• United States



Contributing Columnist

What is gamification? Lessons for awareness programs from Pokemon Go

Jul 17, 20177 mins
IT SkillsMobile SecuritySecurity

Gamification is a way to reward people for exhibiting a desired behavior. It is not merely creating a game for people to play, nor making training a game. As Pokemon Go turns a year old, here are some of the things awareness programs can learn from the massively popular game.

Most people do not understand gamification, and inevitably vendors and people misuse the term and overuse it inappropriately. Gamification is essentially rewarding people for exhibiting a desired behavior. It is not merely creating a game for people to play, nor making training a game.

There are four required characteristics of a gamification program:

  1. A defined goal with defined rewards
  2. Well established rules on how to achieve the goal and rewards
  3. Feedback as to where people stand in achieving the goals.
  4. Voluntary participation

Pokemon Go demonstrates all of these traits and demonstrates what you should be looking for when vendors or your staff describe their gamification efforts.

Learning from Pokemon Go

The massively popular mobile game recently celebrated its first anniversary. While many people may want to discount it as a children’s game, the reality is that it is major phenomenon. (Full disclosure: I admit to playing the game, and I concede that it is nothing more than a less than productive way to spend time. It also gives me a reason to get outside and explore cities.) 

While it isn’t as popular as it was when it was initially released, hitting a high point of 120,000,000 active daily users, the current estimate of 60,000,000 daily users is still more than impressive. Even more notable is that the game has taken in $1,200,000,000 in the first year. To give you an idea of the scale of revenue, the only companies that sell only security products or services that rival Pokemon Go revenue are McAfee and Symantec. Snapchat has less than half that revenue.

[Related: Pokémon Go’s strategy could thwart cybersecurity threats]

Given the sustained popularity, there is a great deal awareness programs that implement gamification efforts can learn from Pokemon Go.

At the moment, the only intended gamification of Pokemon Go is to encourage people to spend money within the game and at commercial partners. They put PokeStops at Starbucks and Sprint locations. Also to encourage people to use Sprint, they are allowing Sprint customers an hour early into the Pokemon Go Fest being held in Chicago in July 2017. However, most gamification is exploiting the phenomenon by third parties.

Many businesses that are within range of PokeStops purchase “lures” that can attract patrons, as well as Pokemon. Patrons are rewarded with the potential to catch more Pokemon by visiting, and ideally patronizing, the business. The desired behavior is patronizing the establishment, and the reward is the opportunity to catch more Pokemon.

Pokemon is also a great way to get people outdoors and exercising. A large part of the game requires that people travel to real world locations. To hatch eggs, which is a significant aspect of the game, people have to walk or bike at a pace that is not reasonable to achieve without physical effort. And people are generally rewarded for traveling faster through walking or biking. The game discounts distance traveled at speeds that might be achieved if traveling by car.

Anecdotally, you can see people out and about, playing Pokemon Go, who would otherwise apparently be playing video games in their home. Corporate wellness programs would be strongly advised to take advantage of the game’s phenomenon, and encourage people for reporting the distance traveled.

When I consider most of the self-proclaimed security awareness gamification efforts, I see that they do not truly understand gamification. Gamification is not providing information through a game. Gamification is again rewarding people for exhibiting the desired behaviors in actual circumstances.

In Pokemon Go, the goal is to level up and catch Pokemon. You are informed how many points you need to level up, how to earn points, and how to catch Pokemon. This includes visiting real-world locations and walking/biking/skating/etc. certain distances. You are constantly informed how many points you have earned, which Pokemon you caught, and where you are compared to your goals. And, nobody is forcing anyone to play the game.

While many vendors, as well as security practitioners, want to describe their gamification products/programs as a fun way to learn, the effort to provide information is not gamification. Again, gamification is about rewarding actual behaviors, not achieving a specified learning objective.

All security practitioners should be aware that just because a user knows what is proper behavior, it doesn’t mean that they actually practice that behavior. For example, some vendors created games about how to tell if a password is strong. They then have in-game contests to tell if a student can tell which passwords are strong and which are weak. If a student knows that a good password has eight or more characters, the “game” issues them a certificate deeming them security aware. However, the only real judge of knowing if a person practices good security behaviors is to try to crack their password to see if it meets the specified procedures. Even then, it is difficult to tell if they reuse the password on multiple accounts, which is a weak security behavior.

Again, knowledge of desired security behaviors is not an indication that the individual will practice that behavior.

In another article, I wrote about the ABCs of behavioral science. Specifically, antecedents (in this case information) influences behavior. Behavior creates consequences, which in turn reinforces or discourages the behavior.

For example, if you burn your hand, you are significantly less likely to recreate the behavior that caused the burn. Science indicates that telling someone that they can burn their hand is only 20 percent likely to generate the desired behavior, while the consequence of burning their hand will influence 80 percent of future behavior.

Most of what vendors refer to as gamification is actually just a simple game. They are using a game to convey information. Even if there are in-game rewards, it is still not gamification, as rewards in gamification must be conveyed for real-world behaviors.

So, as you consider Pokemon Go, you see that the game issues rewards for the real-world behaviors of visiting real-world locations, walking/exercising, and spending money. Clearly, spending money is a desired behavior. I have to assume from everything that I read that Pokemon Go creator Niantic has a plan to monetize people visiting real-world locations. While I do not believe it is a business goal for Niantic to have people exercise, I do believe that organizations can use that for wellness programs.

[Related: Pokemon Go: What security awareness programs should be doing now]

Also, while the game has lost roughly half their players, they have made improvements to retain players. They added more Pokemon to catch. They added more opportunities to score points. They created in-game events where you earn accelerated points. As previously mentioned, they are holding real world events. In addition to retention, this adds excitement to the game for current players and increases engagement. Awareness programs should examine how they can similarly refresh their efforts to create excitement and variety to retain and attract participants. Again, true gamification programs rely upon voluntary participation and enthusiasm.

Gamification can be a very powerful tool. Just make sure that you implement actual gamification, and not just a more creative way to provide information. No matter how good the medium is, it will only have 25 percent of the effectiveness of a real gamification program.