
Gamification for Security Training

Problem Statement

The number of cyber-attacks has been increasing rapidly in organizations and these attacks can bring down the reputation of organizations and can cause a loss of millions of dollars for the organizations. Most of the vulnerabilities, attacks, risks, and viruses are the result of a lack of security awareness of employees and users (Seaborn & Fels, 2015).

These risks, vulnerabilities, and attacks can be reduced by improving the knowledge and skills of employees in strengthening the IT infrastructure of the companies. For this purpose, organizations can arrange several types of workshops and training sessions related to cyber-security awareness. Many employees show little interest and feel bored when attending those workshops and training sessions. Gamification is considered a practice that can help in boosting the interest and engagement level of employees during security awareness training.

Gamification will have a positive impact on the security training offered to employees by increasing their interest and engagement level. The main problem which is going to be addressed in this research is the understanding of the impact of gamification on the training session offered to employees for improving the security of IT infrastructure.

The present research study is considered highly useful for finding the impact of gamification on the training sessions offered to employees for improving the security of IT infrastructure. This study would enable organizations to understand the significance of gamification, the possible methods that can be utilized for taking advantage of gamification, and why it is one of the best approaches for increasing the engagement level and involvement of employees in training sessions.

Many employees struggle with a lack of interest and enthusiasm while attending the workshops and training sessions arranged by their employers and managers (Alotaibi, Furnell, Stengel, & Papadaki, 2016). Hence, the use of gamification can be a highly effective technique for organizations to increase the interest and engagement level of employees in the offered workshops and training sessions (Baxter, Kip, & Wood, 2016).

Model Diagram

[Model diagram; recoverable labels: Flow Theory, Gamification for Security Training, User Security Compliance]



Literature Review on Gamification for Security Training

Gamification is the method in which the knowledge and experience gained from gaming theory and flow theory are utilized in a non-gaming context. The concept of gamification was implemented for the first time during the Cold War to improve productivity (Alotaibi, Furnell, Stengel, & Papadaki, 2016). Coonradt, in 1984, was an early researcher who applied gamification in the business context to motivate employees through the usage of clear goals, frequent feedback provision, gaming features, and personal choice (Baxter, Kip, & Wood, 2016).

Gamification helps companies increase their employees' engagement level by utilizing several elements of game design (Kanat, Siloju, Raghu, & Vinze, 2013). Previously conducted research studies have suggested that goals, storytelling, rewards, and appreciation are the main aspects of gamification for increasing users' curiosity, interest, and experience of challenge, and thereby the engagement level and interest of participants in the offered training sessions and workshops (Seaborn & Fels, 2015).

The use of the gamification technique is one of the most preferred training methodologies which helps the companies to increase innovation, productivity, knowledge, skills, experiences, and learning procedures of their employees and participants (Alomari, Al-Samarraie, & Yousef, 2019). This technique is mainly based on the use of innovative thoughts and gaming techniques in a non-entertainment manner, such as improving education and work skills.

Gamification offers its users a vast number of benefits: it enables employees to increase their productivity, provides motivation for improving their engagement and involvement, encourages employees to become more creative in solving problems and addressing them innovatively, and strengthens communication procedures (Pattabiraman, Srinivasan, Swaminathan, & Gupta, 2018).

The use of gamification helps employers and managers increase employee engagement by introducing several types of innovative dynamics (Mathoosoothenen, Sundaram, Palanichamy, & Brohi, 2017). It is assumed that companies that utilize gamification in the training sessions offered to their employees can be more successful in improving the particular required skills of their employees through the increased interest and involvement of employees in the provided training sessions and workshops (Erenli, 2013). However, it is also considered a highly useful approach for transmitting a productive and positive corporate image (Alomari, Al-Samarraie, & Yousef, 2019).

To use gamification more effectively, everything should be kept simple, engaging, and entertaining to increase the interest and engagement level of employees. The success of gamification relies mainly on employees' increased involvement, the use of effective gaming techniques and methods, and motivation (Alotaibi, Furnell, Stengel, & Papadaki, 2016). The rewards offered are not merely awards; they provide a means of inspiring employees to achieve their potential. A vast number of organizations have utilized gamification techniques, such as Google, Starbucks, and Domino's.

When companies use gamification, they work to make existing tasks more innovative and fun, as with video games. The advancement in information technology has contributed greatly to an increase in cybercrime and terrorism, which can have a strong negative impact not only on the reputation of the company but also on the data and information about its employees, customers, and the organization itself that are stored on the company's servers (Baxter, Kip, & Wood, 2016). The increased numbers of attacks, threats, risks, and vulnerabilities demand that IT companies become more innovative, productive, and reliable (Gonzalez, Llamas, & Ordaz, 2017).

For this purpose, companies need to provide training sessions and workshops to improve the skills and knowledge of their employees. To identify and tackle the various attacks, threats, risks, and vulnerabilities, employees should know about IT security so that they can protect their privacy and data from intruders (Erenli, 2013). Employees should also be able to think from the perspective of intruders and act accordingly.

To identify and address cyberattacks effectively, quickly, and without any significant loss in terms of finance, customers, and reputation, employees should have updated knowledge, as advancements in technology are taking place at a fast rate (Seaborn & Fels, 2015). Several types of cybercrime can occur and can prove highly harmful. In 2018, in the UK, 79% of companies faced the threat of cyberattacks and had to deal with the consequences of the problems that occurred (Alomari, Al-Samarraie, & Yousef, 2019).

Most people, including the employees of any organization, do not show interest in attending workshops on any topic, even though workshops play a significant role in enhancing attendees' knowledge and improving their existing experience and skills regarding the security of IT infrastructure (Luh, Temper, Tjoa, Schrittwieser, & Janicke, 2020). However, this significant problem of a lack of interest and involvement in the offered training and workshops can be solved using gamification techniques (Hart, Margheri, Paci, & Sassone, 2020).

Besides, the use of gamification for increasing the involvement and engagement level of employees is considered very cost-friendly: it can provide considerable benefits to its users and can save them from major problems. If employees lack involvement and engagement in the offered sessions, all the resources the companies utilized, such as cost, time, and place, would be wasted (Seaborn & Fels, 2015).

Gamification works on the desire of human beings to win, succeed, and achieve something. It allows employers to offer several types of rewards, such as badges, points, leaderboards, and the ability to trade for a particular kind of prize, to elicit high-quality behavior from employees and get them engaged in the training sessions (Thornton & Francia, 2014). However, it is also rooted in science, as winning always creates dopamine in human beings' minds. They want to reach the next level and be placed at the top of the leaderboard, doing whatever they can to feel good and have a feeling of pride (Alotaibi, Furnell, Stengel, & Papadaki, 2016).

Besides, the rules that must be followed to stay in line and to guide decision making are also of considerable significance. Companies that succeed in implementing and establishing the right rules for Information Technology Security awareness training sessions and programs have more opportunities to extend their programs for long-term benefits (Gonzalez, Llamas, & Ordaz, 2017). All the specified rules, regulations, objectives, and goals of the training need to be clear and straightforward so that they can be modified and adjusted according to changing circumstances and situations (Adams & Makramalla, 2015).

Organizations should not move towards gamification merely because everyone is using it and it sounds trendy and good. It should be implemented when needed and with a particular purpose (Seaborn & Fels, 2015). All programs that contain gamification should have some unique value, and all participants should feel special and interested in learning about cybersecurity to secure the IT departments of their companies, through a feeling of winning something (Alomari, Al-Samarraie, & Yousef, 2019).

All the contents of gamification in the training sessions need to be incorporated in a very transparent manner to obtain a high level of benefit, as this can prove very useful and practical for improving the quality of training sessions and achieving a high level of results (Alotaibi, Furnell, Stengel, & Papadaki, 2016). The success of gamification-based training relies on the program being accomplished without the use of gamification being noticed (Gonzalez, Llamas, & Ordaz, 2017).

Besides, it has also been noticed that what works well for one organization will not necessarily be sufficient for other companies (Seaborn & Fels, 2015). Each company seems to have its own unique organizational culture and methods of designing training programs because of its unique traits and knowledge (Alomari, Al-Samarraie, & Yousef, 2019). In each training session, human factors are considered to be the weakest element for IT security, as people can make mistakes, yet they are also the ones who can make extraordinary efforts to secure the system to a high extent from vulnerabilities, risks, and attacks (Chen, 2015).

Literature Review on Information Security Compliance

The 21st century has come with technological advancements that have helped organizations to flourish and work faster and more efficiently. The corporate world undergoes numerous changes, and for an organization to stay competitive in the market, it must be able to adapt to the changes that are bound to happen (Desai, 2016). Organizations must be able to learn quickly about the business environment. Business principles change over time, and Information Technology is one of the fields in which a company must take a keen interest.

The changing technological advancements largely include the use of e-commerce, which exposes companies to a higher risk of cybercrime. According to Al-Kalbani (2017), there was a 38% increase in breaches of information technology in public organizations in 2016 as compared to 2014. Because of this increase and the threat of a further surge, companies must design and operate secure electronic systems for the exchange of information and funds. It is fundamental that the security of the information that organizations hold be kept as high as possible. Companies have noticed this and have gone on to adopt security practices that include an information technology security compliance approach to control the proper use of the information that they have (Al-Kalbani, 2017). Showing that a company has taken the necessary precautions to protect the information it has is now considered to be an institutional yardstick (Al-Kalbani et al., 2017; Safa et al., 2016).

For any sort of information security, companies and organizations, including governments, have to consider the technical aspects as well as the non-technical aspects (Al-Kalbani, 2017). As such, the end game is to have a set of rules that must be met to ensure security compliance. In the use of information technology, security compliance refers to the implementation of security practices, policies, and standards that work best to protect the information owned or controlled by a certain organization (Al-Kalbani, 2017; Alfawaz et al., 2010). If a company complies with information security, it has a better chance of improving the security mechanisms that help safeguard information (Siponen et al., 2010). The compliance approach to information technology helps to satisfy the trust that the stakeholders have in the organization (Al-Kalbani, 2017). Therefore, information technology is important in the development of e-government and of other institutions and organizations as well.

As Dimitriadis (2011) describes, information security is “the preservation of confidentiality, integrity and availability of information.” There is no way that information can be preserved if there is no compliance with the standards that guide its preservation. Over the past decade, there was the notion that information security was a technical matter and that IT managers were the only ones tasked with preserving it. However, the notion has been changing to include the non-technical part of the organization (Desai, 2016). This has led to the creation of procedures, policies, and awareness programs that help in security compliance. According to Herath and Rao (2009), the failure to prevent security breaches in attacks is a clear sign of a company not complying with the security policies. Research has ascertained that almost half of the security breaches that befall an organization emanate from within the organization (Desai, 2016). This fact places more emphasis on the role that an organization has in stopping security breaches through compliance.

According to Kolkowska and Dhillon (2013), there are two main categories of information security approaches: those that make use of sanctions and those that are behavioral in nature. As such, there are two approaches to security management, which are the individual level and the managerial level of understanding (Flores et al., 2014). This means that the individual employees in an organization need proper training and awareness so that they do not misuse information. The employees need to understand the consequences of culpability for a breach of information.

There are theories that help explain the compliance of organizations with information security. The institution theory (DiMaggio & Powell, 1983) provides a better understanding of the pressures that force an institution to comply. The theory states that “organizations must secure legitimacy from its stakeholders by conforming to external expectations” (Appari et al., 2009). The legitimacy that an organization seeks can be gained by making strategic responses to the pressures from external entities (Cavusoglu et al., 2015). It is paramount to note that the external pressures and the response by the organization define how the organization is built and run, and how it can be understood and evaluated (Al-Kalbani et al., 2017).

For an organization to follow the security compliance, there must be proper external pressures that force it. The pressures include normative, mimetic, and coercive pressures (Cavusoglu, 2015). The coercive pressures are the ones that force an organization to adopt the regulations and practices that help in protection of security of information. The pressures are mainly from the government laws and regulations (Al-Kalbani et al., 2017). The normative pressures are those that stem from the expectations that the community has towards the organization (Appari et al., 2009). Finally, the mimetic pressures are those that stem from the company trying to imitate its peers to gain legitimacy (Safa et al., 2016).

The importance of the pressures to adoption of security compliance is key towards ensuring that the organizations. Since there are many institutions that are using gamification in the training and awareness of their employees, the mimetic pressures play an important role in increasing the compliance levels of other companies. Bulgurcu (2010) finds that the implementation of information security awareness even helps to increase the belief of employees in security awareness. While the government can create rules and regulations that force organizations to increase information security awareness, it is down to the organizations to choose to use gamification in the training of their employees.

Flow theory

As Cakmak et al. (2015) note, flow theory addresses the process where a person engages in an activity that may help in improving his or her cognitive skills. The engagement involves the individual feeling a sense of control, being fully concentrated on the activity performed, enjoying the activity, and having the necessary harmony between the skills and the task performed (Cakmak et al., 2015). Csikszentmihalyi (1990) argues that it is possible for a person to achieve happiness by only controlling how they feel in the inner being. An individual can control his life and live the most enjoyable moments of his life by directing his mind to realistic goals and challenges. Therefore, a person who fully puts his or her focus on the work they do will live the flow experience and will have control over the actions they perform.

According to Csikszentmihalyi (1990), the flow experience is interwoven with positive emotions, intrinsic motivation, a high level of concentration, and a sense of control. It is important to note that individuals mainly experience intrinsic motivation whenever they are doing activities that they are interested in. This intrinsic motivation is a key feature of the flow experience. Therefore, intrinsic motivation is easily achieved if a person is performing an activity out of his or her own free will (Cakmak et al., 2015). Certain features are important in determining the flow experience of a person. There are eight principles: a challenging activity that requires skills, the merging of action and awareness, clear goals, direct feedback, concentration on the task at hand, the sense of control, the loss of self-consciousness, and the transformation of time (Chen, 2015; Cakmak et al., 2015).

Flow is primarily based on activities, and the theory argues that healthy persons enjoy their experience during the activity without even realizing it (Cakmak et al., 2015). By accumulating the activities that are appropriate to the purpose of their life, a person can achieve the happiness they wish with a sense of control over the activity they perform. Flow theory has been used before in many fields, including sports, positive psychology, marriage, job performance, and distance education, among others (Cakmak et al., 2015). In online games, the creators have mastered the art of ensuring that a person achieves the flow experience when playing. This way, video games have infiltrated our daily lives in a way that every person, young and grown up, plays some kind of video game (Chen, 2015). Game makers ensure that gamers achieve the flow experience by making sure that there is a balance between the challenges that the game provides and the abilities of the person playing (Chen, 2015).

Gamification, flow theory and security compliance

Gamification is a fairly new approach that takes advantage of the video gaming industry to help in training and awareness about information security. The current era is full of online forms, which involve the transfer and storage of information. Using the internet to store and transfer information poses a risk of people hacking in to get information illegally. In some instances, the leakage of information may be unintentional. As Desai (2016) states, almost half of the security breaches that befall an organization emanate from within the organization. Most of the breaches are unintentional and occur because the users are not aware of the simple ways in which they can leak information. The gamification process, therefore, uses gaming principles to make the training on cyber security engaging, interesting, and informative. This way, the employees learn how to stop leakages and follow rules. In a nutshell, following rules and stopping leakages leads to security compliance. Information security compliance by the employees means that the whole organization complies, and security is therefore heightened.


References

Adams, M., & Makramalla, M. (2015). Cybersecurity skills training: an attacker-centric gamified approach. Technology Innovation Management Review.

Alomari, I., Al-Samarraie, H., & Yousef, R. (2019). The role of gamification techniques in promoting student learning: A review and synthesis. Journal of Information Technology Education: Research, 395-417.

Alotaibi, F., Furnell, S., Stengel, I., & Papadaki, M. (2016). A Review of Using Gaming Technology for Cyber-Security Awareness. International Journal for Information Security Research, 660-666.

Armstrong, M. B., & Landers, R. N. (2017). An evaluation of gamified training: Using narrative to improve reactions and learning. Simulation & Gaming, 513-538.

Baxter, R. J., Kip, H. J., & Wood, D. A. (2016). Applying Basic Gamification Techniques to IT Compliance Training: Evidence from the Lab and Field. Journal of Information Systems, 119-133.

Chen, E. T. (2015). Gamification as a resourceful tool to improve work performance. In Gamification in education and business, 473-488.

Erenli. (2013). The impact of gamification-recommending education scenario. International Journal of Emerging Technologies in Learning.

Gonzalez, H., Llamas, R., & Ordaz, F. (2017). Cybersecurity Teaching through Gamification: Aligning Training Resources to our Syllabus. Research in Computing Science, 35-43.

Hart, S., Margheri, A., Paci, F., & Sassone, V. (2020). Riskio: A Serious Game for Cyber Security Awareness and Education. Computers & Security.

Kanat, I. E., Siloju, S., Raghu, T. S., & Vinze, A. S. (2013). Gamification of emergency response training: A public health example. IEEE, (pp. 134-136).

Luh, R., Temper, M., Tjoa, S., Schrittwieser, S., & Janicke, H. (2020). PenQuest: a gamified attacker/defender meta-model for cybersecurity assessment and education. Journal of Computer Virology and Hacking Techniques, 19-61.

Mathoosoothenen, V. N., Sundaram, J. S., Palanichamy, R. A., & Brohi, S. N. (2017). An Integrated Real-Time Simulated Ethical Hacking Toolkit with Interactive Gamification Capabilities and Cyber Security Educational Platform. In Proceedings of the 2017 International Conference on Computer Science, (pp. 199-202).

Pattabiraman, A., Srinivasan, S., Swaminathan, K., & Gupta, M. (2018). Fortifying corporate human wall: A Literature review of security awareness and training. In Information Technology Risk Management and Compliance in Modern Organizations, 142-175.

Redhead, A., & Saunders, J. (2019). Gamification and Simulation. In Serious Games for Enhancing Law Enforcement Agencies, 83-98.

Ruiz-Alba, L., J., Soares, A., Rodríguez-Molina, M. A., & Banoun, A. (2019). Gamification and entrepreneurial intentions. Journal of Small Business and Enterprise Development.

Seaborn, K., & Fels, D. I. (2015). Gamification in theory and action. International Journal for Information Security Research.

Seaborn, K., & Fels, D. I. (2015). Gamification in theory and action: A survey. International Journal of human-computer studies, 14-31.

Thornton, D., & Francia, G. (2014). Gamification of information systems and security training: Issues and case studies. Information Security Education Journal, 15-24.

Wolfenden, B. (2019). Gamification as a winning cybersecurity strategy. Computer Fraud & Security, 9-12.


Al-Kalbani, A., Deng, H., & Kam, B. (2015b). Organizational security culture and information security compliance for e-government development: the moderating effect of social pressure. Proceedings of the 19th Pacific Asia Conference on Information Systems (PACIS 2015) (pp. 1-11). Atlanta, GA, United States: Association for Information Systems (AIS).

Al-Kalbani, A. (2017). A Compliance Based Framework for Information Security in E-Government in Oman. https://pdfs.semanticscholar.org/85ae/23222e1a34c2a4e4408a00f047b160ca1c6f.pdf

AlKalbani, A., Deng, H., Kam, B., & Zhang, X. (2017). Information Security Compliance in Organizations: An Institutional Perspective. Data and Information Management, 1(2), 104–114. https://doi.org/10.1515/dim-2017-0006

Appari, A., Johnson, M. E., & Anthony, D. L. (2009). HIPAA Compliance: An Institutional Theory Perspective, Proceedings of the American Conference on Information Systems. pp. 252.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

Cavusoglu, H., Cavusoglu, H., Son, J.-Y., & Benbasat, I. (2015). Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385-400.

Csikszentmihalyi, M. (1990). Flow: The psychology of optimal experience. New York, NY: Harper and Row.

Desai, M. (2016). An integrated approach for information security compliance in a financial services organization. http://etd.cput.ac.za/bitstream/handle/20.500.11838/2396/205219500-Desai-MR-Mtech-IT-FID-2016.pdf?sequence=1&isAllowed=y

DiMaggio, P., & Powell, W. W. (1983). The Iron Cage Revisited: Collective Rationality and Institutional Isomorphism in Organizational Fields, American Sociological Review 48(2), 147-160.

Dimitriadis, C. (2011). Information Security from a Business Perspective. ISACA Journal 1(1):43-48.

Edwards, J. R., Mason, D. S., & Washington, M. (2009). Institutional pressures, government funding and provincial sport organizations. International Journal of Sport Management and Marketing, 6(2), 128-149.

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures, and perceived effectiveness. Decision Support Systems, 47(2), 154–165.

Ke, W., & Wei, K. K. (2008). Organizational culture and leadership in ERP implementation. Decision Support Systems, 45(2), 208-218.

Kirsch, L. J., & Boss, S. R. (2007). The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines. International Conference on Information Systems, Icis 2007, 103.

Kolkowska, E., & Dhillon, G. (2012). Organizational power and information security rule compliance. Computers & Security, 33, 3-11.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information Security Policy Compliance Model in Organizations. Computers & Security, 56, 70-82.