Cybersecurity Starts with People: Training Employees to Protect Your Business

Cybersecurity is still one of the biggest challenges companies face today and one of the top priorities for CEOs. As artificial intelligence becomes more prevalent, CEOs fear its dual-use nature. While AI can bolster defenses, attackers can exploit it to develop more effective intrusion methods. Proactive investment in AI-driven security measures is essential to stay ahead of these evolving threats. 

Aside from a strong firewall, the most important way to prevent future attacks is to train employees. They’re often the ones responsible for letting a hacker access private data. 160 billion spam emails are being sent daily, and 2.3% of unwanted emails contain malicious content. 

A study by Stanford University researchers and a top cybersecurity organization reported that approximately 88% of all data breaches are caused by an employee mistake. Data breaches impose significant financial burdens on U.S. organizations. In 2024, the average cost of a data breach in the United States reached $9.36 million, maintaining its position as the highest globally. This figure reflects a 10% increase from the previous year, highlighting the escalating financial impact of such incidents.

What can you do?

First, ensure you have clear corporate policies in place as to how your employees can utilize the internet, download files, and manage email in the office and remotely. Then create a comprehensive training schedule that ensures all employees understand best practices in fending off would-be attackers. Content for cybersecurity changes quickly, so training is often key.

Instead of turning to traditional training methods, consider using more immersive solutions such as game-based training. At ELB Learning, we’ve seen how powerfully engaging games can be when it comes to training, especially in a time when capturing and holding attention is more challenging than ever. Whether used for awareness-building or behavior change, the key is delivering a compelling, relatable experience that encourages employees to think critically and take action.

Game Training Examples

Intuit set out to teach 3,000 employees its latest set of security protocols. The company enlisted an agency to create a game called Cloud Defense to help employees master cybersecurity. In the game, players must protect their database from malicious attacks while allowing “good” traffic to pass through the web infrastructure. With each level, the difficulty of the game increases. The game allows each player to learn about Amazon Web Services (AWS) security protocols. To make it more realistic, a “cut scene” news story (think CNN) is shown between each level about the threats a fictitious company is facing. The game tracks and displays scores in the form of a leaderboard and provides rewards and feedback along the way.

While Cloud Defense was created exclusively for Intuit employees, there are other games available for any company to leverage. One example is consulting firm PwC’s Game of Threats, a game designed to help executives assess their readiness to respond to a breach and practice taking precautions before and after an event. This fast-paced, head-to-head digital game simulates the experience of a company under a targeted cyberattack. Participants play the roles of both attackers and defenders, working against the clock to make high-impact decisions and ultimately beat their opponents. The game is intended to raise awareness of cybersecurity across all layers and divisions of a company.

If you prefer to dip your toes in the water, you might consider deploying a micro (logic, trivia, or word) game that focuses on cybersecurity without introducing stories and characters. Regardless of what game you deploy, consider these three questions before rolling it out:

1. What does success look like?

Recognizing performance is important, but before you can recognize it, you need to define it. What does success look like? Some examples are:

• Completion rates
• Repeat plays
• Comprehension
• Retention
• Collaboration
• Application of acquired knowledge

Once you’ve defined success, consider ways in which you can choose the right approach to games, points, badges, levels, power-ups, leaderboards, and rewards.

2. How can you turn your training from a ‘have to’ into a ‘want to’?

Mandatory training can be fun and exciting as long as you keep in mind the following strategies:

• Tell a story. We’ve found that people are more apt to connect with and recall content if it’s presented in the form of a story. Check out our off-the-shelf cybersecurity training course called HackOps. 
• Present a challenge. People like to prove themselves. Present them with character objections, physical barriers, or situational crises, and challenge them to overcome one or more of these in your training playground.
• Don’t make it too difficult. Make the experience fun and challenging, but not so hard that your learners give up before they learn new information or practice critical skills.
• Make it attractive. Visual design is important because, unfortunately, people do judge books by their covers.
• Keep it simple and short. The shorter your training, the better. Break it into bite-sized content that learners can engage in one or multiple sessions at a time.

3. Should you buy or build?

Games are an effective form of training and can increase engagement, comprehension, and retention. When considering training games, companies have three choices:

• Buy a pre-existing game. PwC’s Game of Threats is a great example of a game that has been built once and sold dozens of times.
• Build a custom game. This requires game designers, visual designers, software engineers, and a producer to keep everything on track, on budget, and on time. While some companies have the resources to do this in-house, most are well-served to hire an experienced game developer to do it for them. Learn more about our custom games here.
• Build a templated game. Companies can add their own content to existing game templates to make their training stickier and more fun. The Training Arcade® game-authoring tool allows for a little customization at a lower cost.

Think about your team and what will inspire them to stick with your material until they have mastered it. If you can do this, your employees will likely convert from passive to active learners and master the skills you consider critical. It’s impossible to eliminate cyberattacks, but training games can provide the skills and tools employees need to alter behavior and reduce company risk.