A team of UK researchers explored how gamifying cyber security awareness training might transform mundane compliance into an engaging and memorable experience. Martin Cooper MBCS reports.

Gamification — including an adversarial dice game — could be a key weapon for organisations working to protect their people, customers and data from hackers.

That’s the headline finding made by a group of UK researchers, headed by Professor Steven Furnell FBCS from the University of Nottingham, who have prototyped three experimental cybersecurity games.

Cyber Defence Dice is a competitive tabletop game that uses two sets of custom dice: red for attacks and blue for defences.

Speaking to BCS about the project, Steven said: ‘We’ve been doing a series of playtests with a variety of audiences — from public through to cyber educators and professionals — and these have been overwhelmingly positive about both the game itself and its potential as a basis for awareness raising.’

How gamification works

Players begin by rolling their dice, and then decide which ones to keep or re-roll in order to build a strong attack or defence, depending on their role in the round.

The next player must then respond to the combination rolled by their opponent. Each die face represents a different type of cyber threat or defence, and players use a crib sheet to guide their decisions.

The game promotes understanding of cybersecurity concepts and encourages thoughtful decision making. It’s flexible enough to support multiple rule variants, making it suitable for both quick play and deeper engagement.

‘Gamification is clearly a very useful mechanism for raising awareness and long term participation in cyber security’, Steven said, adding context. ‘But, elsewhere, the evidence shows that if UK businesses maintained their basic cyber hygiene — addressing some of the basic safeguards that the dice seek to promote — they’d make hackers' jobs harder and make their systems as a whole more resilient.’

The other two games are:

  • Hacker Whacker: Inspired by Whack-a-Mole, players hit red or green targets based on whether a cyber attack or defence appears. It teaches threat recognition through fast paced, timed decisions.
  • Password Strength Meter: This game mimics a fairground strength tester, letting users input a password and see its strength via a light display. It highlights password quality and adds fun through suspense and competition.

Measuring the results of gamification

The games were designed to test whether short, physical interactions could effectively teach basic cybersecurity concepts. The researchers also sought to prove that playful formats could boost engagement and learning, especially in informal public settings.

Although not a new idea, incorporating gamification into cybersecurity education can be a complex and involved process, where players sometimes need to learn intricate rules.

‘The basics of the dice game can be explained in less than a minute and then learned through further play, and this provides a basis for players to start recognising more about the attacks, defences and potential relationships between them’, Steven said.

Cybersecurity is often seen as dull or overly technical, making it hard to engage everyday users. The project aimed to create quick, fun and accessible activities that could raise awareness without requiring prior knowledge or lengthy setup.

The future of gamification

Along with deploying innovative cyber security concepts, Cyber Defence Dice also looks to harness new manufacturing methods.

‘We did an initial version based on designs we created, and then got them manufactured overseas,’ Steven explained. ‘This proved rather expensive for a set of 10 dice — five red and five blue. So, we’ve since redesigned the images to enable us to 3D print them locally. Through this, we’ve managed to get the cost down to a level where we’re able to make them available for sale at a reasonable price, and we’ve already been providing them to others for use at events.’

The project's accompanying initial short paper, Cybersecurity Awareness via Physical Games, concluded that the games proved effective in raising cybersecurity awareness through short, engaging interactions that required minimal explanation.

Public facing events, particularly with young people, showed strong interest and enjoyment among participants.

Observations confirmed that the physical format — especially the visually and aurally engaging Password Meter and Hacker Whacker — successfully attracted attention and encouraged spontaneous participation.

Overall, the games demonstrated their value as accessible, impactful tools for informal cybersecurity education.

The project team are: Steven Furnell, James Todd, Xavier Carpent and Simon Castle-Green from the School of Computer Science, University of Nottingham, and Lucija Šmid from the School of Management, University of Bath.