Chapter 5

Gamification of Information Security Awareness Training

Guillermo Francia III, David Thornton, Monica Trifas and Timothy Bowden, Jacksonville State University, Jacksonville, AL, USA

The need for well-trained Information Security and Assurance (ISA) professionals, as well as general information security awareness, has increased considerably in the last decade and shows no sign of slowing. To address this need, both industry and academia have been driven to innovative approaches. The use of digital games and game mechanics to further education has received growing attention and respect in the last several years. There is strong evidence that thoughtful employment of gaming elements can improve motivation and understanding. This paper provides a broad background on the topics of game-based learning, gamification, and serious games. Further, it describes our ongoing approach to developing and promoting digital games for information security awareness, including two game designs and a gamification system architecture.

Keywords

information security awareness; training; gamification; learning; serious games

Information in this chapter

• Information security and awareness

• Gamification of training

• Game design and implementation

• Student learning

• Information security awareness metrics

Introduction

The need for well-trained Information Security and Assurance (ISA) professionals, as well as general information security awareness, has never been more pronounced, as shown by current news reports. To address this need, both industry and academia have been driven to innovative approaches. The use of digital games and game mechanics to further education has received growing attention and respect in the last several years. Numerous indications suggest that thoughtful employment of gaming elements can improve motivation and understanding. In this chapter, we describe our on-going project toward the gamification of information security awareness training.

Teaching concepts to children through digital games has received increased attention over the last few years. In fact, a school called Quest to Learn, which educates children in almost every subject through gameplay, opened in 2009 in New York. Even at the college level there has been an increased level of research and attention paid to learning in gaming environments such as Second Life. In the July 2007 issue of Communications of the ACM, Michael Zyda stated that youth spend a great deal of time playing video games, with some game developers claiming from 18,000 to 180,000 years of aggregate in-game play for their games [1].

One of the more vocal proponents of game-enhanced pedagogy is James Gee. He lists 13 principles employed in game design that are also good principles of teaching and learning: co-design, customization, identity, manipulation, well-ordered problems, pleasantly frustrating problems, cycles of expertise, just-in-time and on-demand information, fish tanks, sandboxes, skills as strategies, system thinking, and meaning as action image [2].

Many of Gee’s principles can be mapped directly onto the educational psychology literature, which has a great deal to say about what components should be incorporated into an ideal game-enhanced pedagogy based on the findings of best practices in teaching [3,4]. First, challenging (pleasantly frustrating) goals are essential for increasing student motivation [5]. However, students must be given a great deal of scaffolding (well-ordered problems and just-in-time information) to help them reach these goals. That is, instructors must adjust the amount of guidance they give to fit the student’s current performance level. When the task or concepts are new, the instructor is more likely to give directive feedback and explicit instruction, but as the student’s competence increases, the scaffolds are removed and less guidance is given. Instructors also must set smaller, proximal goals, which students can more easily reach on their way to larger goals [6]. Feedback has also been found to be one of the most essential tools in increasing student persistence and understanding in courses [5].

As the video game industry grows to rival the movie industry, many wonder whether digital games can be anything more than an amusing time sink. Merrilea J. Mayo, director of the Government-University-Industry Research Roundtable at The National Academies, argues that video games could provide effective science and engineering education for the following five reasons:

• Sophisticated video games appeal to a wide audience.

• Students are not limited to the classroom setting and can play games any time.

• Video games are compelling and engaging.

• Video games stimulate chemical changes in the brain that promote learning.

• Initial studies show teaching through games to be more effective than the classic lecture.

Several well-known gamification proponents have applied the approach at the secondary as well as post-secondary education levels. Paul Andersen, AP Biology instructor, received the 2011 Teacher of the Year award at the Montana Professional Teaching Foundation, in part for his gamified classroom. He presented a TED talk entitled Classroom Game Design [7], in which he describes how the use of leaderboards, points, and leveling helped to increase motivation and improve learning. Lee Sheldon, associate professor and co-director of the Games and Simulation Arts program at Rensselaer Polytechnic Institute, has employed gamification techniques in his university courses with great success. His book, The Multiplayer Classroom [8], outlines strategies for converting a standard course into a “gamified” course.

Jane McGonigal, author of Reality Is Broken [9], believes that games have the power to not only entertain but improve the world. She claims that multiplayer games teach people how to work more effectively in teams and that games allow people to sublimate stress. Further, McGonigal believes that the problem-solving components of games can be leveraged to make us innovators in truly important global issues like poverty and climate change.

Literature review

General concepts

In [10, p. 2], Quitney and Rainie define “gamification” as “interactive online design that plays on people’s competitive instincts and often incorporates the use of rewards to motivate action that may include, among other things, virtual rewards such as points, payments, badges, discounts, and free gifts.” Gamification—applying the mechanics of gaming to nongame activities—is a new strategy used for influencing and motivating groups of people. The business community started to realize the power it has to improve customer engagement, build loyalty, and offer incentives to employees and partners to perform at high levels. This concept has the potential to solve a variety of problems outside the business world as well, in areas such as:

• Health and wellness: health care cost containment, obesity programs, and smoking cessation

• Education and training: e-learning, corporate and vocational training, and on-line testing

• Public policy and government: education reform, climate change, and welfare reform

The technology consultancy firm Gartner projected that 50 percent of corporate innovation will be “gamified” by 2015. Another consulting firm, Deloitte, cited gamification as one of its top 10 technology trends for 2012 and predicted that serious gaming simulations and game mechanics such as leaderboards, achievements, and skill-based learning will be embedded in day-to-day business processes [11].

According to Quitney and Rainie [10], digital games generated $25 billion in sales in 2010, and their popularity is regarded as driving the Internet adoption of elements of gamification.

The rapid development of social networks, currently used by 70 percent of American Internet users, provides reward and status elements, which are embedded in implicit and explicit forms in the users’ interactions with online communities.

Other applications of gamification, in addition to marketing, status and community building, and skills development, include education and problem solving. Games like Foldit, designed by a group of researchers at the University of Washington [12], have helped to produce real-world benefits. In this game, players generated a crowd-sourced discovery of a key protein component that may be helpful in HIV research.

Gamification, while a slightly ambiguous term, is probably best described as the use of design elements that are characteristic of digital games in non-gaming contexts. Common game elements include, but are not limited to, the following:

• Leaderboards

• Points (XP)

• Leveling (often with titles)

• Achievements

• Loot (or spendable resources)

• Instant feedback

• Clearly defined work/reward cycles

• Social elements

• “Boss” battles

Some popular examples of gamification include Microsoft’s Ribbon Hero, which awards users with points, levels, and achievements for completing tutorial sequences. Other popular games, like Fitocracy and Chore Hero, convert activities that are often perceived as arduous into an entertaining diversion by leveraging social aspects, leveling up, and competition (via leaderboards). In pedagogy, gamification can be applied to at least three different approaches: (1) playing educational games, (2) making educational games, and (3) making the program of study itself “game-like.”

Serious games

Though many games are entertaining by nature, a well-designed game has the potential to confer serious benefits. Clark Abt, a war-games and simulation-training specialist, said the following in his 1968 book Serious Games: “[Games] have an explicit and carefully thought-out educational purpose and are not intended to be primarily for amusement. This does not mean that serious games are not, or should not be, entertaining” [13, p. 9]. While there is no clear-cut definition of serious games, a primary component of a serious game is the delivery of learning objectives through engaging and interactive gaming components.

Games adoption in multiple domains

Military training and learning have a long history of using immersive 3D technologies and gaming methods to improve learning outcomes. For the past several years, the US military has recognized the value of using video games for training to accommodate the media preferences of the military personnel and to leverage the fidelity of the technology. Middle Eastern cultural training is a key component of this initiative. The Institute for Creative Technology (ICT) at the University of Southern California (USC) is a major developer of interactive military training modules. The Enhanced Learning Environments with Creative Technologies (Elect) suite of products utilizes the PsychSim social simulation system, which seeks to understand social simulations [13,14]. Elect employs an intelligent coach and tutor to provide the student with pedagogical feedback about social and cultural issues.

The training system Virtual BattleSpace 2 is a fully interactive, three-dimensional gaming system used by the UK army for customized training. It can be used to simulate real terrains and equipment for a multitude of training exercises. The training applications include convoy driving, unmanned vehicle flying, and soldier training and debriefing, among others [15].

The application of serious games dealing with health issues is another area of considerable growth. The Annual Conference on Games for Health is experiencing a steady increase in participation [16]. Health games for practitioners, like the Hollier Simulation Centre pilot program in the United Kingdom, allow junior doctors to experience and train for a variety of medical scenarios by employing computerized mannequins as patients [17]. The learning process occurs through hands-on experiences and session reviews of digital recordings.

According to IBM, serious games will be used by between 100 and 135 of the Global Fortune 500 by 2012. In a study of the relationship between leaders in massively multiplayer online role-playing games (MMORPGs) with real-world leadership, IBM stated the following: “The organizational and strategic challenges facing players who serve as game leaders are familiar ones: recruiting, assessing, motivating, rewarding, and retaining talented and culturally diverse team members; identifying and capitalizing on the organization’s competitive advantage; analyzing multiple streams of constantly changing and often incomplete data in order to make quick decisions that have wide-ranging and sometimes long-lasting effects” [18, p. 1].

Digital games can play an important role in education or training. Some instructors have been using immersive environments and gaming technology in order to reach their students. This shift in teaching practices has been supported by advances in gaming technology and realism. Nowadays, it is less expensive to develop digital games because of availability of game engines, games middleware, and mods (modified versions of existing games); these tools make it possible for people with little or no programming experience to develop digital games. Instructors who are interested in creating educational digital games can focus on the educational features rather than the underlying technology.

Benefits of digital games

Digital games can develop cognitive, spatial, and motor skills. Teachers can use games to emphasize facts, principles, and complex problem solving. Games can also be used to increase creativity or to provide practical examples of concepts and rules that may be difficult to illustrate in the real world. Teachers can make use of games to perform experiments that could be dangerous when performed in real life, such as experiments that use hazardous materials and equipment. While games are often not explicitly educational, they possess intrinsic qualities that challenge learners’ cognitive abilities. Playing well-designed games has the potential to increase the time students spend learning, increase difficulty along with their ability, and allow them to fail without fear.

Gamification system

System architecture

A basic gamification system architecture is shown in Figure 5.1. The two servers facing the Internet are publicly accessible for registered users. The Game Server is a main file transfer machine where games, which are categorized by platform, can be downloaded. The Platform Conversion Server serves as a conversion system for users to convert their games to a desired operating system platform. The three servers on the backend serve three functions: (1) as a repository for all the games that were developed, (2) as a user and system data collection system, and (3) as a development and testing platform for games and other applications.


Figure 5.1 Information security awareness gamification system architecture.

Software tools

GameMaker is an easy-to-learn, multiplatform, highly configurable game engine produced by YoYo Games. It supports fast application development through built-in libraries and functions relevant to digital gaming. It was created by Professor Mark Overmars, head of the Center for Advanced Gaming and Simulation at Utrecht University. GameMaker’s features include the following: AI path-finding, advanced collision detection, animated graphics, built-in image editor, particle effects, joystick/gamepad support, multi-channel audio/video playback, and a powerful scripting language.

One of the most useful features of GameMaker is its multi-format export feature. Once a game is developed, it can be released for multiple platforms, including Apple iOS, Android, and HTML5. The engine is well documented, and the company website (www.yoyogames.com) features a vast library of tutorials and sample games, many of them user-submitted.

Best of all, GameMaker features a graceful learning curve because of its visual programming style and its scripting language, GML. Students can create a bare-bones prototype in hours and a working game in just a few weeks. One of the authors of this chapter has employed this engine since 2007 in his game design courses. Student teams have completed over 75 games under his supervision. He also teaches numerous game programming seminars each year with middle and high school students.

Game design

Our design methodology is guided by Zichermann and Cunningham’s work on game design elements [19]. Each of these elements is briefly described as follows:

Point Systems are perhaps one of the important components of a gamification system. They provide measures to track the progress of the game, the skill of the player, the interaction between the player and the game, and the status of the player.

Levels provide a measure of the status of difficulty. A good gaming system must let the player move seamlessly to each level of difficulty with a reasonable amount of challenge.

Badges provide tokens of achievement toward the goal, indicating and encouraging progress.

Leaderboards provide a ranking of players and a quick comparison. This component may also be a motivational tool for the player to keep on improving in order to attain a certain status.

Challenges and quests keep the player engaged by providing the player with activities and pursuits that will constantly challenge the player’s skills.

Onboarding provides a way to delicately usher a novice player into the gamification system. The system must facilitate this transition because the first few minutes of the game are the most critical in determining whether the player embraces the system or not.

Engagement Loops get the player engaged in the system, determine the manner in which the player disengages from the system, and get the player re-engaged with the system.

Storyboards

Password awareness game

Figure 5.2 depicts the main menu for Brute Force, an educational game that focuses on teaching good password habits. From this menu, the user can choose to learn the rules of the game or start playing immediately. Random passwords fly around the screen, helping to set the theme of the game and draw users in.


Figure 5.2 Main menu.

Figure 5.3 provides users with the basic knowledge needed to play and enjoy the game. Personal information is used as a resource that players must defend throughout the game. The constant threat of identity theft motivates players to keep playing. The game’s controls are fairly simple (mouse and keyboard), so the game is accessible to all ages and skill levels.


Figure 5.3 Rules of the game.

The storyboard in Figure 5.4 represents a general gameplay scenario, demonstrating the level design and core mechanics behind the game. Ease of use is paramount here; the interface is clean and intuitive, which keeps focus on the game. The adversaries are shown walking toward the pool of personal information, passing through the password sockets along the way. The password bank is shown on the left side of the screen.


Figure 5.4 The gameplay scenario.

Should a user choose a weak password, or one that has already been tried, the storyboard shown in Figure 5.5 encapsulates the progress of the game. This is only a sample screen, as the in-game message will change depending on the context of the game (bad password, repeat, etc.). The purpose of in-game messages is to educate the user without the user having to read too much at once. The tutorial manager employs a geometric back-off with regard to help pop-ups. Thus, a player is notified about a misstep less and less often in order to provide gradually decreasing scaffolding. The user learns gradually, in an enjoyable manner, as the game progresses.


Figure 5.5 The informational scenario.
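The geometric back-off for help pop-ups described above can be sketched as follows. This is an added example, not code from Brute Force or from the authors; the names `classify`, `TutorialManager` and `play`, the back-off ratio of 2, and the password-strength rule are assumptions, since the chapter does not specify them.

```python
import string

# Constructed sample of commonly used passwords (illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def classify(password, already_tried):
    """Return the misstep kind ("repeat" or "weak"), or None if acceptable.

    The strength rule (10+ characters, 3+ character classes, not a common
    password) is an assumption; the chapter does not define "weak".
    """
    if password in already_tried:
        return "repeat"
    classes = sum(any(ch in group for ch in password)
                  for group in CHARACTER_CLASSES)
    if (password.lower() in COMMON_PASSWORDS
            or len(password) < 10 or classes < 3):
        return "weak"
    return None


class TutorialManager:
    """Decides whether a misstep earns a help pop-up.

    For each misstep kind the pop-up appears on occurrence 1, then on
    occurrences ratio, ratio**2, ... so the gap between pop-ups grows
    geometrically.
    """

    def __init__(self, ratio=2):
        if ratio < 2:
            raise ValueError("ratio must be at least 2 for a back-off")
        self.ratio = ratio
        self.occurrences = {}   # misstep kind -> times seen so far
        self.next_due = {}      # misstep kind -> occurrence of next pop-up

    def report(self, kind):
        """Record one misstep; return True if a pop-up should be shown."""
        seen = self.occurrences.get(kind, 0) + 1
        self.occurrences[kind] = seen
        due = self.next_due.get(kind, 1)
        if seen < due:
            return False
        self.next_due[kind] = due * self.ratio
        return True


def play(passwords, manager=None):
    """Feed chosen passwords through the game loop.

    Returns a list of (password, misstep kind or None, pop-up shown).
    """
    manager = manager or TutorialManager()
    tried = set()
    log = []
    for password in passwords:
        kind = classify(password, tried)
        tried.add(password)
        popup = manager.report(kind) if kind else False
        log.append((password, kind, popup))
    return log


if __name__ == "__main__":
    # Constructed player input: eight distinct weak choices, one repeat,
    # one acceptable password.
    choices = ["cat%d" % i for i in range(8)] + ["cat0", "Tr4il-Mix&Oats"]
    for row in play(choices):
        print(row)
```

Each misstep kind keeps its own counter, so a player who has stopped seeing "weak password" pop-ups still gets the full explanation the first time a repeat is tried.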

Phishing awareness game

This game carries the same focus on an educational and enjoyable experience that is accessible regardless of skill level. Message Received aims to inform users on what phishing is and how to avoid it. From the title screen shown in Figure 5.6, the user can learn the controls or start a game immediately.


Figure 5.6 The Message Received main screen.

The core concept behind the game is an airplane base that must be defended from enemy planes. Players must inspect the messages (e-mails, websites, etc.) sent by each plane and decide whether or not to accept them. Over time, players will learn to discern legitimate e-mails and websites from phishing attempts.

The storyboard shown in Figure 5.7 shows a typical scenario in the game. Airplanes are flying overhead, each carrying either a bomb or a soldier. The user interface consists of a readout displaying the current plane’s message, a base health monitor, and two buttons for deciding whether the current message is good or bad. As long as the player makes good decisions, the base will remain undamaged.


Figure 5.7 A typical game scenario.

Figure 5.8 depicts a sample popup that displays when a player accepts a bad message. These screens change based on the context of the game and will help explain why the message was bad. As the players progress through the game, they will become better at filtering out phishing attempts.


Figure 5.8 Informational screen.

Information security awareness games

The information security awareness training games are currently implemented and deployed. The testing and evaluation phase will commence during the Fall 2013 term. The planned game-based training modules include: Password Protection, Phishing Scam, Spam, Spyware, ID Theft, Wireless Vulnerabilities, Anti-Virus Protection, Digital Forensics, and Critical Infrastructure Protection.

Information security awareness metrics

Kark and Stamp published a Forrester Research survey [20] documenting the struggle of organizations to provide a meaningful report for managers to make decisions on the security of their information systems. Security metrics can be effective tools for discerning the effectiveness of various components of a security program [21]. A well-known saying states, “What cannot be measured cannot be improved.”

Our gamification system facilitates the monitoring of the state of information security awareness within an organization through the point system and leaderboard components. A Web-enabled database will be enabled and utilized for data collection and analytics. A Web-based reporting system will be designed and implemented to generate comprehensive reports on the state of information security awareness.

Conclusion and future plans

The critical need for Information Security and Assurance (ISA) professionals is becoming more pronounced, as evidenced by past and current news pertaining to cyber-espionage, cyber-intrusion, cyber-warfare, and even cyber-crimes. There are numerous calls to both the industry and academia to address this need, as well as government initiatives that highlight both the national and global importance of cybersecurity. We have presented an overview of an ongoing project in gamification of information security awareness training as a modest contribution to this area of national importance. We envision this project as a catalyst for expanding the information security curriculum from the secondary to the graduate level of education. An opportunity to instill ISA concepts into the mindset of the next generation of professionals exists and we intend to take leadership in this process.

Future plans to enhance and expand the gamification project include:

• adding vulnerability and system penetration tools into the gaming scenarios;

• exporting Web-based information security games; and

• expanding the ISA training games to address the business, industrial, and government sectors’ needs.

Acknowledgments

This chapter is based on a project partly supported by the Department of Defense-National Security Agency under grant number H98230-12-1-0427 and the National Science Foundation under grant award OCI-0959687. Opinions expressed are those of the authors and not necessarily of the granting agencies.

References

1. Zyda M. Creating a science of games. Communications of the ACM; 2007 July.

2. Gee J. Learning by design: games as learning machines. Interact Educational Multimedia. 2004;8:15–23.

3. Donovan S, Brandsford J. How students learn: History, science, and mathematics in the classroom. [Internet]. Available from: <http://www.nap.edu/catalog.php?record id=510126> 2005 [accessed 8.02.13].

4. Bell P, Lewenstein B, Shouse A, Feder M. Learning science in informal environments: People, places, and pursuits. [Internet]. Available from: http://www.nap.edu/catalog.php?record id=12190; 2009 [accessed 08.02.13].

5. Hattie J. Visible learning: A synthesis of over 800 meta-analyses relating to achievement New York, NY: Routledge; 2008.

6. Stipek D. Motivation and instruction. Handbook of educational psychology NY: MacMillan; 1996; p. 85–113.

7. Andersen P. Classroom game design. [Internet]. Available from: <http://www.youtube.com/watch?v=4qlYGX0H6Ec>; [accessed 13.06.13].

8. Sheldon L. The multiplayer classroom: designing coursework as a game. Cengage; 2011.

9. McGonigal J. Reality is broken: Why games make us better and how they can change the world. Penguin Books; 2013.

10. Anderson JQ, Rainie L. Pew Research Center. [Internet]. Available from: <http://www.pewinternet.org/~/media/Files/Reports/2012/PIP_Future_of_Internet_2012_Gamification.pdf>; 2012 [accessed 30.01.13].

11. Gartner Newsroom. [Internet]. Available from: <http://www.gartner.com/newsroom/id/1629214>; 2011 [accessed 02.02.2013].

12. Khatib F., Cooper S., Tyka M. D., Xu K., Makedon I., Popovic Z., Baker D., FoldIt Players. Algorithm discovery by protein folding game players, Proc. Natl. Acad. Sci. USA; 108:47; 18949–18953; 2011.

13. Abt CC. Serious games Viking Press 1970.

14. USC Institute for Creative Technologies. [Internet]. Available from: <http://ict.usc.edu/news/two-ict-projects-win-army-modeling-and-simulation-awards-for-fy08/>; 2013 [accessed 02.02.13].

15. Ulicsak M. Games in education: Serious games. [Internet]. Available from: <https://www.evernote.com/shard/s18/res/3d58cb23-d313-4364-bff3-d5bb733e601f/Serious-Games_Review.pdf>; 2010 [accessed 30.01.13].

16. Games for health. [Internet]. Available from: <www.gamesforhealth.org>; 2013 Feb [accessed 06.02.13].

17. Hollier Simulation Centre. [Internet]. Available from: <www.hollier-simulation-centre.co.uk>; 2012 [accessed 30.01.13].

18. Reeves B, Malone T, O’Driscoll T. Leadership’s online labs. [Internet]. Available from: <http://hbr.org/2008/05/leaderships-online-labs/ar/1>; 2008 [accessed 30.01.13].

19. Zichermann G, Cunningham C. Gamification by design: Implementing game mechanics in web and mobile apps Sebastopol, CA: O’Reilly Media, Inc.; 2011.

20. Kark K, Stamp P. Defining an effective security metrics program best practices. Forrester Research; 2007.

21. Payne SC. A guide to security metrics. [Internet]. Available from: <http://www.sans.org/reading_room/whitepapers/auditing/guide-security-metrics_55>; 2006 [accessed 15.11.12].
