Gamification of Cyber Security Awareness - UX Design & Innovation Strategy by Design Centered Co.

In today’s digital landscape, cybersecurity is a critical concern for organizations worldwide—especially for government bodies like the Government of Canada, where safeguarding data and systems is paramount. Despite its importance, cybersecurity remains complex, often hindered by limited public understanding of potential threats and vulnerabilities. Many individuals underestimate their exposure to cyber risks or find the process of becoming adequately informed dull and unengaging.

Background and Context

The Office of the Chief Information Security Officer (CISO) at Public Services and Procurement Canada (PSPC) is vital to protecting government digital assets, yet encouraging cybersecurity awareness among employees posed a challenge. Although staff recognized cybersecurity’s importance, many found the subject complex and unengaging, which hindered learning and vigilance. PSPC needed a way to make security practices approachable and memorable, fostering a proactive culture against threats.

Challenges

There were a number of challenges that had to be overcome to make cybersecurity a priority and an engaging subject to motivate employees. Some of the challenges we had to overcome or address early on were:

1. Lack of Capacity and Expertise
The Cybersecurity Directorate consisted of a core team of four employee experts in the field of cybersecurity who lacked experience with solutions design and product delivery.

2. No Research or Validation Process
The client became aware of the issue as a result of a cybersecurity audit but did not have an internal process to understand or validate the root causes of the organization’s security profile.

3. Budgetary Limitations
The Cybersecurity Directorate had no previous need for solutions design and therefore had a limited budget that could be assigned to delivering a technology solution to improve cyber awareness.

Solution

Our initial user research gave us insights into a range of possible solutions that could contribute to a more cyber-safe environment. We worked with the client to define a strategy, scope, and roadmap that enabled them to achieve their objectives, resulting in:

1. Employee-Centered Service Blueprint
We developed a service blueprint that enabled the Cybersecurity Directorate to understand their overall ecosystem and areas where solutions and improvements could be introduced.

2. Game-Based Cybersecurity Awareness
We developed a strategy based on the gamification of cybersecurity awareness, a roadmap that aligned with the service model, and KPIs associated with the launch of SpyQuest – a brand-new game designed to engage and motivate employees to learn about cybersecurity.

3. Product Design and Delivery
Our multidisciplinary team used a human-centered design approach to design and deliver an award-winning game experience, which was launched in October 2024.

“ The Design Centered Co. team has completely transformed our approach to innovation, helping us redefine what it means within our ecosystem”

– Ulrich Dorig, Manager, Human Centered Design Office

Benefits and Outcomes

Our contributions towards improving PSPC’s cybersecurity posture have resulted in:

1. Increased Uptake in Cyber Learning
We designed a game theory to encourage and reinforce user behaviors that align with the objectives of the Cybersecurity Directorate – specifically employee engagement to create a cyber-safe workplace.

2. Increased Funding Through Digital Transformation
Our team contributions enabled our client to demonstrate new capabilities in delivering technology solutions to improve operations of public administration. This has resulted in our client receiving additional funding to continue leveraging new technologies to improve the department’s security posture.

3. Continuous User Feedback Loop
By introducing a professional product management practice, we helped the client develop new capabilities and a feedback loop to understand and address employees’ needs.