Use of Gamification in Security Awareness and Training Programs

The security reports are unambiguous: the human factor constitutes a real vulnerability in the information security domain. It is crucial that employees of companies and governments understand the risks and threats connected with use of \gls{it} systems, and act on the knowledge to prevent security breaches and leakage of sensitive information to cyber criminals or nation state espionage. It is assumed that security awareness and training programs are one of the primary ways of raising someone's conciousness and building competence in the field of information security. However, current programs are sometimes viewed as tedious and uninteresting by the employees that take them. Consequently, the programs fail to create the behaviour and competence needed for employees to anticipate and prevent security breaches. % Gamification & What is the study about Gamification is a design technique where elements from games are deployed in non-game contexts to increase user engagement and motivation. This thesis has taken a qualitative research approach to assess if and how gamification can be used in security awareness and training programs in order to defeat the tediousness and thus improve learning outcomes. The idea that has been studied is a long-term, continuous program that makes use of a gamified software application to mediate awareness and training material to employees. Qualitative data has been collected through interviews with security professionals and workshops with end users from two different Norwegian companies, in order to gain an understanding of the possibilities and limitations of the proposed concept. A prototype of a gamified application was developed to aid the research. The results indicate that gamification can have positive effects in combination with security awareness and training. Firstly, it was found that companies and employees often can have multiple common ambitions connected with the training; common goals that should be used as focus points in future programs. Secondly, it was discovered that employees would principally value factors such as progression and mastery as motivational stimulus in the training. Thirdly, results from the workshops suggests that gamification can increase motivation towards completing training, and potentially improve learning outcomes as a result of this. Conclusively, it was indicated that a long-term gamified training program, with use of short and concise exercises, could lead employees to think more about security during the daily work, which in turn suggests a potential for behaviour change

Gamifying a Learning Management System: Narrative and Team Leaderboard in the Context of Effective Information Security Education

Gamified learning management systems (LMS) can be effective in case game-design elements (GDE) address users’ motivation to engage with the topic and lower barriers to learning. In the context of Security Education, Training, and Awareness (SETA) programs, gamification is stated to be a major success factor. However, there is scarce research about the relationship between GDE and learning outcomes such as information security awareness. The evaluation of GDE regarding the application context is important because inappropriate gamified approaches can lead to negative outcomes, e.g., anxiety or inappropriate behavior. Thus, we first derive narrative and team leaderboard (TL) as appropriate GDE for the context of SETA. Second, Spearman correlation analyses indicate positive significant relationships between the experience of narrative and team leaderboard with information security awareness. Therefore, we implicate integrating narrative and team leaderboard within an LMS in the context of SETA programs

Gamification techniques for raising cyber security awareness

Due to the prevalence of online services in modern society, such as internet banking and social media, it is important for users to have an understanding of basic security measures in order to keep themselves safe online. However, users often do not know how to make their online interactions secure, which demonstrates an educational need in this area. Gamification has grown in popularity in recent years and has been used to teach people about a range of subjects. This paper presents an exploratory study investigating the use of gamification techniques to educate average users about password security, with the aim of raising overall security awareness. To explore the impact of such techniques, a role-playing quiz application (RPG) was developed for the Android platform to educate users about password security. Results gained from the work highlightedthat users enjoyed learning via the use of the password application, and felt they benefitted from the inclusion of gamification techniques. Future work seeks to expand the prototype into a full solution, covering a range of security awareness issues

The THREAT-ARREST Cyber-Security Training Platform

Cyber security is always a main concern for critical infrastructures and nation-wide safety and sustainability. Thus, advanced cyber ranges and security training is becoming imperative for the involved organizations. This paper presets a cyber security training platform, called THREAT-ARREST. The various platform modules can analyze an organization’s system, identify the most critical threats, and tailor a training program to its personnel needs. Then, different training programmes are created based on the trainee types (i.e. administrator, simple operator, etc.), providing several teaching procedures and accomplishing diverse learning goals. One of the main novelties of THREAT-ARREST is the modelling of these programmes along with the runtime monitoring, management, and evaluation operations. The platform is generic. Nevertheless, its applicability in a smart energy case study is detailed

The Industry and Policy Context for Digital Games for Empowerment and Inclusion:Market Analysis, Future Prospects and Key Challenges in Videogames, Serious Games and Gamification

The effective use of digital games for empowerment and social inclusion (DGEI) of people and communities at risk of exclusion will be shaped by, and may influence the development of a range of sectors that supply products, services, technology and research. The principal industries that would appear to be implicated are the 'videogames' industry, and an emerging 'serious games' industry. The videogames industry is an ecosystem of developers, publishers and other service providers drawn from the interactive media, software and broader ICT industry that services the mainstream leisure market in games, The 'serious games' industry is a rather fragmented and growing network of firms, users, research and policy makers from a variety of sectors. This emerging industry is are trying to develop knowledge, products, services and a market for the use of digital games, and products inspired by digital games, for a range of non-leisure applications. This report provides a summary of the state of play of these industries, their trajectories and the challenges they face. It also analyses the contribution they could make to exploiting digital games for empowerment and social inclusion. Finally, it explores existing policy towards activities in these industries and markets, and draws conclusions as to the future policy relevance of engaging with them to support innovation and uptake of effective digital game-based approaches to empowerment and social inclusion.JRC.J.3-Information Societ

Model-Driven Cyber Range Training: A Cyber Security Assurance Perspective

Security demands are increasing for all types of organisations, due to the ever-closer integration of computing infrastructures and smart devices into all aspects of the organisational operations. Consequently, the need for security-aware employees in every role of an organisation increases in accordance. Cyber Range training emerges as a promising solution, allowing employees to train in both realistic environments and scenarios and gaining hands-on experience in security aspects of varied complexity, depending on their role and level of expertise. To that end, this work introduces a model-driven approach for Cyber Range training that facilitates the generation of tailor-made training scenarios based on a comprehensive model-based description of the organisation and its security posture. Additionally, our approach facilitates the auto- mated deployment of such training environments, tailored to each defined scenario, through simulation and emulation means. To further highlight the usability of the proposed approach, this work also presents scenarios focusing on phishing threats, with increasing level of complexity and difficulty

Gamification as a neuroergonomic approach to improving interpersonal situational awareness in cyber defense

In cyber threat situations, the establishment of a shared situational awareness as a basis for cyber defense decision-making results from adequate communication of a Recognized Cyber Picture (RCP). RCPs consist of actively selected information and have the goal of accurately presenting the severity and potential consequences of the situation. RCPs must be communicated between individuals, but also between organizations, and often from technical to non-/less technical personnel. The communication of RCPs is subject to many challenges that may affect the transfer of critical information between individuals. There are currently no common best practices for training communication for shared situational awareness among cyber defense personnel. The Orient, Locate, Bridge (OLB) model is a pedagogic tool to improve communication between individuals during a cyber threat situation. According to the model, an individual must apply meta-cognitive awareness (O), perspective taking (L), and communication skills (B) to successfully communicate the RCP. Gamification (applying game elements to non-game contexts) has shown promise as an approach to learning. We propose a novel OLB-based Gamification design to improve dyadic communication for shared situational awareness among (technical and non-technical) individuals during a cyber threat situation. The design includes the Gamification elements of narrative, scoring, feedback, and judgment of self. The proposed concept contributes to the educational development of cyber operators from both military and civilian organizations responsible for defending and securing digital infrastructure. This is achieved by combining the elements of a novel communication model with Gamification in a context in urgent need for educational input.publishedVersio