Traditional cybersecurity and compliance training can be dull as dishwater, which can lead to poor engagement and low retention among employees.
Gamification, if done well, offers a refreshing alternative, transforming boring modules into interactive experiences that foster real behavioural change and strengthen your organisation’s overall security posture, argues Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa.
“Traditional training often feels like a drag, too theoretical, irrelevant or disconnected from daily work where people already feel overwhelmed and overloaded.”
She says that presenting employees with one-size-fits-all content that has little real-world application often fails to engage their attention or change their behaviour.
“People forget information they don’t emotionally engage with or see relevance in,” she comments. “Worse still, it does little to instil a true security mindset, the kind that turns passive participants into proactive defenders.”
Enter gamification
By contrast, applying game-design elements, such as points, badges, leaderboards and rewards, to cybersecurity training taps into our natural desire for achievement, competition and progress. “When learning feels like an exciting challenge rather than a chore, retention and engagement improve,” Collard explains. “It helps shift cybersecurity from a compliance burden to a personal skill to be proud of.”
Collard explains that there are sound behavioural and cognitive psychological principles that make gamification so effective. “When we achieve a goal, the brain releases dopamine, activating its reward centres,” she says. “That’s what makes gamified learning so engaging – it literally feels good to make progress.”
Similarly, setting goals has multiple benefits. “When you introduce clear, incremental goals, it increases motivation,” Collard maintains. Social comparison is another psychological phenomenon which can be leveraged. “Leaderboards and peer benchmarking appeal to our natural tendency for social comparison. When employees see how they stack up, they often push themselves further.”
However, Collard believes the ultimate form of motivation is not rewards. “The best gamified security programmes go beyond badges and points,” she says. “They tap into intrinsic motivators like autonomy, mastery and purpose, which drive lasting behavioural change.”
From fitness to language apps
Other industries have successfully harnessed the power of gamification – from fitness reward programmes to educational apps. “By giving away free smoothies and coffees, Virgin Active and Discovery Vitality are actually encouraging their members to stay fit and healthy,” comments Collard. “Likewise, language apps like Duolingo help learners keep track of their progress through streaks, leaderboards and daily goals.” It’s examples like these that have inspired cybersecurity training firms to follow suit.
“One of our most popular security games is Spot the Phish, which we developed with Sanlam many years ago,” she explains. “It’s easy and fun to play, while teaching users what to look out for.”
By swiping left or right, players are introduced to multiple phishing scenarios where they could be scammed. “I think its simplicity is what made it so successful.”
Another effective game she uses is a story-driven simulation where employees assume roles, such as a cybercriminal or a detective, and make choices that lead to different outcomes. “This kind of narrative immersion helps them grasp the real-world consequences of their actions,” Collard explains.
Turning passive employees into proactive defenders
But how do organisations move from compliance fatigue to security enthusiasm? Collard suggests starting small, such as a leaderboard for fastest reporting of simulated phishing emails or incorporating storytelling in games. Another recommendation is for organisations to track engagement among employees. “This identifies knowledge gaps and content can then be adapted accordingly,” she says.
This is crucial, as the KnowBe4 Africa Human Risk Management Report 2025 revealed that over 41% of responding organisations say their biggest challenge is measuring whether security awareness training (SAT) actually works. This “confidence gap” highlights a disconnect between perceived awareness and actual readiness, meaning a workforce appearing trained on paper might be vulnerable in reality.
The report further highlights that traditional training frequency is often insufficient, with 29% of organisations conducting training annually and 39% biannually. This low frequency contributes to the “prevalence effect,” where infrequent exposure to even simulated threats makes employees less likely to detect real attacks.
To counter this, gamified phishing simulations, when conducted more frequently, have been shown to directly correlate with measurable improvements in security behaviour. KnowBe4’s research from over 60 000 individual organisations worldwide, comprising over 32-million individual users, confirms this – increased simulation frequency leads to better security habits.
Lastly, by involving employees and rewarding their progress, meaningful behavioural change can occur. “Let your employees come up with their own team names because ownership increases participation,” she urges. “In terms of rewards, offer them incentives or recognition for their achievements.” Incorporating these principles into your organisation’s cybersecurity training will not only up the fun levels at work, it will also have lasting benefits.
“The right application of gamification will increase participation and improve knowledge retention among your employees, resulting in a stronger security posture and a more positive security culture,” Collard concludes.
This is especially important given that the KnowBe4 Africa Human Risk Management Report 2025 also found that only 10% of decision-makers are fully confident their teams would report a suspicious email or threat. Gamification offers a tangible solution to bridge this gap, translating awareness into actionable, consistent security behaviours.