While many vendors, as well as security practitioners, want to describe their gamification products/programs as a fun way to learn, the effort to provide information is not gamification. Again, gamification is about rewarding actual behaviors, not achieving a random learning objective.
All security practitioners should be aware that just because a user knows what is proper behavior, it doesn’t mean that they actually practice that behavior. For example, some vendors created games about how to tell if a password is strong. They then have in game contests to tell if a student can tell which passwords are strong, and which are weak. If a student knows that a good password has eight or more characters, the “game” issues them a certificate deeming them security aware. However, the only real judge of knowing if a person practices good security behaviors is to try to crack their password to see if it meets the specified procedures. Even then, it is difficult to tell if they reuse the password on multiple accounts, which is a weak security behavior.
Again, knowledge of desired security behaviors is not an indication that the individual will practice that behavior.
In another article, I wrote about the ABCs of behavioral science. Specifically, antecedents (in this case information) influences behavior. Behavior creates consequences, which in turn reinforces or discourages the behavior.
For example, if you burn your hand, you are significantly less likely to recreate the behavior that caused the burn. Science indicates that telling someone that they can burn hand is only 20 percent likely to generate the desired behavior, while the consequence of burning their hand will influence 80 percent of future behavior.
Most of what vendors refer to as gamification is actually just a simple game. They are using a game to convey information. Even if there are in-game rewards, it is still not gamification, as rewards in gamification must be conveyed for real-world behaviors.
So, as you consider Pokemon Go, you see that the game issues rewards for the real-world behaviors of visiting real-world locations, walking/exercising, and spending money. Clearly, spending money is a desired behavior. I have to assume from everything that I read that Niantic, the Pokemon Go creator, has a plan to monetize people visiting real-world locations. While I do not believe it is a business goal for Niantic to have people exercise, I do believe that organizations can use that for wellness programs.
In the meantime, Pokemon Go demonstrates the traits of a good gamification program. It demonstrates what you should be looking for when vendors or your staff describe their gamification efforts. Outside the security world, real gamification efforts are achieving immense success, so it is no wonder that many people and companies claim that they provide such a product. As you can see, gamification can be a very powerful tool to use. Just make sure that you implement actual gamification, and not just a more creative way to provide information. No matter how good the medium is, it will only have 25 percent of the effectiveness of a real gamification program.
Sign up for Computerworld eNewsletters.