Gamifying cyber security training

Emma Dockerill Headshot
Written by Emma Dockerill
Marketing Executive

At Bulletproof, we know that different people learn in different ways. So when a healthcare provider came to us needing an innovative, engaging way of delivering security awareness training, we stood ready to deliver. The healthcare provider in question was St Andrews Healthcare – providers of specialist care for people with challenging mental health needs. Being a company that works with vulnerable individuals, staff awareness of cyber security is essential. Therefore, the purpose of the training days was to learn how to prevent cyber attacks by demonstrating common attack methods.

The activities took place in September 2020 and were tailored in order to adhere to Covid-19 guidelines. Originally the day was planned to be on-site, but thanks to social distancing requirements, we took the training online. This allowed everyone to still participate in a safe way whilst maintaining interest.

Red Vs Blue

Wanting to encourage engagement through healthy competition, we devised a ‘Capture the Flag’ themed training exercise, gamified into a tournament of red team vs blue team exercises – similar to the teams we have within Bulletproof. Red team are our penetration testers (attackers), who ethically hack into infrastructures to find vulnerabilities. Blue team are the SOC analysts (defenders), who monitor activity 24/7 to protect against attacks.

During the tournament, the red team’s aim was to find weaknesses of a fictional company, (for instance by finding a password), in order to attack them. The blue team, however, would have to work out how and when they were breached. The aim was for each team to use their technical skills to solve a series of challenges and earn as many points as possible. The teams could have hints to help them during their challenges, but at a cost to some of their points – and what do points make?

The staff got to take turns as both the red team and the blue team, so that they understood both attacking and defending. Structuring the training into separate red team and blue team exercises means that staff are aware of cyber threats, as well as how to find and prevent them. It provides an exciting, engaging framework on which to base discussions about hackers’ motives and staff security responsibility. This enables staff to guard against everyday threats – because why would you want your cyber security efforts undone by simple human error? Following this training, staff were able to go back into their roles more knowledgeable, thanks to our hands-on teaching of what to look out for.

Victory trophy

In fact, don’t just take our word – here’s what some of the attendees had to say about their training days:

  • “Seeing how attackers can find information relevant to our company to exploit/impersonate us, especially information publicly available online, is key to protecting our own potential security flaws.”
  • “It was good to be able to put ourselves in the shoes of a hacker and try to exploit as many vulnerabilities as possible.”
  • “It's shown why it's important to think carefully about passwords and why you want your data more difficult to get into.”
  • “I went in to this exercise knowing nothing, but came out knowing that bit more. I would definitely do another.”

We’re glad that everyone found it a valuable experience. At Bulletproof we understand that making cyber security training fun and engaging is the key to knowledge retention and improving best practice amongst your workforce.

St Andrews Healthcare Logo

Bulletproof delivered an innovative and engaging training programme to educate our staff on cyber security. With activities structured for our teams to think like a hacker, the training encouraged a deep understanding of the cyber threats we’re facing. This means we’re better equipped to identify and proactively prevent cyber attacks against our organisation.

Alexandra Vujcich  IT Security Officer, St Andrews Healthcare

Secure your staff with engaging training

If you’d like help educating your staff on how to be cyber secure in a fun and innovative way, contact us today and we can work with you to design a bespoke training experience.

Learn more

Related resources

Our experts are the ones to trust when it comes to your cyber security

CREST approvedCREST approvedCREST approved
Payment card industry data security standardPayment card industry data security standardPayment card industry data security standard
ISO 27001 certifiedISO 27001 certifiedISO 27001 certified
ISO 9001 certifiedISO 9001 certifiedISO 9001 certified
Government G-Cloud supplierGovernment G-Cloud supplierGovernment G-Cloud supplier
Crown commercial service supplierCrown commercial service supplierCrown commercial service supplier
Cyber EssentialsCyber EssentialsCyber Essentials
Cyber Essentials PlusCyber Essentials PlusCyber Essentials Plus

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

For more information about how we collect, process and retain your personal data, please see our privacy policy.