Gamify Your Training To De-Risk Digital And AI Projects

Privacy and cybersecurity training are supposed to prevent costly and embarrassing employee gaffes. Yet they have a reputation for being boring, irrelevant, tedious and repetitive. Even if employees manage to remember the content, they may struggle to apply it. There’ gamify training to make it stick.

eLearning Industry’s GRC, Ethics & Compliance Editor Jacqueline DiChiara urges companies to weave fun, authenticity and interactivity into training, and to offer it in micro-learning doses. “There's a reason people love detective shows, escape rooms, and Choose-Your-Own-Adventure stories: they're immersive and they force active thinking.” Forbes Technology Council Member Jeremy Vaughan describes how companies can gamify the DevSecOps lifecycle to motivate teams to apply secure coding principles and instill a product security culture in a recent article.

Outside the boardroom — and off the clock — a grassroots movement of mission-driven volunteers has been doing just that. Communities of cybersecurity, privacy and AI experts have been developing serious games and holding events to help people around the globe develop the skills and mindsets needed to tackle evolving threats. While the security community has led the charge, privacy and AI pros are catching on: Privacy Village’s DPDFest is now in its second year and has expanded into a six-week festival that bills itself as a “Disneyland for Privacy.” Meanwhile, a new crop of AI security and responsible AI games has emerged that can be played in physical and virtual formats or as part of a hackathon.

Prioritize Fun. The Learning Will Follow.

Serious games use play to make technical concepts accessible and foster a mindset that helps players translate learning to the real world. Though they often incorporate extrinsic motivators like leaderboards, points and badges, the key to their effectiveness is the use of game mechanics to foster critical thinking and collaboration.

Michael Novack, a security architect and board game enthusiast, started making board games to help non-technical employees like accountants develop the critical thinking skills and mental frameworks needed to protect against evolving cyber threats. He dislikes the term “gamification”, which he believes treats fun as a bolt-on to jazz up corporate training. He takes a fun-first approach, creating games that can compete with other board games and could be played in a family game night. He has published two games:

  • Byte Club, where players role-play hackers and defenders using the seven steps in the Cyber Kill Chain to attack a system and six disruption strategies to defend it; and
  • Fuzzy Logic, where players build a machine learning tool out of cardboard.

DPD25Fest participants have played both games during weekly virtual game nights.

Screenshot of virtual game environment for Byte Club with players from DPD25Fest.

Abigail Dubiniecki 2025

BSides Ottawa has made games core to its events since its inception. Games include:

  • Capture the Flag competitions
  • Cybersecurity Escape Room
  • Games that teach niche skills like LockPick Village
  • Interactive table-tops like Policy Village and Ransomware Rampage: A Crisis Control Challenge.

Lead Organizer and Board Chair Jarett Parent told me via email that, “These activities have proven to be wildly successful, often reducing the barriers to entry compared to more traditional, theory-heavy approaches. By offering hands-on, interactive experiences, they make complex cybersecurity concepts more accessible and engaging for participants of all levels.”

BSides Ottawa is part of a global framework of community-driven events organized by and for the infosec community. The name is a nod to the B-side record albums that featured the songs that never made it to the main album. According to the BSides website, BSides events offer a grassroots alternative to buttoned-down, theory-driven, commercial conferences. They aim to help people of all levels, roles and sectors connect, expand conversations around security and explore niche and emerging topics. There have been 1075 BSides events around the world, hosted in 255 cities spanning 65 countries as of January 2025.

Play Secure is an annual, online event devoted entirely to exploring how play can be used to engage, teach and protect people in the digital world. Its founder, James Bore, wanted to make play-based security training and awareness the star of its own show to highlight its legitimacy in its own right. He enlisted co-founder and Industry Analyst, Phelim Rowe, to help. The event is held each June and is open to anyone. Players from Singapore, Angola, the UK, the US, Brazil, Germany and beyond have attended the conferences.

Like Novack, Bore and Rowe distinguish between play and gamification. Bore emphasizes how play is exploratory and simulated. It doesn’t need to have pre-set answers or a pre-defined pathway. Rowe is skeptical of what he calls the “gold star mentality” that pushes people to rack up points to earn a badge. In his view, play-based learning reduced to rewards is not effective. Open-ended play is hard to measure, but it is more effective in helping players understand how to protect themselves and others from security threats. It also pushes players to challenge their assumptions regarding how to deliver security controls. Bore and Rowe noted that a major Play Secure sponsor re-engineered its own training platform to remove the scoreboards and take a more exploratory approach after the conference.

Play Secure is on a mission to convince others to take learning through play seriously. Rowe asserts that the entire field of infosec emerged from play, as computer engineers explored other ways to use their creations, while physical security professionals have long enjoyed role-plays and immersive learning. This may explain why serious games have gained such traction in the security world. Bore argues that play has always been integral to the way humans learn. It’s not limited to security. He points to war games used during Napoleonic times and kids playing house to learn social skills as evidence.

If You Gamify It, They Will Play — And Learn

Adam Shostack, a leading expert in threat modeling and the game designer behind the game Elevation of Privilege, maintains a long and growing list of security and privacy games. They include titles like:

  • Control-Alt-Hack for ethical hacking
  • Data Heist for cyber hygiene and data protection
  • Oh Noes! and Backdoors & Breaches for incident response.

Some of the games listed can also be played online. Agile Stationery, a company that creates custom, physical card decks, has an entire section devoted to cybersecurity, privacy and threat modeling tools, attesting to their growing popularity.

Online platforms like Hack the Box, Try Hack Me and Antisyphon offer on-demand micro-modules and immersive games to teach incident response, ethical hacking and other cyber topics. Players use Discord channels to get tips and collaborate with welcoming player communities, and even try some of their games at in-person events, like BSides Ottawa. In a similar vein, Privacy Village has an online game platform called Compliance Detective that players can access year-round, and are encouraged to do so during DPD25Fest. They can also collaborate via Slack and meet up for virtual and occasional in-person events, like a recent event held at

AI experts are also turning to play-based learning. AI scientist Dr. Lance B. Eliot describes how to gamify prompt engineering for better results with AI chatbots in a recent Forbes article. But prompts can also be used as attacks. So online games like Lakera’s Gandalf AI have emerged to challenge players to hack a simulated AI chatbot using known prompt injection attacks to help them learn how to make AI chatbots more secure. The Antigranular platform by Oblivious AI runs data science hackathons where players solve real-world problems by building privacy-preserving data models. They will be hosting a Fraud Detection Hackathon for DPD25Fest starting January 28th.

Shostack’s site includes resources for building your own game, and many have taken inspiration from existing games to create their own. Elevation of MLsec — designed to gamify threat detection in machine learning projects — is one example. Kim Wuyts, privacy engineer and the world’s leading expert on privacy threat modeling, transformed the LINDDUN framework she helped create into the LINDDUN GO! card game, drawing inspiration from Shostack’s Elevation of Privilege game. This, in turn, inspired the creation of PLOT4AI for responsible AI and data protection.

Gamify Privacy To Break Down Silos And Upskill Teams

Too often privacy is treated as a last-minute compliance tick-box exercise, even when laws like GDPR mandate Privacy by Design. Minimum Viable Privacy can spell privacy disaster for people and businesses. AI can amplify this risk significantly. Wuyts created LINDDUN GO! as a tool to help break down silos and engineer privacy into the design of systems and products. By turning the LINDDUN framework into a fast-paced card game, she could ease multidisciplinary teams into privacy threat modeling, a core privacy engineering activity.

“Privacy engineering integrates privacy principles into the design, development, and operation of systems to protect personal data, uphold privacy rights and comply with regulations by proactively addressing privacy risks throughout a system’s lifecycle,” says privacy engineer Saima Fancy. The Carnegie Mellon University alum described privacy engineers as the glue between departments. “Anywhere data’s sitting, I’m talking to them. That’s why we’re so unique.”

Rebecca Balebako believes privacy engineering delivers a win-win for both customers and businesses. Now a privacy engineering consultant, the ex-Google privacy engineer and former CMU professor appreciates her craft from a business perspective. Balebako hosts mini privacy engineering and responsible AI bootcamps for DPD25Fest participants where she shares practical tips, like how to create low-cost user tests to help bootstrapped AI startups build AI responsibly. Data Privacy Architect Swati Popuri hosts weekly fireside chats to walk aspiring privacy engineers through technical privacy implementations.

Mert Can Boyar is the founder of Privacy Village and the Lead for Istanbul Bilgi University’s Privacy Innovation Lab. As a privacy lawyer who entered the profession just as GDPR was coming into force, he immediately felt the need for deeper technical knowledge. He couldn’t afford to pursue a formal privacy engineering degree, so he decided to teach himself. Along the way he created the comic book the Hitchhiker’s Guide to Privacy Engineering, which he describes as “a cyberpunk AI-meets-privacy-engineering lovechild that combines an immersive story with the most ambitious glossary and knowledgebase ever attempted.” Then he decided to gamify it.

DPD25Fest brings together privacy creatives, privacy engineers, and the privacy-curious in the “Battle for AI.” The festival features live virtual games, fireside chats and an active Slack channel where teams coordinate and share AI and privacy updates and tips. It also showcases privacy’s creative side with its first Privacy Musical, an artists’ gallery, weekly creative AI challenges and creative privacy talks. The goal is to create a diverse, global movement of privacy engineers and privacy creatives who can help organizations innovate safely in a privacy-respectful manner.

It’s More Than Training — It’s A Movement

Community, creativity and collaboration are critical to the success of both games and events. These are not just games, or conferences. They’re movements.

“BSides Ottawa thrives on the passion and dedication of individuals committed to driving social impact and fostering a community-driven approach to cybersecurity,” says Parent. “Entirely organized and operated by volunteers, our Content Providers come from diverse backgrounds, including government, industry, and academia. They bring a wealth of expertise, creativity, and unique perspectives that ensure our activities remain innovative, inclusive, and impactful.” This in turn strengthens connections within the cybersecurity ecosystem.

Privacy Village continues this ethos.

Besides DPDFest, Privacy Village hosts events year-round, including a joint Battle for AI event with Cephas Joseph Okoth M, a Technical Privacy Consultant and co-founder of Cyber in Africa. He was an early and enthusiastic Privacy Village participant who topped the leaderboards. He now delivers Privacy Bootcamps through Cyber in Africa to grow the privacy engineering community in Kenya. Privacy Village has held a festival for EU lawyers and competitions for law students in Turkey. Boyar asserts that Compliance Detective will always offer some free content because he is committed to democratizing privacy engineering.

Should Your Organization Gamify Training?

Bore believes play-based learning is for everyone. But not every game works for each person. Organizations and content creators should take different learning styles and accessibility considerations into account, provide options, and adapt accordingly.

If you can’t decide whether to gamify privacy or cyber training, try one of the free or low-cost games mentioned in this article in honour of Data Privacy Day on January 28th. At worst your employees will have fun, at best they might learn something new.