Pokemon Go has become a social icon. It is the subject of major news stories, the butt of many jokes, and has lately become a foundation for many vendors equating the game to their own gamification efforts.
Most people do not understand gamification, and inevitably vendors and people misuse the term and overuse it inappropriately. Gamification is essentially rewarding people for exhibiting a desired behavior. It is not merely creating a game for people to play, nor making training a game.
At the moment, the only intended gamification of Pokemon Go is to encourage people to spend money within the game. There are potentially future uses of the game, such as to get people to spend money at partner vendors. For now however, most gamification is exploiting the phenomenon by third parties.
[ ALSO ON CSO: Pokemon Go: What security awareness programs should be doing now ]
Many businesses that are within range of PokeStops purchase “lures” that can attract patrons, as well as Pokemon. Patrons are rewarded with the potential to catch more Pokemon by visiting, and ideally patronizing, the business. The desired behavior is patronizing the establishment, and the reward is the opportunity to catch more Pokemon.
Pokemon is also a great way to get people outdoors and exercising. A large part of the game requires that people travel to real world locations. To hatch eggs, which is a significant aspect of the game, people have to walk or bike at a pace that is not reasonable to achieve without physical effort. As a matter of fact, people are generally rewarded for traveling faster through walking or biking. The game discounts distance traveled at speeds that might be achieved if traveling by car.
Anecdotally, you can see people out and about, playing Pokemon Go, who would otherwise apparently be playing video games in their home. Corporate wellness programs would be strongly advised to take advantage of the game’s phenomenon, and encourage people for reporting the distance traveled.
When I consider most of the self-proclaimed security awareness gamification efforts, I see that they do not truly understand what exactly is gamification. Gamification is not providing information through a game. Gamification is again rewarding people for exhibiting the desired behaviors in actual circumstances.
First, lets examine what is gamification. Gamification is the creation of a reward system. As I previously wrote, there are four required characteristics of a gamification program:
- There is a defined goal with defined rewards
- There are well established rules on how to achieve the goal and rewards
- There is feedback as to where people stand in achieving the goals
- Participation is voluntary
In Pokemon Go, the goal is to level up and catch Pokemon. You are informed how many points you need to level up, how to earn points, and how to catch Pokemon. This includes visiting real-world locations and walking/biking/skating/etc certain distances. You are constantly informed how many points you have earned, which Pokemon you caught, and where you are compared to your goals. And, nobody is forcing anyone to play the game.
While many vendors, as well as security practitioners, want to describe their gamification products/programs as a fun way to learn, the effort to provide information is not gamification. Again, gamification is about rewarding actual behaviors, not achieving a random learning objective.
All security practitioners should be aware that just because a user knows what is proper behavior, it doesn’t mean that they actually practice that behavior. For example, some vendors created games about how to tell if a password is strong. They then have in game contests to tell if a student can tell which passwords are strong, and which are weak. If a student knows that a good password has eight or more characters, the “game” issues them a certificate deeming them security aware. However, the only real judge of knowing if a person practices good security behaviors is to try to crack their password to see if it meets the specified procedures. Even then, it is difficult to tell if they reuse the password on multiple accounts, which is a weak security behavior.
Again, knowledge of desired security behaviors is not an indication that the individual will practice that behavior.
In another article, I wrote about the ABCs of behavioral science. Specifically, antecedents (in this case information) influences behavior. Behavior creates consequences, which in turn reinforces or discourages the behavior.
For example, if you burn your hand, you are significantly less likely to recreate the behavior that caused the burn. Science indicates that telling someone that they can burn hand is only 20 percent likely to generate the desired behavior, while the consequence of burning their hand will influence 80 percent of future behavior.
Most of what vendors refer to as gamification is actually just a simple game. They are using a game to convey information. Even if there are in-game rewards, it is still not gamification, as rewards in gamification must be conveyed for real-world behaviors.
So, as you consider Pokemon Go, you see that the game issues rewards for the real-world behaviors of visiting real-world locations, walking/exercising, and spending money. Clearly, spending money is a desired behavior. I have to assume from everything that I read that Niantic, the Pokemon Go creator, has a plan to monetize people visiting real-world locations. While I do not believe it is a business goal for Niantic to have people exercise, I do believe that organizations can use that for wellness programs.
In the meantime, Pokemon Go demonstrates the traits of a good gamification program. It demonstrates what you should be looking for when vendors or your staff describe their gamification efforts. Outside the security world, real gamification efforts are achieving immense success, so it is no wonder that many people and companies claim that they provide such a product. As you can see, gamification can be a very powerful tool to use. Just make sure that you implement actual gamification, and not just a more creative way to provide information. No matter how good the medium is, it will only have 25 percent of the effectiveness of a real gamification program.
Ira Winkler, CISSP can be contacted at www.securementem.com.