Use of gamification to increase IT security in organizations

Contact person: Denitsa Kirova

IT security is a system property that is specified by a number of criteria. The criteria most frequently used in the literature (also known as IT security properties) are availability, confidentiality and integrity (Dhillon and Backhouse 2000; Eckert 2013, p. 6 ff.). Ensuring IT security is currently a basic requirement for achieving the goals of any organization.

Organizations are understood as complex, socio-technical systems (Cartelli 2007) in which people and machines interact with each other increasingly intensively. Consequently, to establish and ensure a desired level of IT security in an organization, procedures are needed that address both the technical and social "parts" of the system (Dhillon and Backhouse 2000; Kayworth and Whitten 2010).

In the early 2000s, IT security was considered an IT department problem (Dhillon and Backhouse 2000). Most traditional IT security assurance practices, which generally predate this time, such as checklists, standards, and maturity models, take a technical view of the IT security problem (Siponen 2005). Increasingly, however, the importance of the human factor in this area is being recognized. Humans are considered the "weakest link" in an IT security system (Aurigemma and Panko 2012). Studies from recent years show that human error is one of the main reasons for the increase in IT security incidents (e.g., Ponemon 2015; BSI 2015). This includes, for example, errors in the operation of IT systems and a lack of knowledge and awareness regarding IT security. These "gaps" in organizational IT security are countered by various measures, such as training and awareness programs. The goal of these measures is to "engender" behavior that is compliant with the organization's IT security goals and principles (Kayworth and Whitten 2010). Even though training and awareness programs are already part of organizations' IT security policies, the results of the above studies show that they are not very effective. Procedures for developing and implementing training and awareness programs are therefore needed that are both effective and promising.

Gamification is an approach to encourage certain behaviors, such as increased engagement or increased productivity (Robson et al. 2016). It describes the application of game design elements in a non-game context (Deterding et al. 2011). It has been used and studied in teaching and for marketing purposes since about 2010 (Hamari, Koivisto, and Sarsa 2014; Roselli and Rossano 2015). In the field of IT security education, games or game-based applications have been used, mainly in the U.S., since 1999. These applications are largely developed by and used in defense and military agencies to train IT security professionals (Pastor, Díaz, and Castro 2010). While the integration of gamification in university programs for computer science students and the enhancement of "gamified" applications (Nagarajan et al. 2012) have been investigated in research, studies on the use of gamification to enhance IT security in an organizational context are lacking.

The dissertation project at the Chair of Business Administration, in particular Information Management at the FernUniversität in Hagen, Germany, addresses the question of how gamification can be used in an organization to increase the IT security competence of organizational members and thus contribute positively to establishing and ensuring the desired level of IT security. The research project is based on a design-oriented approach (Design Science) (Hevner et al. 2004).


Sources:

Aurigemma, Salvatore and Raymond Panko. 2012. A Composite Framework for Behavioral Compliance with Information Security Policies. In: Proceedings of the Annual Hawaii International Conference on System Sciences, 3248–3257. IEEE.

BSI. 2015. Cyber-Sicherheits-Umfrage 2015: Ergebnisse. Bonn.

Cartelli, Antonio. 2007. Socio-Technical Theory and Knowledge Construction: Towards New Pedagogical Paradigms? Issues in Informing Science and Information Technology 4: 1–14.

Deterding, Sebastian, Rilla Khaled, Lennart E. Nacke and Dan Dixon. 2011. Gamification: Toward a Definition. In: CHI 2011 Workshop Gamification: Using Game Design Elements in Non-Game Contexts. Vancouver: ACM.

Dhillon, Gurpreet and James Backhouse. 2000. Information System Security Management in the New Millennium. Communications of the ACM 43, no. 7: 125–128.

Eckert, Claudia. 2013. IT-Sicherheit: Konzepte - Verfahren - Protokolle. 8th ed. München: Oldenbourg Wissenschaftsverlag GmbH.

Hamari, Juho, Jonna Koivisto and Harri Sarsa. 2014. Does Gamification Work? - A Literature Review of Empirical Studies on Gamification. In: Proceedings of the 47th Hawaii International Conference on System Sciences, 3025–3034. IEEE.

Hevner, Alan R., Salvatore T. March, Jinsoo Park and Sudha Ram. 2004. Design Science in Information Systems Research. MIS Quarterly 28, no. 1: 75–105.

Kayworth, Tim and Dwayne Whitten. 2010. Effective Information Security Requires a Balance of Social and Technology Factors. MIS Quarterly Executive 9, no. 4: 163–175.

Nagarajan, Ajay, Jan M. Allbeck, Arun Sood and Terry L. Janssen. 2012. Exploring Game Design for Cybersecurity Training. In: Proceedings of the 2012 IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems, 256–262. Bangkok: IEEE.

Pastor, Vicente, Gabriel Díaz and Manuel Castro. 2010. State-of-the-art Simulation Systems for Information Security Education, Training and Awareness. In: Education Engineering (EDUCON), 2010 IEEE, 1907–1916. Madrid: IEEE.

Ponemon. 2015. 2014: A Year of Mega Breaches.

Robson, Karen, Kirk Plangger, Jan H. Kietzmann, Ian McCarthy and Leyland Pitt. 2016. Game on: Engaging Customers and Employees through Gamification. Business Horizons 59, no. 1: 29–36.

Roselli, Teresa and Veronica Rossano. 2015. Focus on: Gamification and Serious Game for Learning. Journal of e-Learning and Knowledge Society (Je-LKS) 11, no. 3: 7–12.

Siponen, Mikko T. 2005. An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice. European Journal of Information Systems 14, no. 3: 303–315.

B*IMA | 09.04.2024