time, and enhanced engagement. The long-term gains in security awareness and resilience may often justify the initial investment.

The Future of Gamified Cybersecurity Training

The future of gamified cybersecurity training is a fascinating and rapidly evolving field that promises to revolutionize how individuals and organizations approach the development of cybersecurity skills. Emerging trends in gamification and cybersecurity are closely linked, as gamification techniques are increasingly being applied to enhance the learning experience in cybersecurity education (Iasonas Diakoumakos, 2023; Martin Jelo & P. Helebrandt, 2022).

The use of game design elements in non-game contexts, particularly in education, has been shown to increase student enthusiasm, information retention, and engagement (Martin Jelo & P. Helebrandt, 2022). This is particularly important in cybersecurity, where the pace of change is relentless and the need for skilled professionals is growing.

Technological advancements such as artificial intelligence (AI) and virtual reality (VR) are poised to further enhance the gamification of cybersecurity training. AI can be leveraged to create personalized learning experiences, adapting to the skill level of the trainee and providing tailored challenges that guide learners towards areas that need improvement (Iasonas Diakoumakos, 2023). VR, on the other hand, offers an immersive environment where learners can practice their skills in a realistic, yet controlled and safe, virtual world (Al-Karaki et al., 2023). This combination of AI and VR can create a highly engaging and effective learning environment that can simulate real-world cybersecurity scenarios.

SMEs must stay ahead in cybersecurity training to protect their digital assets and maintain a competitive edge. Strategies for SMEs to stay ahead include adopting gamified training platforms that are affordable and easy to use, such as freemium gamified platforms. These platforms can provide SMEs with the ability to train their staff effectively without incurring significant costs. Additionally, SMEs can benefit from cybersecurity learning factories, which offer practical training and knowledge sharing in a low-cost solution that replicates real working environments (Veerasamy et al., 2023).

In conclusion, the future of gamified cybersecurity training is bright, with innovative technologies and strategies making it more accessible and effective than ever before. By embracing these trends, SMEs can ensure that their workforce is equipped with the necessary skills to face the cybersecurity challenges of tomorrow.

Sources

  1. Alahmari, A., & Duncan, B. (2020). Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 1–5. https://doi.org/10.1109/CyberSA49311.2020.9139638
  2. ALARM – Security Awareness KMU. (n.d.). Retrieved May 1, 2024, from https://alarm.wildau.biz
  3. Alharbi, F., Alsulami, M., AL-Solami, A., Al-Otaibi, Y., Al-Osimi, M., Al-Qanor, F., & Al-Otaibi, K. (2021). The Impact of Cybersecurity Practices on Cyberattack Damage: The Perspective of Small Enterprises in Saudi Arabia. Sensors, 21(20), 6901. https://doi.org/10.3390/s21206901
  4. Al-Karaki, J. N., Itradat, A., & Mekonen, S. (2023). Immersive Cybersecurity Teaching/Training Using Gamification on the Metaverse: A Hands-On Case Study*. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), 0101–0108. https://doi.org/10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361297
  5. C. DeCusatis, E. Alvarico, & O. Dirahoui. (2022). Gamification of cybersecurity training. Proceedings of the 1st International Workshop on Gamification of Software Development, Verification, and Validation. https://doi.org/10.1145/3548771.3561409
  6. Iasonas Diakoumakos. (2023). Enhancing Cyber Security Education and Training through Gamification. Proceedings of the 2nd International Conference of the ACM Greek SIGCHI Chapter. https://doi.org/10.1145/3609987.3610016
  7. Lily Thompson, Nicholas Melendez, Justin S. Hempson-Jones, & Francesca Salvi. (2022). Gamification in Cybersecurity Education: The RAD-SIM Framework for Effective Learning. European Conference on Games Based Learning. https://doi.org/10.34190/ecgbl.16.1.504
  8. Martin Jelo & P. Helebrandt. (2022). Gamification of cyber ranges in cybersecurity education. 2022 20th International Conference on Emerging eLearning Technologies and Applications (ICETA), 280–285. https://doi.org/10.1109/ICETA57911.2022.9974714
  9. Ros, S., Gonzalez, S., Robles, A., Tobarra, Ll., Caminero, A., & Cano, J. (2020). Analyzing Students’ Self-Perception of Success and Learning Effectiveness Using Gamification in an Online Cybersecurity Course. IEEE Access, 8, 97718–97728. https://doi.org/10.1109/ACCESS.2020.2996361
  10. Scholl, M. C. (2024a). Résumé of the Gamified Increase in Security Awareness in German Small and Medium-Sized Businesses after Three Years’ Practice of „ALARM Information Security“. https://doi.org/10.13140/RG.2.2.13519.29600
  11. Scholl, M. C. (2024b). Schlussbericht des Projekts „Awareness Labor KMU (ALARM) Informationssicherheit“: Neue Wege für mehr Informationssicherheit in deutschen Klein- und mittelständischen Unternehmen.
  12. T. Steen & Julia R A Deeleman. (2021). Successful Gamification of Cybersecurity Training. Cyberpsychology, behavior and social networking. https://doi.org/10.1089/cyber.2020.0526
  13. Travis D. Ashley, Roger Kwon, S. Gourisetti, Charalampos Katsis, C. Bonebrake, & P. A. Boyd. (2022). Gamification of Cybersecurity for Workforce Development in Critical Infrastructure. IEEE Access, 10, 112487–112501. https://doi.org/10.1109/ACCESS.2022.3216711
  14. Vakakis, N., Nikolis, O., Ioannidis, D., Votis, K., & Tzovaras, D. (2019). Cybersecurity in SMEs: The Smart-Home/Office Use Case. 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), 1–7. https://doi.org/10.1109/CAMAD.2019.8858471
  15. Veerasamy, N., Mkhwanazi, T., & Khan, Z. (2023). Digital innovation through cybersecurity learning factories. European Conference on Knowledge Management, 24(2), 1383–1390. https://doi.org/10.34190/eckm.24.2.1551
  16. Wallang, M., Shariffuddin, M. D. K., & Mokhtar, M. (2022). CYBER SECURITY IN SMALL AND MEDIUM ENTERPRISES (SMEs): WHAT’S GOOD OR BAD? Journal of Governance and Development (JGD), 18(1), 75–87. https://doi.org/10.32890/jgd2022.18.1.5
