Gamification of Information Security Awareness and Training

Gjertsen, Eyvind Gaarder Bull; Gjære, Erlend Andreas; Bartnes, Maria; Flores, Waldo Rocha

doi:10.5220/0006128500590070

Cited by 35 publications

(24 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One potential way to continue to increase employees' 1) ability to detect and 2) motivation to report phishing emails might be through the gamification of the mock phishing campaign experience. The addition of gaming elements to non-gaming situations in this and other cyber-related contexts has been explored (Francia et al, 2014;Gjertsen et al, 2017;Emm, 2021;Khando et al, 2021). For example, gamification has demonstrated promise in the education of normal users regarding password security (Scholefield and Shepherd, 2019), and gamified systems can increase motivation to comply with security policy and reduce mock phishing failures, significantly outperforming training provided via email (Silic and Lowry, 2020).…”

Section: Background On Phishingmentioning

confidence: 99%

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Canham¹,

Posey

Constantino

2022

Front. Educ.

View full text Add to dashboard Cite

To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long “Phish Derby” competition at a large university in the U.S. The university’s Information Security Office challenged employees to prove they could detect phishing emails as part of the simulated phishing program currently in place. Employees volunteered to compete for prizes during this special event and were instructed to report suspicious emails as potential phishing attacks. Prior to the beginning of the competition, we collected demographics and data related to the concepts central to two theoretical foundations: the Big Five personality traits and goal orientation theory. We found several notable relationships between demographic variables and Phish Derby performance, which was operationalized from the number of phishing attacks reported and employee report speed. Several key findings emerged, including past performance on simulated phishing campaigns positively predicted Phish Derby performance; older participants performed better than their younger colleagues, but more educated participants performed poorer; and individuals who used a mix of PCs and Macs at work performed worse than those using a single platform. We also found that two of the Big Five personality dimensions, extraversion and agreeableness, were both associated with poorer performance in phishing detection and reporting. Likewise, individuals who were driven to perform well in the Phish Derby because they desired to learn from the experience (i.e., learning goal orientation) performed at a lower level than those driven by other goals. Interestingly, self-reported levels of computer skill and the perceived ability to detect phishing messages failed to exhibit a significant relationship with Phish Derby performance. We discuss these findings and describe how focusing on motivating the good in employee cyber behaviors is a necessary yet too often overlooked component in organizations whose training cyber cultures are rooted in employee click rates alone.

show abstract

Section: Background On Phishingmentioning

confidence: 99%

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Canham¹,

Posey

Constantino

2022

Front. Educ.

View full text Add to dashboard Cite

show abstract

“…Thus, in order to spread awareness to users through more entertaining processes, gamification can be considered, while developing privacy awareness services as well. Some examples have been recorded regarding security awareness [64,65], but gamified attempts are also needed as far as privacy awareness concerns. The contribution of gamification in these services concerns on the engagement of users on using them, resulting on the effective education of users.…”

Section: Unobservabilitymentioning

confidence: 99%

The Role of Gamification in Privacy Protection and User Engagement

Mavroeidi¹,

Kitsiou²,

Kalloniatis³

2020

Security and Privacy From a Legal, Ethical, and Technical Perspective

View full text Add to dashboard Cite

The interaction between users and several technologies has rapidly increased. In people's daily habits, the use of several applications for different reasons has been introduced. The provision of attractive services is an important aspect that it should be considered during their design. The implementation of gamification supports this, while game elements create a more entertaining and appealing environment. At the same time, due to the collection and record of users' information within them, security and privacy are needed to be considered as well, in order for these technologies to ensure a minimum level of security and protection of users' information. Users, on the other hand, should be aware of their security and privacy, so as to recognize how they can be protected, while using gamified services. In this work, the relation between privacy and gamified applications, regarding both the software developers and the users, is discussed, leading to the necessity not only of designing privacy-friendly systems but also of educating users through gamification on privacy issues.

show abstract

“…There are, however, several publications suggesting that many training efforts fail to support users towards secure behavior to a high enough degree [26,27]. Suggested reasons include that it is hard to make users participate in on-demand training, that acquired knowledge is not retained for long enough, and that knowledge does not necessarily translate to correct behavior [20,28]. Some research even suggests that training methods are not empirically evaluated to a high enough extent [29,30].…”

Section: Introductionmentioning

confidence: 99%

“…The ISAT methods included in this research are game-based training and Context-Based Micro-Training (CBMT). Gamified training means that game concepts are applied to ISAT, with the intent to better motivate users to actively participate [28]. It is considered in this research since it is argued to better motivate and engage users when compared to other ISAT alternatives.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Evaluation of Contextual and Game-Based Training for Phishing Detection

et al. 2022

View full text Add to dashboard Cite

Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in acheiving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed.

show abstract

Gamification of Information Security Awareness and Training

Cited by 35 publications

References 17 publications

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

The Role of Gamification in Privacy Protection and User Engagement

Evaluation of Contextual and Game-Based Training for Phishing Detection

Contact Info

Product

Resources

About