What awareness gamification programs can learn from Pokemon Go

Pokemon Go demonstrates why most awareness gamification efforts really aren’t gamification

Pokemon Go has become a social icon. It is the subject of major news stories, the butt of many jokes, and has lately become a foundation for many vendors equating the game to their own gamification efforts.

Most people do not understand gamification, and inevitably vendors and people misuse the term and overuse it inappropriately. Gamification is essentially rewarding people for exhibiting a desired behavior. It is not merely creating a game for people to play, nor making training a game.

At the moment, the only intended gamification of Pokemon Go is to encourage people to spend money within the game. There are potentially future uses of the game, such as to get people to spend money at partner vendors. For now however, most gamification is exploiting the phenomenon by third parties.

[ ALSO ON CSO: Pokemon Go: What security awareness programs should be doing now ]

Many businesses that are within range of PokeStops purchase “lures” that can attract patrons, as well as Pokemon. Patrons are rewarded with the potential to catch more Pokemon by visiting, and ideally patronizing, the business. The desired behavior is patronizing the establishment, and the reward is the opportunity to catch more Pokemon.

Pokemon is also a great way to get people outdoors and exercising. A large part of the game requires that people travel to real world locations. To hatch eggs, which is a significant aspect of the game, people have to walk or bike at a pace that is not reasonable to achieve without physical effort. As a matter of fact, people are generally rewarded for traveling faster through walking or biking. The game discounts distance traveled at speeds that might be achieved if traveling by car.

Anecdotally, you can see people out and about, playing Pokemon Go, who would otherwise apparently be playing video games in their home. Corporate wellness programs would be strongly advised to take advantage of the game’s phenomenon, and encourage people for reporting the distance traveled.

When I consider most of the self-proclaimed security awareness gamification efforts, I see that they do not truly understand what exactly is gamification. Gamification is not providing information through a game. Gamification is again rewarding people for exhibiting the desired behaviors in actual circumstances.

First, lets examine what is gamification. Gamification is the creation of a reward system. As I previously wrote, there are four required characteristics of a gamification program:

  1. There is a defined goal with defined rewards
  2. There are well established rules on how to achieve the goal and rewards
  3. There is feedback as to where people stand in achieving the goals
  4. Participation is voluntary

In Pokemon Go, the goal is to level up and catch Pokemon. You are informed how many points you need to level up, how to earn points, and how to catch Pokemon. This includes visiting real-world locations and walking/biking/skating/etc certain distances. You are constantly informed how many points you have earned, which Pokemon you caught, and where you are compared to your goals. And, nobody is forcing anyone to play the game.

While many vendors, as well as security practitioners, want to describe their gamification products/programs as a fun way to learn, the effort to provide information is not gamification. Again, gamification is about rewarding actual behaviors, not achieving a random learning objective.

All security practitioners should be aware that just because a user knows what is proper behavior, it doesn’t mean that they actually practice that behavior. For example, some vendors created games about how to tell if a password is strong. They then have in game contests to tell if a student can tell which passwords are strong, and which are weak. If a student knows that a good password has eight or more characters, the “game” issues them a certificate deeming them security aware. However, the only real judge of knowing if a person practices good security behaviors is to try to crack their password to see if it meets the specified procedures. Even then, it is difficult to tell if they reuse the password on multiple accounts, which is a weak security behavior.

Again, knowledge of desired security behaviors is not an indication that the individual will practice that behavior.

In another article, I wrote about the ABCs of behavioral science. Specifically, antecedents (in this case information) influences behavior. Behavior creates consequences, which in turn reinforces or discourages the behavior.

For example, if you burn your hand, you are significantly less likely to recreate the behavior that caused the burn. Science indicates that telling someone that they can burn hand is only 20 percent likely to generate the desired behavior, while the consequence of burning their hand will influence 80 percent of future behavior.

Most of what vendors refer to as gamification is actually just a simple game. They are using a game to convey information. Even if there are in-game rewards, it is still not gamification, as rewards in gamification must be conveyed for real-world behaviors.

So, as you consider Pokemon Go, you see that the game issues rewards for the real-world behaviors of visiting real-world locations, walking/exercising, and spending money. Clearly, spending money is a desired behavior. I have to assume from everything that I read that Niantic, the Pokemon Go creator, has a plan to monetize people visiting real-world locations. While I do not believe it is a business goal for Niantic to have people exercise, I do believe that organizations can use that for wellness programs.

In the meantime, Pokemon Go demonstrates the traits of a good gamification program. It demonstrates what you should be looking for when vendors or your staff describe their gamification efforts. Outside the security world, real gamification efforts are achieving immense success, so it is no wonder that many people and companies claim that they provide such a product. As you can see, gamification can be a very powerful tool to use. Just make sure that you implement actual gamification, and not just a more creative way to provide information. No matter how good the medium is, it will only have 25 percent of the effectiveness of a real gamification program.

Ira Winkler, CISSP can be contacted at www.securementem.com.

Join the CSO newsletter!

Error: Please check your email address.

More about CSO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ira Winkler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts