Security locks

Cybersecurity is not a game

A new EU research report has called for a common approach to cybersecurity. Sadly, it suggests remedying this with ‘gamification’, laments Jason Walsh

20 April 2023

A new EU report has highlighted an information security skills gap across the continent. Penned by Finnish researchers Jarno Limnéll and Niko Candelin, the 2023 Cyber Citizen Report aggregates several indices including the Digital Economy & Society Index, the Global Competitiveness Index and the National Cyber Security Index in order to measure all of “the different dimensions of cybersecurity”. 

Finland, Estonia and Spain ranked highest, with Malta, Slovenia and Bulgaria trailing at the back. Ireland’s showing is, frankly, poor, ranking nineteenth out of the EU 27, though it did at least score over 200 out of a possible 300.

Overall, the report concludes that EU citizens should have the ability to act as safely as possible online, and suggests creating an online learning portal to help them develop the skills to do so. However, while it is true that, as the report argues, citizens’ “abilities to act in a safe and secure manner in the digital world” could be improved with education, taking citizens seriously does not seem to be on the agenda.




Computers, particularly networked computers, are complex things. Perhaps lamentably so (and it is certainly the case that the Internet has unleashed upon us a kind of user-interface hell, with designers free to do as they please rather than follow human-computer interaction guidelines) but here we are. It seems to me that the problem with people’s interactions with computers and IT is that, on a fundamental level, people just do not understand how computers work.

For all the ‘learn to code’ and ‘STEM education’ blather we are now routinely subjected to, few today receive an education in the foundational concepts of computing or, dare I say it, logic. Instead, they are trained to consume media, crank out documents of various kinds and, in some cases, manipulate databases or develop applications in high level languages. 

Little wonder that many people struggle with cybersecurity. While an age-related skills gap is to be expected, what is most striking is that many adults who grew up as smartphone users know about as much about the inner workings of their devices as they do about their cars (another problem, incidentally).

The Cyber Citizen Report certainly recognises the problem, but does it have the solution? And is there the will to fix it? The report states that “citizens will be asked to take part in planning the educational content”. Fair enough, but which citizens? And how? Many consultative efforts, whether in government or business, are easily manipulated and often appear to be little more than attempts to use a phantom public as a cat’s paw for actions already decided at a policy level. 

Overall, the report’s suggestions are a mixed bag. Noting a “clear willingness in EU member states” to develop public competency in cybersecurity, it points out that, at present, there is no common, EU-wide model to do so. This is uncontroversial, as is the recognition of a shortage of cybersecurity professionals who could act as trainers.

And the winners are…

However, I find the suggested remedy problematic for a number of reasons. Leaving aside the fact that an official portal is likely to be a door no-one will ever choose to open, the proposed educational strategy raises more questions than it answers. Saying, “games have established themselves as a form of social behaviour and are increasingly becoming a key learning tool”, the report suggests this as a key method for delivering the necessary education.

Really? So-called ‘gamification’ is popular in the tech-business nexus because it delivers repeat customers (actually, in the case of social media people as raw materials, but I will pass over that for the moment). Cottoning on this, governments and think tanks have decided they want in on the action. But does it work for anything other than convincing people to finger the infinite scroll? And, more importantly, is it ethical? Play as a form of learning is firmly established, particularly for children, but is it really suitable for adults? And, in any case, it is now evident that IT-based ‘gamification’ is better characterised as a form of exploitation than it is gameplay.

Simple rules can certainly be reinforced by staged repetition, and staged repetition can be made, somewhat at least, less tedious by adding elements of gameplay. Serious learning of complicated things, however, requires deeper concentration, especially if the learner is supposed to actually understand why something is so rather than just how to pull the virtual lever.

Moreover, whatever about social media companies’ methods for attempting to keep users glued to their screens, the very concept of citizenship is at odds with an infantile playschool approach to ontology and epistemology. Put simply, we are not children, so why treat us as though we are?

Businesses are free, if they want, to treat the public as a sea of sensation-seeking children, but we should expect more from society. And yet, increasingly, governments’ efforts to engage with citizens see them talk down to us. This was particularly noticeable during the Covid-19 pandemic, but the trend was evident long before then, complete with cartoons and ‘friendly’ public service announcements. Should we really be encouraging this?

Read More:

Back to Top ↑