Cybersecurity, gamified: Can fun build better habits and protect users?
“Traditional training often feels like a drag, too theoretical, irrelevant or disconnected from daily work where people already feel overwhelmed and overloaded,” asserts Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa.
She says presenting employees with one-size-fits-all content that has little real-world application often fails to engage their attention or change their behaviour. “People forget information they don’t emotionally engage with or see relevance in. Worse, it does little to instil a true security mindset, the sort that turns passive participants into proactive defenders.”
Applying game-design elements, such as points, badges, leader boards and rewards, to cybersecurity training taps into our natural desire for achievement, competition and progress, she says.
“When learning feels like an exciting challenge rather than a chore, retention and engagement improve. It helps shift cybersecurity from a compliance burden to a personal skill to be proud of.”
Collard says there are sound behavioural and cognitive psychological principles that make gamification effective.
“When we achieve a goal the brain releases dopamine, activating its reward centres. That’s what makes gamified learning engaging — it feels good to make progress.”
Similarly, setting goals has multiple benefits. “When you introduce clear, incremental goals it increases motivation.” Social comparison is another psychological phenomenon which can be leveraged. “Leader boards and peer benchmarking appeal to our natural tendency for social comparison. When employees see how they stack up they often push themselves further.”
However, Collard believes the ultimate form of motivation is not rewards. “The best gamified security programmes go beyond badges and points. They tap into intrinsic motivators such as autonomy, mastery and purpose, which drive lasting behavioural change.”
From fitness to language apps
Other industries have successfully harnessed the power of gamification — from fitness reward programmes to educational apps. “By giving away free smoothies and coffees, Virgin Active and Discovery Vitality are encouraging their members to stay fit and healthy. Likewise, language apps such as Duolingo help learners keep track of their progress through streaks, leader boards and daily goals.” It's examples such as these that have inspired cybersecurity training firms to follow suit.
“One of our most popular security games is Spot the Phish, which we developed with Sanlam many years ago. It’s easy and fun to play, while teaching users what to look out for.” By swiping left or right, players are introduced to multiple phishing scenarios where they could be scammed. “I think its simplicity is what made it so successful.”
Another effective game she uses is a story-driven simulation where employees assume roles, such as a cybercriminal or a detective, and make choices that lead to different outcomes. “This sort of narrative immersion helps them grasp the real-world consequences of their actions,” Collard explains.
Turning passive employees into proactive defenders
But how do organisations move from compliance fatigue to security enthusiasm? Collard suggests starting small, such as a leader board for fastest reporting of simulated phishing emails or incorporating storytelling in games. Another recommendation is for organisations to track engagement among employees. “This identifies knowledge gaps and content can then be adapted accordingly.” This is crucial as the KnowBe4 Africa Human Risk Management Report 2025 revealed that more than 41% of responding organisations say their biggest challenge is measuring whether security awareness training works. This “confidence gap” highlights a disconnect between perceived awareness and readiness, meaning a workforce appearing trained on paper might be vulnerable in reality.
The report further highlights that traditional training frequency is often insufficient, with 29% of organisations conducting training annually and 39% biannually. This low frequency contributes to the “prevalence effect”, where infrequent exposure to even simulated threats makes employees less likely to detect real attacks. To counter this, gamified phishing simulations, when conducted more frequently, have been shown to directly correlate with measurable improvements in security behaviour. KnowBe4 says its research from more than 60,000 individual organisations worldwide, comprising 32-million individual users, confirms this — increased simulation frequency leads to better security habits.
By involving employees and rewarding their progress, meaningful behavioural change can occur. “Let your employees come up with their own team names because ownership increases participation. In rewards, offer them incentives or recognition for their achievements.
“The right application of gamification will increase participation and improve knowledge retention among your employees, resulting in a stronger security posture and a more positive security culture,” Collard says.
