Gamification and Cybersecurity

Removing frustration through Gamification to ensure network safety.

Guardian360 Lighthouse Gamification Example

Sector Cyber Security

Client Guardian360

My Role UX design, Research, UI design

Project Time 5 Months

Project Background

During my third year, I secured a 5-month UX internship at Guardian360, set to begin after summer. Initially, I was to support the company’s UX engineer on a long-running project by providing help in the form of making UX artifacts so I could slowly explore the different facets of UX. But it was not to be as the project got shelved for the time being due to a lack of funding.

Instead, I was now tasked with independently researching Gamification principles and find a way to apply them to the company’s flagship product, Lighthouse.

Lighthouse

Guardian360’s Lighthouse is a cybersecurity and compliance platform offering 24/7 monitoring of networks and web applications. It helps organizations detect vulnerabilities, meet standards like GDPR and ISO 27001, and automate compliance processes with real-time insights and daily updates.

The Problem

Guardian360 noticed that many of their customers who had bought
Lighthouse weren’t using it.

Lack of perceived value

Users who do not use Lighthouse do not see the value it provides and will be unlikely to renew their membership or encourage others to try it out.

Reputation Damage

If Lighthouse remains unused by users, they won’t talk about it, making it harder to sell the product on the market and grow its reputation.

Lack of Feedback

Lighthouse needs feedback to be improved, but without users the product no feedback can be gained to improve the product.

The Goal

Guardian360 saw Gamification as a solution to their user retention problem. And thus the Gamification project was born, it’s goal: to figure out how Gamification could best be applied and integrated into Lighthouse.

User Engagement

Users who use Lighthouse see the value it provides and will be likely to renew their membership and encourage others to try it out.

Reputation Increase

If Lighthouse is consistently used by users, they will talk about it to others, thereby making it easier to sell and grow its reputation.

Growth Potential

With an increasing amount of users, Lighthouse will get more feedback through which the product can be improved.

Research

Research Methodology

1. Desk Research

Answering what gamification is through sub questions to find the answer to the main question

2. Risk & Reward Analysis

Do the risks of implementing gamification outweigh the benefits?

3. Competition Analysis

Do our competitors use gamification? And if so what can we learn from them?

4. User Interviews

What do users currently think of the product? Do their problems align with those we are aware of and are trying to fix?

The Big Question

How would the implementation of gamification benefit Guardian360?

Sub Questions

1. User Learning Flows

How does gamification help users learn to use a product or service?

2. User Interaction

Why does Gamification work for people? And why do people prefer gamified systems over non-gamified ones?

3. Task Management

How does a gamification system help users keep track of their current and future tasks?

4. User Rewards

In what ways are users rewarded for doing what a Gamification system wants them to do?

5. User Communication

How can a user express themselves through a gamification system?

3. Task Management

What are SAAS (software as a service) type products doing with gamification?

Competition analysis

“What are Guardian360’s competitors doing with gamification? And what can we learn from them?”

Answer: After extensively researching the competition I could not find any evidence that they are doing anything with gamification.

Risk Reward Analysis

Risks

Gamification can alienate users if it’s too competitive.

If not careful an organization can accidently end up encouraging negative behavior in their users through gamification.

Gamification can minimize the severity of certain topics.

Gamification can overshadow the main product through external rewards. This removes the internal reward aspect from the user.

Gamification doesn’t work for people who prefer tradional work methods.

Gamification can distract users from important tasks like learning by having the focus put too much on gaining external rewards.

Depending on how extensive the Gamification is implemented, it might be unsustainable for small teams. This is because in some cases, content would need to be constantly made to keep users coming back.

Rewards

Gamification helps with learning processes.

Gamification personalizes a user’s experience to suit their particular needs.

Gamification motivates people to complete tasks repeatedly through external rewards (of value in either a material or social sense)

Gamification helps users keep track of their progress.

Gamification can help create or bring community’s together.

Gamification streamlines and automates processes, making them more efficient and easy to use. Gamification values a user’s time and doesn’t waste it.

Gamification can help foster and encourage positive user behavior that an organization likes to see.

Applicable Risks & Rewards

Gamification helps with learning processes.

Gamification helps users keep track of their progress.

Gamification streamlines and automates processes, making them more efficient and easy to use. Gamification values a user’s time and doesn’t waste it.

Conclusion

4. User Rewards

After assessing the various risk and reward aspects of Gamification that could be integrated within Lighthouse, it was determined that there were more rewards than risks. Furthermore, the only risk that was present could be avoided by creating a system that doesn’t rely on a constant stream of new content.

User Interviews

Six people were interviewed:

Three directors, Two IT advisors, and One SOC operator

Are there any challenges you are currently facing during your job?

What are your daily frustrations when using lighthouse?

What do you like the most about Lighthouse? And why?

Do we communicate enough information to help you do your job?

Are there any improvements you would like to see from Lighthouse or Guardian360?

What other improvements would you like to see

Overall most if not all of the particpants were happy with the current product, but could also pinpoint areas of improvement.
Feedback was given on area’s that could be improved, a lot of which was already known, but a few of which weren’t.
New bugs and other system problems were revealed that needed fixing.
When asked how they were kept up to date with information about new changes to Lighthouse all participants identified one or multiple sources provided by Guardian360. The current information system seemed to be working.

Awnsering the main Question

Current state

While Guardian360’s flagship product Lighthouse has an extensive tool set with a visually pleasing and clean user interface, it is lacking in the following aspects:

It doesn’t provide users with a way to onboard or educate themselves about Lighthouse.
It doesn’t provide the user with a reliable way to track system statuses.
It doesn’t provide the user with a way to track where they are in their processes to achieve their goals.
The system, while robust, does not provide enough customizability to suit any user’s particular needs.
When a user is stuck, Lighthouse does not provide any tooling with which the user can help themselves, making them therefor dependent on external help.

Are there any improvements you would like to see from Lighthouse or Guardian360?

Overall most if not all of the particpants were happy with the current product, but could also pinpoint areas of improvement.
Feedback was given on area’s that could be improved, a lot of which was already known, but a few of which weren’t.
New bugs and other system problems were revealed that needed fixing.
When asked how they were kept up to date with information about new changes to Lighthouse all participants identified one or multiple sources provided by Guardian360. The current information system seemed to be working.

Sitemap

Because Lighthouse had two user languages: Dutch and English I made two seperate versions to better highlight the differences in terms of how the system communicates with its users and how certain parts are misleading or cause confusion which should be prevented.

Flowchart

Thanks to the insights gained by the flowchart and the making of the two versions of the sitemap I was able to make a new and improved version, that followed a more logical page structure.

Role based Persona's

Network Engineer

What do I do?

I monitor the network for any problems or weaknesses and If I find any I solve them.
I make sure the network stays in tip-top shape.

Why do I do it?

I want to keep our network safe so that everyone can do their job

What do I want?

To see if there is an update or something else I need to do so that the system keeps working (at peak performance)
I want to see if there are any problems that need to be fixed (especially of a very critical or dangerous level)
To see all the details of any problems the system finds so that I can find out how to solve them.
To be able to effectively communicate the happenings in the system to anyone (even non-technical people from say marketing)

What’s stopping me?

Not enough info from the system is preventing me from doing my job.
Not having the right tools in the system I use to deal with certain problems.
Being unable to communicate technical problems to non-technical people

What or who informs me?

The System I work in/with (Lighthouse in our case)

IT Manager

What do I do?

I am responsible for managing the organization’s Information Technology department’s organization, operations, systems, and infrastructure. I do all of this to ensure that business can proceed as normal at all times.
I identify growth opportunities within the system that my team works in so that my IT team members can do their work more efficiently.
I create security policies/procedures/protocols for the IT team to follow to ensure that next to no security incidents can happen within our system and organization. (Social hacking/engineering prevention)
I collaborate with both internal and external people on business interests to ensure that we are using the service that offers the most value for our organization.

What do I want?

To help the organization grow and be able to provide more value to customers.
To have the system I work with incorporate the feedback we give it.
To have a safe (security risk-free) work environment for my organization/colleagues.

What’s stopping me?

Being confronted with extremely technical issues of which I have no know-how that the system can’t help me resolve on my own.
Not being able to manage certain elements within the system, makes it harder for me to manage the network’s environment for me and my colleagues.
The system is unmaintainable or meets our business needs.
Being unable to communicate with people what is happening in our Cyber security systems due to a lack of info from the system

Why do I do it?

To ensure that everyone within the IT team has the tools they need to accomplish their work.
To ensure that the business needs of the company/organization that we work with/for are being met.

What or who informs me?

The System I work in/with (Lighthouse in our case).
Our business needs.

Security Operations Center Engineer

What do I do?

I report to management whether or not I think the system we work with is sufficient for us to continue running operations smoothly.
I handle support tickets from members of my organization that use our system (a system like Lighthouse).
I keep up with new trends in the cybersecurity space to ensure that we are able to catch and prevent any new security exploits that might come our way.
I work to identify which problems the system catches are really problematic for my organization to handle and which security issues should have priority (To be dealt with in which order).

What do I want?

To be able to catch and identify threats/security issues before they actually become a big problem in an easy and efficient way.
To have the system I work with incorporate the feedback we give it.

What’s stopping me?

Not being able to properly identify which issues are actual issues for our organization (being unable to weed out false positive issues).
The system has a slow response time on catching/identifying threats/issues (there could be a security breach that we wouldn’t know of and we wouldn’t be able to react to it in time due to the system catching it too late).

Why do I do it?

To ensure that the organization’s work can continue as usual without any obstacles.

What or who informs me?

The System I work in/with (Lighthouse in our case).
New cybersecurity threats.

Managed Service Provider

What do I do?

I grow my business by providing more ways to help clients resolve their cyber information security problems.
I advertise my business to potential clients.
I prevent problems for my clients before they face any issues/become aware of them.
I provide technical support to clients both big and small.
I advise/inform businesses on how they could improve their IT security (mostly to business people who lack technical expertise) I am a tech ambassador.

Why do I do it?

To grow my business so that I can help/provide more services for non-technical people. So that people can do what they want online without fear of being hacked.

What or who informs me?

The System I work in/with (Lighthouse in our case).
Cyber Security/IT trends.
My clients.
My business needs.

What do I want?

To grow my business
To provide value to my clients.
To have the tools to identify and solve the problems in an efficient manner that I or my clients encounter

What’s stopping me?

Not being able to help clients due to a lack of tools (to help solve the problems I encounter) or info on the tools I’m using (lack of documentation/support from the tool company)
Being unable to communicate with people what is happening in our Cyber security systems due to a lack of info from the system.
The tool(‘s) that I’m using are not growing with my business and client needs

Chief Information Security Officer

What do I do?

I make sure that the security system our organization uses works to protect our business/information assets (so that people don’t steal our information/programs)
I make sure our organization stays GRC (Governance, Risk management, and Compliance) compliant.
I make sure that our organization’s security program is effective and efficient (and if not I’ll work to find a better one)
I communicate with people who are and aren’t technically skilled in IT Security within and outside my organization, especially on the management side.
I go over cybersecurity investments with business stakeholders.
I create security policies/procedures/protocols for the IT team to follow to ensure that next to no security incidents can happen within our system and organization. (Social hacking/engineering prevention)

What do I do?

To safeguard and protect my organization’s assets.
To be able to keep up to date on the latest cyber security trends and threats.
To help build, manage, support, and educate cybersecurity communities (to help reduce overall cyber crimes/incidents)

Why do I do it?

To ensure that the organization’s work can continue as usual without any obstacles.
To help shape/create an internet that is risk-free.

What’s stopping me?

Being unable to make our organization/the tools we are using to protect our assets, GRC compliant.
Being unable to communicate with people what is happening in our Cybersecurity systems due to a lack of info from the system.
Being unable to keep up with the latest threats and trends in the cyber security world

What or who informs me?

Cybersecurity / IT trends.
The Cybersecurity / IT community.
The System I work in/with (Lighthouse in our case).
Business / management needs

Prototyping

When I first started ideating on concepts for the prototype I went for a full reinvention approach of the interface, one where the user could reshape their Lighthouse environment to suit their wants and needs. However I soon came to realize that this would be impractical as the Guardian360 team were already working daily on shipping out new features and bug fixes which meant they barely had any time to work on anything else.

So I went back to the drawing board and went for a more minimalistic approach to the problem. The (then) biggest obstacle for users both old and knew was the lack of understanding the workings of the system. A big part of this was that the current system had no way of teaching new or veteran users how it worked. This problem became further exacerbated by the fact that it also used unique terminology that wasn’t always findable within or outside the system, leaving the users confused and ultimately frustrated. So I began working on a prototype that would let the Guardian360 team experience how a learning system could be implemented within the current framework of the system.

Link to the hifi Prototype: https://xd.adobe.com/view/8a02a113-59ff-45e3-b112-09416e25ee4d-df51/

Besides the example of the teaching system other gamification elements such as a progress tracker, tooltips were implemented. I also added a link where the user could contact one of Guardian360’s partners to showcase how this could benefit and tie into the existing business structure.

While the prototype achieved its goal and was therefor successful, I regret the visual state that it had been left in. This was because the project was nearing the end and time was running out. So I chose to prioritize the making of a functional prototype that lacked the final polish that is expected of a High Fidelity Prototype. If I could go back in time and change one thing to do differently about the project, that would be it.

Project Conclusion

At the end of the project I was able to highlight to the wonderful team at Guardian360 what the current pain points were based on the research done, how they could be addressed and what further improvements could be made to increase the user experience by personally walking them through the HIFI prototype. Doing this highlighted the differences between the existing and HIFI versions of Lighthouse.

After showcasing the prototype, I gave the team a document called “Gamification Proposals” that contained a condensed version of all the design work and research I had performed and why I did what I did over the last 5 Months so that they could take that knowledge and know how to apply it by following a few simple steps I had identified for them that would fit into their existing work capacity. Besides this, I also listed some quick wins they could gain based on work required versus the value they would gain from it.

In the end all involved party’s were happy with the end result.

(You can read what my bosses had to say about me and my work down below in the testimonials section.)

Future Proofing

I really enjoyed working at Guardian360 and to this day I want them to keep succeeding, that is why during my stay I did my best to propose and work on changes that would help the startup in the long run. These changes fell outside of the scope of the project for which I was brought onboard.

Guardian360 finds itself within the cybersecurity space where a lot of technical terms and unique language is used that someone not familiar with them can’t easily understand them. That is why I proposed and in coordination with the team made a terms guide that newcomers can look at to familiarize themselves with the language so that they can better communicate and work with the team.

Finding ways to ensure UX quality is maintained through the use of a small UX guide I made for the dev team and by holding meetings and discussions where I teached the team more about UX best practices.

When I joined Guardian360 I asked to see all the related design documents the company had produced over the years to familirize myself with the new project and all the design work that had been done before. However due to time and resource constraints next to no documentation existed to learn from. So during my stay I put in extensive work to provide the company with design tools and artifacts that could be referenced and used in the future to help ease design work for those coming in after me. This includes but is not limited to the design artifacts you have seen so far in this project.

Impacts

At the end of the project, I brought value to Guardian360 by providing:



A List of Findings and Design Materials

To improve the user experience of Lighthouse and lay a solid UX foundation to build upon for years to come.



A High Fidelity Prototype

Through which the Guardian360 team can experience the benefits of Gamification first hand.



A Gamification Guide

To help the Guardian360 team understand and implement Gamification whilst avoiding its pitfalls.



Solutions & Refinements

To help speed up the integration process of new hires to the team.

A Data List

gathered through interviews which the team can use to gain new insights into the thoughts, wishes and expectations of their users.

Testimonials

Jan Martijn Broekhof

Director of Guardian360, Guardian360

During his internship, Axel conducted extensive research on the usability of our website and web application. In doing so, he was very thorough; Axel likes to understand in detail why certain things were developed. In doing so, he shows an enormous eagerness to learn and great enthusiasm. As a result, Guardian360 received a report from Axel that lays a solid foundation for UX design and gamification in the years to come. All of which he has substantiated with prototypes and clearly naming quick wins.

Martin Hugo

UX Engineer, Guardian360

Axel worked with me as a user experience designer at Guardian360 – I found him to be very passionate and dedicated to his work. He has a high attention to detail and took initiative to produce many UI artifacts that were missing from our organization, over and above the scope of work assigned to him. This made our lives much easier, and his impact at Guardian360 will be felt long after he has gone. He has the potential to be a game-changer for whoever employs him into their team.

Other Projects

Perception Changing Marketing Campaign

Marketing, UX Design

Changing perceptions to save lives.

View Case Study

Exploring the Virtual Senses

UX Design / Programming / Project Lead

An interactive experience where not all is as it seems.

View Case Study