I recently took part in a design-thinking workshop to look at how we can use alternative approaches  to security-related issues at SAP, like serious gaming. We had to first come to an agreement on what we thought serious gaming was. Well, we never reached 100% agreement, but we did come up with a few ideas.

• Serious gaming tries to accomplish a non-trivial purpose, such influencing the behavior of the players, or educating them, or letting them test processes in an environment where it is safe to fail. Serious games can be simulations or educational or both!
• Entertainment is optional, but can help reinforce the goals of the game.

In the next phase we sought to identify the problem a serious game about security should solve.

• Increase preparedness by testing the processes we have in place that they could actually handle a real attack.
• Have more effective training to inform our colleagues about security policies within the company.
• Through simulation, reinforce to decision makers the importance of security.

In the end, we had to choose an area to concentrate on. We found that secure behavior was the area we felt was the most important. We created a persona for our target user:

Adrian is 42 and a developer at SAP. He is married with two children. In his free time he takes part in Lego League. He says security is important, but thinks it is a pain in the rear. He participates in the training, despite his annoyance at the constant overhead.

Now we go back to our regular jobs and think about the next steps in creating a training for such a user.

Have you ever considered using serious gaming for security issues at your company? What have you done and what were your experiences?