News Brief #5: Gamification in cyber-security training: major approaches and challenges

The COVID-19 pandemic resulted in an increasing need for digitalisation and the urgent adoption of emerging internet-based technologies from multiple users, ranging from casual to professional use. To this end, a variety of different systems exist, either lightweight self-paced platforms or large-scale environments that are able to simulate real world incidents and assist the learning and training procedure of users. Different platforms are developed for different age groups and the knowledge depth that each one provides is adapted accordingly. Regardless of their differences, all these platforms share a common goal: attract the interest of users, educate them, and offer them the necessary knowledge to avoid or defend themselves and their assets against malicious actions.


To attract the users’ interest and engage them with their learning material or practice scenarios while at the same time concealing the dull procedure of learning, multiple training platforms apply gamification mechanisms to their systems. However, deciding which gamification techniques to apply to a specific platform is a demanding goal, which is bound to the platform’s characteristics and relevance to the audience of interest.

Main Challenges

In a gamified system, users must be confronted as players to formally analyse their goals and motivation factors to apply a relevant taxonomy. [1]Bartle suggests four distinct player types in respect to the user’s psychology: (1) The Achiever, (2) The Explorer, (3) The Socializer and (4) The Killer, whilst Marczewski [2]suggested which elements can be situationally used based on each user type. A platform willing to implement serious gamification should provide multiple elements; the more components provided, the more possibilities for the users to be attracted. However, since each platform uses its own mechanisms, hosting different groups of people and considering their background and needs, it is very challenging to create a generalized gamification method and apply global norms.

To create a gamification scheme, several steps need to be considered prior to its implementation. It requires the platform creators to perform relevant research about the gamification methods, to reflect the desired educational outcomes and connect them to the gamification schemes, which can be a costly and time-consuming procedure. Although multiple gamification elements can be used in a variety of concepts, their exact implementation to perfectly fit and achieve the desired outcomes is an important step towards meaningful gamification. No standardization method to create a gamified platform exists, however there are some guidelines that one can respect to achieve better results in respect to a variety of metrics, such as the targeted audience, the material hosted by the platform and the overalls platform’s expansion possibilities.

The FORESIGHT facilitates a variety of distinct CR platforms that share their own scoring and evaluation mechanisms. For each platform not only different metrics were considered for the final user evaluation but each one had its own weight distribution even for commonly used metrics. However, being a federated environment, a global gamification and evaluation schema should be designed, able to compare and evaluate users in a pre-defined metrics, regardless the source of an exercise, as well as to respect the initial configurations of each unique CR. Additionally, the FORESIGHT platform hosts users of different background and specialization, whilst also long-term or short-term users, referring to trainees that will engage with the platform for a few days or weeks, to users that will engage for many months. These characteristics consolidate multiple distinct groups of users, with each group needing to be addressed uniquely to attract their interest. Considering all the prerequisites, a gamification schema is implemented along with normalization mechanisms in respect to these axes to reflect the platform’s needs and user characteristics, and relevant research whilst developing all necessary tools, resulted in the following tips to be considered while creating a gamification mechanism.


Use core game elements.

Regardless of the platform type, the targeted audience, and the game implementation there are 7 core mechanics that can be used in all areas: (1) Badges, (2) Leveling systems, (3) Leaderboards, (4) Progress Bars, (5) Virtual Currencies, (6) Awards, and (7) Challenges. Additionally, to those seven core mechanics, to determine the trainee’s progression and performance, Points are used as an overall grading mechanism and the Story-Line technique is used to attract both professional and non-professional users, used to present the dilemma, or the task needed to be solved by the user, creating a more appealing environment for the trainee. All elements can be combined to create complex gamification schemes, however, since different elements result in different outcomes, they need to be carefully selected and implemented.

Know your Audience.

Gamification’s existence can positively impact the general learning procedure, from simple quiz games to complex scenarios and games that include complete virtual worlds, with the ability for the user to navigate in it. Based on the platform’s goals, learning depth and audience, different elements can be adapted, from elements used to attract the youth to more formal and complex mechanisms used to carefully reflect a user’s actions. Creating a virtual environment, hosting a variety of scenarios, achievements, self or team-based exercises and challenges can not only engage the users, but keep them in constant interaction with the system and provides a greater purpose for them to be constantly using the platform. Having users learning either individually or in groups seems to have a different resolve in the trainee, attracts users with different backgrounds and offers different training scenarios in respect to the needs of the group of people that it aims to attract. It is important to classify the platform in respect to its material and usage. This categorization highlights the reasoning of the selected gamification schemes based on the platform’s content and audience, that will determine the graphics implemented, the strictness of their gamification schemes, and the level of learning depth in the exercises.

Understanding is deeper than Knowledge.

Platform types can be separated into four categories based on these evaluation axes: Serious Games, Self-Paced platforms, Cyber Ranges and Cyber-Range Federations. All gamification mechanisms utilized by any platform type fall under one of the main seven categories, and further elements could be implemented to extend the platform’s capabilities. Utilizing story-line techniques when presenting the task to the users can be beneficial to their overall immersion and attract their interest or even assist a better understanding of the goals and challenges presented, and can be used in all types of platforms, adjusted to the look and feel of it.

Serious games are games that tend to educate rather than entertain. They are important tools for introducing the cyber-security basics to non-professional audiences and assist them to gain further knowledge about a specific field of study. Their ease of use is one of the most important advantages they offer, and they can be suitable for people with no or little prior knowledge of cyber security. They share a more game-like approach to their educational style, and tend to use game-like graphics, avatars, simple user interfaces and reward the user more often while being less punishing. 

Self-paced platforms offer the ability for a user to train through a variety of scenarios and gain knowledge and experience through exercises based on real-world incidences. Individuals can interact at their own pace, in single exercises or large virtual infrastructures, with complex storylines. Typical features and characteristics include an overall design targeting professionals of varying expertise levels; the importance of in-depth understanding of the learning material, which is supported by emulated large-scale scenarios; and socialization and relationship amongst participants is highly promoted. Thus, in such platforms, elements like points, badges and leaderboards are commonly used to reflect a user’s progression and various progress bars provide feedback.

A Cyber-Range (CR) refers to a testing environment where the trainees have to solve a number of different tasks where vulnerabilities are reproduced under multiple scenarios and training environments. Based on the trainees’ level of expertise, the system is being adjusted to address their needs, creating multiple difficulty levels that tend to award users with unique achievements and points in respect to the scenario’s difficulty and their performance. Finally, a Federation of Cyber-Ranges (FCR) consists of multiple CRs originating from different domains to simulate hybrid scenarios, and thus all elements implemented in CRs are introduced to the final federated platform. Leaderboards are commonly implemented in such environments to motivate users.

Try not. Do. Or do not. There is no try.

Serious games are those games made not for entertainment as their first purpose but to train their users regarding a specific matter. They include educational material but are highly characterized by the extensive use of game elements to conceal the ‘boring’ aspect of the educational procedure and refer to the mixture of graphics and sounds as a major part of the overall design. On the other hand, a platform designed for professionals is more complex and can be composed of different modules for exploiting the features and capabilities of the platform and its goals; the modules are related to scenarios, teaming, monitoring, management, and scoring, where various indicators are used to measure a participants’ performance through methods, tools and metrics, accumulating their progress during an exercise, and encapsulating gamification mechanisms in such environments.

Regardless of the selected platform type, the implemented gamification mechanism should be designed in respect to the targeted audience and should be able to attract their interest. Gamification must be appealing. It should make people want to try more, to feel content with their accomplishments and challenged by their losses; to feel eager to keep on trying, to engage, to learn and improve. Any scheme should be punishing, but not punishing enough for the users to abandon their learning process and give up.

The gamification scheme will determine the type of users to interact with the platform, and the users will form the gamification scheme’s mechanics, providing a bidirectional relationship. Any initial development may fail, but sometimes one must unlearn what they have learned. Gamification is a dynamic element, part of the overall platform. When failing, try again, adjust it. Stop focusing on the negatives, commit to it, listen to the feedback, and create components that best suit the platform’s goal and its people.


[2] Marczewski, Andrzej. (2015). User Types HEXAD. Link: