In almost any security training, getting something wrong counts as a red mark. We pick the wrong option, the system logs it as an error, and it moves on to the next question. In a video game, something different happens. The character falls, the screen says we lost, and that fall is exactly the part where something sticks. We try again, and this time we dodge the pit we hadn’t spotted before.
It looks like a design detail, but it touches the heart of how people learn to make decisions under pressure. An awareness program that only rewards the right answer misses the juicier half of the story, which is what happens when we get it wrong and nobody sends us the bill.
That permission to fail, to learn from your mistakes without paying dearly for it, has a name and has evidence behind it. It is worth a look, because it explains why a well-designed game leaves a mark the usual course never manages to.
Why does a video game let us fail with nothing at stake?
A video game rests on a silent pact. You can fail as many times as you want and nothing real breaks. We call that safe practice, the chance to try a decision, watch it go wrong, and start over with no consequences off the screen. The mistake there works as information for the next attempt rather than as a sentence.
Every failed attempt tells you something about the next one. You fell into the pit, so now you know it is there. You opened the trap chest, so next time you distrust the one that glows a little too much. Nobody sends you an email from HR for dying on level three (yet). That margin is what turns a game into a comfortable place to practice things that feel scary in real life. When the cost of trying drops to almost zero, we try more, and from all that trying we sharpen our eye for the next round.
In security, what feels scary is fairly concrete. Clicking where you shouldn’t have clicked, approving a transfer that wasn’t real, handing a credential to the wrong person. A game lets us live through those micro-decisions many times over, in a setting where the worst ending is starting the level again. And practicing the decision, rather than reading about it, is what later holds the reflex in place.
What does the evidence say about learning from mistakes?
The research is fairly clear on one point. Training that lets people make mistakes tends to work better than guiding them step by step so they never slip. This approach has a not very glamorous name, error management training, and it comes down to giving the mistake room during practice instead of armoring every move.
A meta-analysis by Nina Keith and Michael Frese, published in the Journal of Applied Psychology in 2008, pulled together twenty-four studies with more than two thousand people and compared the two paths. Training with mistakes beat the method that avoids them, with a moderate and consistent effect. And here is what matters most to those of us who work in awareness. That advantage grew when the person had to apply what they had learned to a new situation, different from the one they had practiced.
Which is, deep down, what we ask of anyone facing an attack. The malicious email that arrives is never identical to the one in the course example. The sender and the pretext change, and sometimes even the language it is written in. Recognizing the new trap from the old ones we have already lived through is transfer, and it is exactly the ground where learning through mistakes pulls ahead. A method that showed us the right answer only once turns up less prepared for that appointment.
There is a simple intuition behind that result. When we are afraid of getting things wrong, we explore less. We follow the safe path someone marked out and avoid touching what we do not know, which is the opposite of what it takes to spot something unprecedented. An environment where mistakes are free lowers that guard. It lets people try, dare to look under the rug, and build their own judgment, instead of memorizing a single correct route that collapses the moment reality changes one detail.
Why doesn’t a quiz you pass once train the reflex?
A quiz you pass once measures what we remember that day, not what we will do months later when the odd email lands. We tick the right option, the certificate prints, and the topic gets filed away. The awkward part is that security is not decided at quiz time but at decision time, and a lot of time usually passes between the two.
What we need is for the right move to come almost without thinking when the trap appears, beyond being able to answer a multiple-choice question well. I call that the reflex, and the reflex is not explained, it is trained. It gets built by repeating the same micro-decision in similar contexts until recognizing it takes little effort.
A quiz touches it once. A game makes you repeat it without it feeling like repetition, because it wraps the decision in a story and a challenge you actually want to keep going. Here an idea I bring up often comes back, which is that boredom is a security hole. Practice that bores gets abandoned, and what gets abandoned trains nothing. The game handles that part almost on the sly. While the person wants to clear the level, they are rehearsing the decision we care about as a bonus. I have written before about how repetition holds learning in place, back when we talked about microlearning and a continuous drip.
How do you bring safe practice into an awareness program?
The practical way to give people that permission to fail is to put realistic situations in front of them where the mistake does not cost much but does leave something behind. Three approaches complement each other well inside a single program.
The first is simulation. A simulated phishing email lets the person take the bait in a controlled setting and get, on the spot, the explanation of what gave it away. They failed, but they failed in the drill, which is exactly where we want them to fail rather than in front of a real attacker. Simulation tools exist for that, so the first unlucky click happens in a rehearsal.
The second is cybersecurity awareness games. Here safe practice is almost literal. The person makes security decisions inside a story, gets it wrong, sees the consequence inside the game, and tries again. In our library of cybersecurity awareness games that is exactly the mechanic, training judgment by playing instead of listening to a list of prohibitions. And since each game builds its own world, the same idea can be told in very different ways without wearing thin, something we already saw when reviewing the gamification mechanics that change behavior and when looking at video games as power-ups for the program.
The third is the teachable moment. When a person takes a risky action, say clicking on a phishing simulation, that instant is the best possible lesson, because attention is at its peak. The teachable moment steps in right there, the moment the mistake happens, and explains what risky action they took and how to spot the trick next time. It follows the same logic as the game, showing what happened and offering the way out on the spot, without the usual sermon, which tends to arrive late and which nobody quite listens to anyway.
It is worth not mixing it up with the nudge, which is a separate piece. The nudge works earlier, as prevention, with a subtle push that shows up at the moment of the decision to steer without forcing. The teachable moment comes afterward, as a reaction, once the mistake has already happened and there is a warm lesson to make the most of. They serve different functions and reinforce each other when they live in the same campaign, something we covered in how nudges and teachable moments shape behavior.
There is something worth keeping in view across all three. Safe practice only teaches if the mistake leaves a clear lesson. A game that lets you lose without telling you why entertains for a while and changes nothing. The consequence on the screen has to point at the decision you want to train, and the chance to try again has to come quickly, while the experience is still warm.
A mistake teaches when the person understands why they got it wrong. Without that explanation all that is left is a bit of entertainment, and that difference is what separates a game that trains from one that just passes the time. It is also where it is worth measuring whether people learned something or merely had fun.
As an awareness platform with content native to Spanish and an established presence across LATAM and Spain, at SMARTFENSE we see that pattern all the time. The programs that move the needle most tend to be the ones that let people practice the decision, over the ones that explain it better. The controlled mistake, early and with no real cost, turns out to be one of the best teachers we have on hand.
Let’s go back to the red mark from the start. In a quiz, that mark is the end of the matter. In a game it is the beginning of the next attempt, and with luck of the learning we were after. What makes the difference is having had a place to get it wrong before the mistake was for real.
A good awareness program looks more like that than like a quiz. It lets people practice and get it wrong as many times as they need, and it trusts that the next trap will be recognized because it was already lived through somewhere that falling didn’t hurt. That is where training stops feeling like a formality and starts looking after someone.
Does your program leave people room to get it wrong, or does it only test them the day the mistake can no longer be undone?
Leave a Reply