One of the challenges we have with security awareness is when you come down to it, awareness training and education can become boring over time. Yes there are steps you can take to make it exciting, and there are many things you can do to sexy training up, but how often do you have employees bragging about how good their security behaviors are? Or how often do you have employees researching on their own how they could be more secure? While that is not happening for most organizations, it is something gamification could possibly change. Gamification (as defined at Wikipedia) is applying game and design techinques to non game applications to engage audiences. I'm not talking about creating security awareness related games, such as what Wombat folks did with their Anti-Phishing Phil game. I'm talking about taking the entire concept of security awareness and making it a competition / game. Bruce Schneier has a interesting blog post on how the concepts of gamification even apply to the building of jihadist communities. Examples for gamifying security awareness programs include ... Leader Board - Have a leader board tracking who are the most 'aware' employees. This could be measured by things such as scores on awareness quizzes or how many months employees have gone without falling victim to phishing assessments. People then compete to be in the lead. Badges - Have achievement badges for different courses or training levels people complete. Currency - Have a points or currency system. The more points people earn, the more things they can do (buy company shwag, team lunch, etc). They can earn points by completing more training, reading newsletters, replying to security awareness questions, helping others secure themselves, etc. Then allow people to trade, share or gift these points. Challenges - Create security awareness challenges between users or even departments. The end goal here is not to create games for security awareness training, but to make security awareness training (and changing behaviors) a fun game!