SP2022: The use of Game-based Learning in Training and Achievement of Cyber Security Literacy in Business (Caitlyn Gaugler)

Title: “The use of Game-based Learning in Training and Achievement of Cyber Security Literacy in Business”

Author: Caitlyn Gaugler

Introduction

In this e-book, we will be examining the effectiveness of game-based learning in the private sector where businesses aim to tackle the pressing matter of cyber security. 

Cyber security

In an age where much of the world is working collaboratively, remotely, or over the internet, the topic of cyber security is a hot one. From network security, application security, and operational security to disaster recovery, business continuity, and end-user education, there is much to be protected from threats. Cyber security is understood as “the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It’s also known as information technology security or electronic information security” (Kaspersky, 2022).

The main concern for most businesses revolves around the end users (employees), who are the primary users and the most unpredictable security factor in an otherwise secure system. End users are preyed upon with general threats, such as suspicious e-mail attachments and unidentified USB or wireless devices. They are also targeted with more personalized threats, such as an e-mail that resembles one from their supervisor, or one that appears to come from a coworker, contains personal details, and asks for login information. Cyber solutions company Kaspersky notes, “Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization” (Kaspersky, 2022). It’s no surprise that the private sector has responded to increased threats with increased cyber security education for employees.

To strengthen the end-user layer of defense, companies have turned to an educational approach through cyber security training for non-experts. These educational interventions can range from something as simple as an e-mail sent out with do’s and don’ts to web-based learning and even classroom awareness sessions. Not all educational interventions are created equal. Ernst & Young describes the pitfalls of cyber security education and why many organizations’ cyber security educational interventions are ineffective:

  1. They lack proper success metrics – the focus is on knowledge when it should be behavior: “What the metric does not reflect is the culture change you want to achieve as a result. People are often very skilled at recognizing the correct answer at the end of the quiz, but do not apply this knowledge during their working activities.”
  2. They lack regular content updates – fail to keep up with the tempo of cybercriminals: “Frequently updating the topics and their content is a strong requirement within a dynamic threat landscape.”
  3. They lack regular engagement – awareness is delivered as a “one-off” exercise: “The focus of such an approach is in having a periodic ‘one-off’ exercise, leaving out more regular engaging campaigns.”
  4. They lack engaging content – fail to grab people’s attention: “Often you start with good intentions reading through the content with a half eye, but end up clicking through the slides as fast as possible to “tick the box”. This type of content is not engaging enough and diminishes the effectiveness of training.”
  5. They lack alignment to business risk – use generic campaigns: “Generic campaigns that are not aligned with the actual business risk often miss the point, as the audience does not recognize themselves or the organization.” (Ghigny et al., 2020)

Ernst & Young’s approach to cyber security education follows gamification and game-based learning. The firm describes gamification as a tool of interest for “changing perception and attitude and provides a hands-on approach to learning.”

Game-based Learning

Game-based learning and gamification are terms that often occur together, and some uses may lead people to believe they are interchangeable. The differences between gamification and game-based learning are, however, fairly stark. While gamification borrows elements and principles from games, it can be applied in a non-gaming context. It focuses on teaching new skills and knowledge and on modifying behaviors through gaming mechanics. Meanwhile, game-based learning is “an effective method to provide training to the users. Serious games are games that are designed with a purpose rather than just intended for pure entertainment. They are proved to be effective tools for training and achieving a behavioral change. Such methods of using games for training is also referred to as games based learning approaches” (Alotaibi et al., 2016).

Game-based learning has seen increased use in training environments because it is engaging, supports critical thinking, and can be used to repackage existing eLearning content in a format where retention may be higher. Game-based learning appeals to employees across the generational spectrum. When used in a learning context, GBL games can:

  - Encourage strategic thinking.
  - Provide an opportunity for practice.
  - Enhance motivation among disengaged learners.
  - Promote healthy competition.
  - Improve self-directed learning and independent thinking.
  - Foster collaboration.
  - Create a safe environment for learning through experimentation and trial and error.
  - Help develop a spirit of patience and persistence among learners (Pandey, 2020).

Game-based Learning as a potential solution

Game-based learning, when geared toward professional development, is advantageous in multiple ways. It’s an ideal format for knowledge reinforcement, as it can help cement existing prior knowledge, refresh an employee’s memory, or introduce new knowledge. Employees can apply what they’ve learned in a simulation in a real-world context, and they’re able to try multiple approaches in a risk-free environment. Unlike the real world, where a mistake could cause financial or reputational consequences, game-based learning allows learners to learn through trial and error. Described as mistake-driven learning, game-based eLearning games are “all about making mistakes and learning from them. Staffers are able to take calculated risks that may not pay off. But they still get something from the experience. They can evaluate their own performance and see where they went wrong and how to improve. Especially if you pair it with targeted feedback and online training recommendations” (Pappas, 2020).

Game-based learning is also an effective performance management tool. Games can provide personalized and discrete feedback where players can identify personal weaknesses and areas to improve upon as they progress through the game. Overall, game-based learning provides a great opportunity for engaging learning that allows for learners to develop or refine knowledge, identify opportunities for personal improvement, and mitigate the risks that may come with making mistakes in the real-world context instead of inside a game. 

Case Overview

This case follows UK-based researchers and the participants in their study of a mobile learning game, which they developed in response to the scarce utilization of cyber security training in the private sector. The researchers described a problem where enterprises were, on average, losing half a million dollars from security attacks while, in 2017, only 20% of UK companies had their staff receive training on cyber security. The researchers decided to take a game-based learning approach, particularly mobile learning, to address the gap. They selected this approach after reviewing a study which compared the use of text, videos, and games in cyber security and found the game-based method was more effective in teaching users how to avoid phishing scams than text-based or video-based methods.

The study follows 17 participants, 8 males and 9 females. The participants came from a variety of industries, such as manufacturing, healthcare, and online publication industries. Six of these participants were managers in the aforementioned industries. The remainder were non-management employees from other sectors and students. The study participants were selected using convenience sampling, and all were contacts of the researcher. The participants were said to not be experts in cyber security and were not previously involved in the development of the application or any prior iterations or prototypes. The researchers describe the project as follows: “We trialed the app with 17 participants with the aim to: (1) test which elements of the game hold potential for fostering engagement with cyber security and (2) understand how users interpret and react to a playful provocation of being made to feel solely responsible for their organizations cyber security, shining a light on the implicit positioning of users as the weakest link in cyber security literature” (Filipczuk et al., 2019).

The application covered learning materials grouped under the following categories: passwords, phishing, social engineering, virus/malware and data protection. 

Solutions Implemented

Researchers in this study created a mobile-learning, or m-learning, game with the intention of “fostering participation of cyber security awareness in offices” (Filipczuk et al., 2019). Mobile learning is a useful tool for solving problems, building skills, and building knowledge in a “real world context”; the aim should be to support successful performance by using the right tool for the job (Reiser & Dempsey, 2017).

The game has the player play as an employee at a fictional company where they must make optimal choices throughout the game to avoid being fired for making poor cyber security choices. The game play has multiple choice quizzes which introduce a scenario before displaying the question and up to four choices. When a user selects an answer, they are presented with a dialog box displaying information relevant to the question. This repeats for the duration of the quiz. The goal is to answer all questions, getting fewer than three incorrect. Upon passing, the user is shown the number of questions they got correct in each category and their final score. They can navigate to the summary which displays a breakdown of their past scores and which educational material pages they have read. If the user fails the quiz, a button takes them to the learning material of the failed section – once they read the material, they can retake the quiz. A leaderboard allows users to benchmark themselves and compete with others. A number of parameters are logged, including the results of each individual quiz attempt, which questions the participant answered correctly/incorrectly, the outcome of the quiz, the time taken to complete it and which learning material pages have been read (Filipczuk et al., 2019).   

Users are also given the option to explore topics under the categories of passwords, phishing, social engineering, virus/malware and data protection prior to taking a quiz. Based on a review of existing products and literature, these categories were deemed the most important areas of cyber security for non-expert professional knowledge workers to be made aware of. As a means of tapping into valuable prior knowledge, the researchers describe how they made the information relevant to employers and managers by “design[ing] the app to be capable of providing an assessment of all users’ current knowledge with a short interaction time, using a multiple choice quiz format” (Filipczuk et al., 2019).

As mentioned previously, the advantage of game-based learning is its ability to allow players to make and learn from mistakes in-game rather than in a real-world context. In the application, if a participant failed the quiz or was “fired” in the game, they were asked to revise their answer after reading the information related to the incorrectly answered questions. This was repeated until they passed the quiz.

Outcomes

The results of the study showed that all participants passed the quiz in fewer than five attempts. The majority of users took between 5 and 10 minutes to pass. Of the seven participants who passed on their first attempt, six indicated they had received at least some level of cyber security education prior to this study. Conversely, all but one of the 10 participants who did not manage to pass the quiz the first time indicated that they had never received cyber security education. 67% of the ‘employers’ group passed the quiz successfully the first time, whereas only 27% of the ‘general population’ group were able to do so. The content of the app in its current state was deemed to be relevant and of sufficient detail for understanding, as confirmed by 15 participants. Additionally, the 15 participants agreed the app increased their awareness of cyber security issues (Filipczuk et al., 2019).

The app was evaluated by participants with a closing questionnaire following each quiz using Likert scale responses (1 = strongly disagree to 7 = strongly agree). The questions related to the app’s design and usability, the participants’ learning experience, changes to their self-reported cyber security literacy, and their opinions on the scenario of the app (whether an employee would be fired or not based upon their cyber security choices). The researchers justified this final question by their interest in “how users responded to this notion of responsibility and the palatability of a dark humour approach, in preference to the positive (and more common) storyline of the user becoming a hero, e.g. saving their company from malicious attack” (Filipczuk et al., 2019).

The goal when creating the app was to improve the cyber literacy of employees in order to reduce a company’s risk of a cyber security breach. The preliminary findings following the study suggest that an increase in cyber security literacy from using the game is feasible, and within a short interaction time (<10 minutes) as well. Participants’ interaction times were tied to their prior knowledge: users with higher levels of background knowledge completed the game faster than those without prior knowledge. This suggests that a quiz-based platform may “be suitable for the time-constrained context of office environments, offering time-saving advantages over traditional workplace e-learning platforms (e.g. Health and Safety) where all users must navigate through all scenarios. Additionally, the design benefits employers by ensuring a given level of competency among staff and providing a rough estimation of overall human security risks in an organisation” (Filipczuk et al., 2019).

Implications

The development of an m-learning application in this study was ultimately a success. The majority of participants reported an improvement in their cyber security literacy following completion of the game. The participants who did not experience a drastic improvement in their cyber security literacy noted they had prior knowledge going into the study, but these participants were overwhelmingly the minority.

In a similar study with an app called CyberAware, 43 school-aged children used the mobile game-based solution to focus on topics of firewall technologies, antivirus software, security patches and updates, and e-mail spam folders. CyberAware focused on a mix of technical aspects in addition to the pedagogical framework of the ARCS (attention, relevance, confidence, and satisfaction) motivation model. The goal for the environment was for students to be motivated “to not only understand the various concepts being taught, but also to recognize their application in various real-life situations as well” (Giannakas, Kambourakis, & Gritzalis, 2015).

Similar to the case study, CyberAware was able to double the proficiency of learners in cyber security literacy. Despite the many claims of success in the use of game-based learning in other subjects, the area of cyber security is still relatively new. “Various studies have been reviewed, out of which most of the studies have indicated positive results in using gaming technologies as a tool for creating awareness and training. However few studies are not evaluated and few of them used small sample population in the studies. From the review it is evident that there is a need for in-depth and robust evaluations to conclude the effectiveness of serious games for cyber security, and also the need for using large sample population in these studies” (Alotaibi et al., 2016).

In the face of a growing number of cyber security threats, it’s imperative employees are receiving effective educational interventions surrounding cyber security literacy to protect their personal data and company data. Despite the infancy of game-based learning in cyber security education, the results have been impressive in improving attitudes towards security where users feel greater ownership of the risk and the learners have gained new knowledge that can be extended to future threats as they are developed. 

 

Works Cited:

Alotaibi, F., Furnell, S., Stengel, I., & Papadaki, M. (2016). A Review of Using Gaming Technology for Cyber-Security Awareness. International Journal for Information Security Research, 6. https://doi.org/10.20533/ijisr.2042.4639.2016.0076

Filipczuk, D., Mason, C., & Snow, S. (2019). Using a game to explore notions of responsibility for cyber security in organisations. Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems. https://doi.org/10.1145/3290607.3312846 

Giannakas, F., Kambourakis, G., & Gritzalis, S. (2015). CyberAware: A mobile game-based app for cybersecurity education and awareness. 2015 International Conference on Interactive Mobile Communication Technologies and Learning (IMCL), pp. 54-58. https://doi.org/10.1109/IMCTL.2015.7359553

Ghigny, B., Machilsen, K., & Vandenbroeck, D. (2020, September 24). Why gamification might be the right answer for your Organization’s cybersecurity awareness. EY US – Home. Retrieved April 24, 2022, from https://www.ey.com/en_be/cybersecurity/why-gamification-might-be-the-right-answer-for-your-organization 

Kaspersky. (2022, March 30). What is cyber security? www.kaspersky.com. Retrieved April 24, 2022, from https://www.kaspersky.com/resource-center/definitions/what-is-cyber-security 

Pandey, A. (2020, September 22). 5 Strategies for Using Game-based Learning to Drive Learner Engagement and Motivation. Training Industry. Retrieved April 24, 2022, from https://trainingindustry.com/articles/content-development/5-strategies-for-using-game-based-learning-to-drive-learner-engagement-and-motivation-spon-eidesign/ 

Pappas, C. (2020, December 4). Serious Games Success: 6 Insider Secrets To Engage And Educate. eLearning Industry. Retrieved April 24, 2022, from https://elearningindustry.com/successful-serious-games-insider-secrets-to-engage-and-educate 

Reiser, R. A., & Dempsey, J. V. (2017). Trends and issues in Instructional Design and Technology. Pearson. 
