Use of Gamification in Security Awareness and Training Programs

The security reports are unambiguous: the human factor constitutes a real vulnerability in the information security domain. It is crucial that employees of companies and governments understand the risks and threats connected with use of \gls{it} systems, and act on the knowledge to prevent security breaches and leakage of sensitive information to cyber criminals or nation state espionage. It is assumed that security awareness and training programs are one of the primary ways of raising someone's conciousness and building competence in the field of information security. However, current programs are sometimes viewed as tedious and uninteresting by the employees that take them. Consequently, the programs fail to create the behaviour and competence needed for employees to anticipate and prevent security breaches. % Gamification & What is the study about Gamification is a design technique where elements from games are deployed in non-game contexts to increase user engagement and motivation. This thesis has taken a qualitative research approach to assess if and how gamification can be used in security awareness and training programs in order to defeat the tediousness and thus improve learning outcomes. The idea that has been studied is a long-term, continuous program that makes use of a gamified software application to mediate awareness and training material to employees. Qualitative data has been collected through interviews with security professionals and workshops with end users from two different Norwegian companies, in order to gain an understanding of the possibilities and limitations of the proposed concept. A prototype of a gamified application was developed to aid the research. The results indicate that gamification can have positive effects in combination with security awareness and training. Firstly, it was found that companies and employees often can have multiple common ambitions connected with the training; common goals that should be used as focus points in future programs. Secondly, it was discovered that employees would principally value factors such as progression and mastery as motivational stimulus in the training. Thirdly, results from the workshops suggests that gamification can increase motivation towards completing training, and potentially improve learning outcomes as a result of this. Conclusively, it was indicated that a long-term gamified training program, with use of short and concise exercises, could lead employees to think more about security during the daily work, which in turn suggests a potential for behaviour change