Gamification of Information Security Awareness and Training

Eyvind Garder B. Gjertsen, Erlend Andreas Gjære, Maria Bartnes, Waldo Rocha Flores

Abstract

Security Awareness and Training (SAT) programs are commonly put in place to reduce the risk arising from insecure behaviour among employees. There are, however, studies questioning how effective SAT programs are at improving end-user behaviour. In this context, we have explored the potential of applying the concept of gamification – i.e. using game mechanics – to increase motivation and learning outcomes. An interactive SAT prototype application was developed, based on interviews with security experts and a workshop with regular employees at two companies. The prototype was then tested by employees in a second workshop. Our results indicate that gamification has potential for use in SAT programs, in particular because its strengths lie in the areas where current SAT efforts are believed to fail. There are, however, significant pitfalls one must avoid when designing such applications, and more research is needed on the long-term effects of a gamified SAT application.

Paper Citation


in Harvard Style

Gjertsen E., Gjære E., Bartnes M. and Flores W. (2017). Gamification of Information Security Awareness and Training. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 59-70. DOI: 10.5220/0006128500590070


in Bibtex Style

@conference{icissp17,
author={Eyvind Garder B. Gjertsen and Erlend Andreas Gjære and Maria Bartnes and Waldo Rocha Flores},
title={Gamification of Information Security Awareness and Training},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={59-70},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006128500590070},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Gamification of Information Security Awareness and Training
SN - 978-989-758-209-7
AU - Gjertsen E.
AU - Gjære E.
AU - Bartnes M.
AU - Flores W.
PY - 2017
SP - 59
EP - 70
DO - 10.5220/0006128500590070