Gamified Cybersecurity Initiatives: The Trend, Limits and Lessons

Anderson Kevin Gwenhure, SangGyu Nam
Journal of Information Technology Education: Research  •  Volume 24  •  2025  •  pp. 024

This study aims to evaluate the sustainability of gamified cybersecurity education, training, and awareness (ETA) initiatives by addressing recurring limitations, conceptual misclassifications, and the overlooked influence of novelty and duration.

Gamification has seen widespread application in cybersecurity ETA initiatives and is frequently credited with improving engagement, motivation, and learning outcomes. However, its true effectiveness remains uncertain.

A systematic literature review (SLR) following the PRISMA framework was conducted, analyzing 12 peer-reviewed empirical studies focused on gamified cybersecurity ETA interventions.

The review reveals that most gamified initiatives are short-term and assessed within the novelty effect window, which may inflate their perceived effectiveness. Only two studies applied established gamification frameworks, highlighting a widespread reliance on improvised designs. Common elements like leaderboards and time pressure often cause unintended negative effects, such as anxiety and disengagement. Additionally, poor reporting on intervention duration and negative outcomes hinders reproducibility. Long-term behavior change remains largely unexamined. By synthesizing these findings, this study offers design guidance and calls for more structured, evidence-based approaches to gamification in cybersecurity.

Design for long-term impact, not short-term stimulation. Align game elements with user motivations and context. Use theory-based frameworks to document positive and negative outcomes to support continuous improvement and behaviour change.

Researchers should adopt longitudinal study designs to assess the sustainability of gamified interventions beyond the novelty phase, focusing on behavioural change rather than short-term engagement. Future studies must explore optimal durations for meaningful outcomes and examine how game elements affect diverse user groups and contexts. Clarifying distinctions between gamification, serious games, and simulations is essential to reduce conceptual ambiguity. Developing context-sensitive frameworks that incorporate motivational and environmental factors is also critical. Finally, standardizing reporting on duration, design models, and both positive and negative outcomes will improve comparability and advance research in this field.

This research advances the design of evidence-based gamified interventions to help close the cybersecurity skills gap and promote a more security-conscious digital culture. Organizational adoption can enhance user awareness and reduce human-related risks. Future research should distinguish gamification from related methods like serious games and simulations, and shift focus from short-term engagement to long-term outcomes such as secure behavior and compliance. Studies must report both positive and negative effects, considering demographic and contextual factors. Developing integrated, context-aware frameworks and conducting longitudinal studies to determine optimal intervention durations are essential. Standardized reporting and exploration of gamified internal policies will further support effective and sustainable cybersecurity awareness.

Keywords: gamification, cybersecurity, education, training, awareness