Gamifying Cybersecurity Awareness

This is my end-of-module essay for my postgraduate diploma that I wrote in 2021.

Introduction

In a connected world where people are getting access to ICT at younger and younger ages (Kritzinger, 2017), developing a sense of cybersecurity awareness is becoming increasingly important, especially in young children (Venter et al., 2019). In the past three years in the US, phishing complaints increased by over 900% while monetary loss in 2020 due to tech support scams reached more than $146 million, up from $38 million in 2018 (IC3, 2020, pp. 21–22). Cybersecurity awareness training is provided in workplaces and cybersecurity has even become part of some K-12 curricula, such as CSTA (Computer Science Teachers Association, n.d.), yet the IC3 report by the FBI suggests that cybercrime does not seem to be decreasing (IC3, 2020). Increasing cybersecurity awareness could potentially lower the ever-increasing cybercrime rate. Why does cybercrime keep increasing, despite efforts to increase cybersecurity awareness? Warnings and primings are common tools to raise awareness, but their effectiveness is questionable (Junger et al., 2017). Perhaps alternative methods of training need to be considered: methods that could not only increase cybersecurity awareness in adults but also foster it in young children.

Gamification is the application of game concepts to learning in the hopes of making it more engaging and entertaining, which increases learning, retention, and motivation (Parra-González et al., 2021). While traditional instruction or flipped learning might be useful for older students and adults, younger children learn better through play and a gamified approach (Parra-González et al., 2021). As such, gamification could be used to not only train adults but also young children, fostering cybersecurity awareness at a young age.

In this essay, literature will be reviewed on the use, application, efficacy, and feasibility of gamification in cybersecurity awareness training not only in the overall cybersecurity community but also in the context of schools. Propositions will be made on the application of these methods, as well as potential alternatives.

Literature summaries

Ros et al. (2020) focused on which gamification features lead to the greatest improvement in self-perceived success in the students, while also monitoring the impact of voluntary participation in the game and the overall effectiveness of gamification. The context of their study was an online cybersecurity course. They designed a digital video game containing metaphors for various aspects of security and gathered data through a questionnaire. It was noted that there was an increased dropout rate for students who did not play the game. It raised the question that perhaps students who were willing to play the game were already more engaged and motivated in the course. Ros et al. drew three conclusions. Firstly, the most important features were engagement and contextualization. Secondly, nonparticipation in voluntary activities could be a predictor for student dropouts. Lastly, gamification could be an effective supplement to traditional learning (2020).

Hart et al. (2020) commented on the lack of adaptability of current educational cybersecurity games and created an adaptable card game to test engagement and interest in gamified education in cybersecurity. They found that their game was more popular and effective with working adults than university students because the workers could more easily relate to the theme of the game (an office environment), while the students “missed the fun element” (2020, p. 11). Hart et al. pointed out that having a points system had a negative influence on their game, while a feedback system was better received by the participants. It was concluded that gamification could be an effective training tool if applied correctly (Hart et al., 2020).

Qusa and Tarazi (2021) wanted to test the effectiveness of gamified instruction. Their sample consisted of 30 individuals between the ages of 9 and 22, from different backgrounds and education levels. Qusa and Tarazi created a browser-based serious game centred around password creation. Multiple rounds of the game were played over two months, with each playthrough preceded by a pre-test and followed by a post-test where players were asked to compare different passwords. The results showed an average of 5% improvement after playing the game.

Reviewing the literature

Hart et al., Ros et al., and Qusa and Tarazi all agree that there is an increasing need to raise cybersecurity awareness and that gamification might be an engaging way to educate and train people from different backgrounds and skill levels (Qusa and Tarazi, 2021; Hart et al., 2020; Ros et al., 2020), based on the notion that people learn better through hands-on experience (Wolfenden, 2019).

Hart et al. (2020) and Ros et al. (2020) conducted empirical studies on the constructivist application of gameplay mechanics in an educational context and created educational cybersecurity games that focused on multiple aspects of cybersecurity. Qusa and Tarazi (2021) did not explicitly base their study on a particular pedagogical framework and only concentrated on password creation. Hart et al. (2020) wanted to assess the efficacy of their game in increasing cybersecurity awareness. Ros et al. (2020) had three research questions: “Which are the design elements of the game that influence students’ self-perception of learning success?”, “Does the students’ decision to play the game allow to detect any effect that could improve the teaching process?”, and “Is there any relationship between playing the game and better academic performance?” (2020, p. 97719). Qusa and Tarazi (2021) simply wanted to know if a gamified approach could be useful in educating users on password generation strategies.

Hart et al., Ros et al., and Qusa and Tarazi all used quantitative research methods. Hart et al. (2020) based their study on the Technology Acceptance Model, using Perceived Ease Of Use (PEOU), Perceived Usefulness (PU), and Intention To Use (ITU) as metrics. Meanwhile, Ros et al. (2020) used a Structural Equation Model with the metrics Perceived Usefulness (PU) and Confidence (CO), and Engagement (E) and Context (C) as external variables. Ros et al. noted an extreme lack of female participants in their study (only 2%), which further highlights the need to introduce cybersecurity awareness at the school level (Venter et al., 2019). Both studies gathered data through questionnaires utilizing a Likert scale of 1 to 5. Hart et al. noted a mean PU of 3.4 with students, while Ros et al. noted 3.68. Hart et al. also noted a PU of 4.3 with adults. The lower PU of students could be attributed to flaws with the games themselves, as Hart et al. noted that students struggled to find their game relatable, while Ros et al. noted that students did not always understand the metaphors in their game. Qusa and Tarazi (2021) conducted pre-tests and post-tests in which users were asked to compare the strengths of different passwords to see if there was an increase in knowledge gained. The small sample size in Qusa and Tarazi’s study (30 participants) calls the rigour of their study into question.

Hart et al. created a physical, multiplayer card game and tested it with two groups: working adults and college students. Hart et al. noted that students did not find their game fun (Hart et al., 2020, p. 8). This had a negative influence on the outcome, as students lacked engagement and motivation. Conversely, working adults were more engaged in Hart et al.’s game, as the scenario was more relatable to them (Hart et al., 2020, p. 8). Ros et al. created a digital mobile game based on metaphors (e.g. having the character wear a disguise to represent spoofing). They found that some of their metaphors were not clear and thus not necessarily effective. Ros et al. only tested their game with college students, though participation was voluntary in order to test their second research question. As a result, Ros et al. discovered that students who did not voluntarily play the game were more likely to drop out of the course and that playing the game could serve as a predictor for dropout rates. This could be attributed to student motivation and engagement, as highly motivated students might be more likely to invest time and effort into non-compulsory exercises like this. However, it is worth considering that the higher scores Ros et al. observed could be attributed to said motivation and engagement in the course itself, and not necessarily the game, thus potentially invalidating their third research question. Qusa and Tarazi created a digital video game and tested it with one group. Like Hart et al., Qusa and Tarazi recognized that fun is an effective motivator and source of engagement; however, they opted to use fear as a motivator instead, their argument being that it motivated students to “avoid the apparently bad consequences of their bad decisions” (Qusa and Tarazi, 2021, p. 0679). Qusa and Tarazi failed to provide a more detailed breakdown of their results in terms of age, education level and background. Considering the age gap between the youngest and oldest students, and the fact that some of the participants were already in IT-related programs (Qusa and Tarazi, 2021, p. 0680), there is a possibility of the results being skewed. The lack of a control group means Qusa and Tarazi were not able to determine if their gamified approach worked better than traditional instruction.

Hart et al. (2020) and Ros et al. (2020) noted the importance of feedback in educational games. Hart et al.’s game requires the presence of a trained specialist to give feedback to the players. The need for a specialist in Hart et al.’s game, alongside the formal theme of the game, caused some students to say that it felt more like a lecture than a game. This negatively impacted engagement among students. Ros et al. provided contextual feedback in-game, though they did not comment on the perceived impact of feedback in their study. Qusa and Tarazi (2021) similarly provided contextual feedback in the game but did not provide insight into the perceived effectiveness.

All three articles claimed that a gamified approach to cybersecurity education is more effective than traditional methods, leading to higher retention of knowledge and increased engagement in the topic (Qusa and Tarazi, 2021; Hart et al., 2020; Ros et al., 2020). However, all of the articles focused on a targeted increase in cybersecurity awareness, such as training in an organization, or as a supplement to traditional cybersecurity training (e.g., in the context of a university course). None of the articles mentions how cybersecurity awareness could be increased in the general public. None of the authors tested long-term retention of knowledge, though Hart et al. plan to conduct a longitudinal study on this (Hart et al., 2020, p. 11).

Conclusion

All of the above authors agree that gamification has potential as a learning method, especially with a targeted audience (Qusa and Tarazi, 2021; Hart et al., 2020; Ros et al., 2020). All three authors utilized serious games which have education as a primary goal and entertainment secondary (Laamarti et al., 2014, p. 3). Engagement and contextualization seem to be key factors in the efficacy of gamified approaches (Ros et al., 2020, p. 97725). This is confirmed by Hart et al., in that their game was better received with working adults, who were able to relate to the setting of the game (Hart et al., 2020, p. 8). Thus, when creating a serious game, the setting or theme of it is important to keep players engaged. When dealing with children this might become more difficult, as using metaphorical representations of cyber threats could lead to misinterpretations (Ros et al., 2020, p. 97722). Serious games aimed at children should not only use a setting and theme that children are familiar with but also explain cyber threats in a direct manner in a way that is easy to understand.

Many serious cybersecurity awareness games, such as those mentioned in the literature reviews of Hart et al. (2020, p. 2), Ros et al. (2020, p. 97719) and Qusa and Tarazi (2021, p. 0677), are aimed at specific sectors as training tools and can be completed in a short timeframe. Compare this with the gamified language learning mobile app Duolingo (Duolingo, 2011), which is aimed at the general public and promotes continuous, long-term engagement. Perhaps such a long-term app could help raise the overall cybersecurity awareness of the public? In that case, two challenges arise: how do we get users motivated to start playing of their own volition and how can we provide enough depth to the game to keep users engaged for an extended period? One suggestion is to focus on the entertainment value of the game and then add real cybersecurity elements. In other words, instead of serious games, perhaps we could look at commercial video games.

As an alternative to serious games, some commercial video games have entertainment as a primary goal yet could be used as an educational resource (Thomas and Clyde, 2013) and thus have education as a secondary goal. Currently, there are numerous commercial video games that could be used to learn programming skills, such as Screeps (Screeps LLC, 2015) and Human Resource Machine (Tomorrow Corporation, 2015). This solves one of the problems mentioned earlier since users are primarily interested in the entertainment value of the game and thus motivated by that. While there are games with hacking and security as a focus, such as Hacknet (Trobbiani, 2015), the majority of them are not realistic enough to classify as educational, though they could potentially elicit interest in cybersecurity from a player. A game with realistic cybersecurity issues could educate users on those issues. For example, a game could be from the point of view of a social engineer attempting to gain access to different systems using real attack methods such as phishing or spoofing. Users could be engaged in the act of hacking systems, while subconsciously learning real attack methods.

Children are exposed to ICT (and the related dangers) from a very young age, and cybersecurity awareness needs to be instilled early (Kritzinger, 2017). Some children might not enjoy video games, so other media such as television could also be considered to teach cybersecurity awareness, in much the same way Dora the Explorer (Nickelodeon Animation Studios, 2000) promotes the learning of Spanish. There are various educational children’s shows focusing on all kinds of subjects like science, mathematics and history; however, cybersecurity (and computer science, for that matter) is not a common topic (Common Sense Media, n.d.).

If applied correctly, gamification could be a useful tool in raising cybersecurity awareness in both adults and children. However, it should not be considered as the best or only solution. More rigorous research into the topic is required.

Bibliography

Common Sense Media (n.d.) Educational TV Shows for Kids [Online]. Available at https://www.commonsensemedia.org/lists/educational-tv-shows-for-kids (Accessed 14 April 2021).

Computer Science Teachers Association (n.d.) CSTA [Online]. Available at http://www.csteachers.org (Accessed 9 April 2021).

Duolingo (2011) Duolingo [Online]. Available at https://www.duolingo.com/.

Hart, S., Margheri, A., Paci, F. and Sassone, V. (2020) ‘Riskio: A Serious Game for Cyber Security Awareness and Education’, Computers & Security, vol. 95, p. 101827 [Online]. DOI: 10.1016/j.cose.2020.101827.

IC3 (2020) Internet Crime Report 2020, Federal Bureau of Investigation [Online]. Available at https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.

Junger, M., Montoya, L. and Overink, F.-J. (2017) ‘Priming and warnings are not effective to prevent social engineering attacks’, Computers in Human Behavior, vol. 66, pp. 75–87 [Online]. DOI: 10.1016/j.chb.2016.09.012.

Kritzinger, E. (2017) ‘Growing a cyber-safety culture amongst school learners in South Africa through gaming’, South African Computer Journal, vol. 29, no. 2 [Online]. DOI: 10.18489/sacj.v29i2.471 (Accessed 13 April 2021).

Laamarti, F., Eid, M. and El Saddik, A. (2014) ‘An Overview of Serious Games’, International Journal of Computer Games Technology, vol. 2014, pp. 1–15 [Online]. DOI: 10.1155/2014/358152.

Nickelodeon Animation Studios (2000) ‘Dora the Explorer’, Dora the Explorer, Nickelodeon [Online]. Available at https://www.imdb.com/title/tt0235917/.

Parra-González, M. E., López-Belmonte, J., Segura-Robles, A. and Moreno-Guerrero, A.-J. (2021) ‘Gamification and flipped learning and their influence on aspects related to the teaching-learning process’, Heliyon, vol. 7, no. 2, p. e06254 [Online]. DOI: 10.1016/j.heliyon.2021.e06254.

Qusa, H. and Tarazi, J. (2021) ‘Cyber-Hero: A Gamification framework for Cyber Security Awareness for High Schools Students’, 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC), NV, USA, IEEE, pp. 0677–0682 [Online]. DOI: 10.1109/CCWC51732.2021.9375847 (Accessed 12 April 2021).

Ros, S., Gonzalez, S., Robles, A., Tobarra, Ll., Caminero, A. and Cano, J. (2020) ‘Analyzing Students’ Self-Perception of Success and Learning Effectiveness Using Gamification in an Online Cybersecurity Course’, IEEE Access, vol. 8, pp. 97718–97728 [Online]. DOI: 10.1109/ACCESS.2020.2996361.

Screeps LLC (2015) Screeps, Screeps LLC [Online]. Available at https://screeps.com (Accessed 9 April 2021).

Thomas, C. M. and Clyde, J. (2013) ‘Game as Book: Selecting Video Games for Academic Libraries based on Discipline Specific Knowledge’, The Journal of Academic Librarianship, vol. 39, no. 6, pp. 522–527 [Online]. DOI: 10.1016/j.acalib.2013.07.002.

Tomorrow Corporation (2015) Human Resource Machine [Online]. Available at https://tomorrowcorporation.com/humanresourcemachine (Accessed 9 April 2021).

Trobbiani, M. (2015) Hacknet [Online]. Available at https://hacknet-os.com/ (Accessed 9 April 2021).

Venter, I. M., Blignaut, R. J., Renaud, K. and Venter, M. A. (2019) ‘Cyber security education is as essential as “the three R’s”’, Heliyon, vol. 5, no. 12, p. e02855 [Online]. DOI: 10.1016/j.heliyon.2019.e02855.

Wolfenden, B. (2019) ‘Gamification as a winning cyber security strategy’, Computer Fraud & Security, vol. 2019, no. 5, pp. 9–12 [Online]. DOI: 10.1016/S1361-3723(19)30052-1.
