Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance

Journal of Management Information Systems (JMIS), vol. 37(1), pp. 129-161

76 Pages Posted: 7 Aug 2019 Last revised: 4 May 2020

See all articles by Mario Silic

Mario Silic

Swiss School of Business and Management (SSBM); University of St. Gallen - Institute of Information Management

Paul Benjamin Lowry

Virginia Tech - Pamplin College of Business

Date Written: January 1, 2020

Abstract

We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To do so, we created a gamified security training system focusing on two factors: (1) enhancing intrinsic motivation through gamification and (2) improving security learning and efficacy. Our key theoretical contribution is proposing a recontextualized kernel theory from the hedonic-motivation system adoption model that can be used to assess employee security constructs along with their intrinsic motivations and coping for learning and compliance. A six-month field study with 420 participants shows that fulfilling users’ motivations and coping needs through gamified security training can result in statistically significant positive behavioral changes. We also provide a novel empirical demonstration of the conceptual importance of “appropriate challenge” in this context. We vet our work using the principles of proof-of-concept and proof-of-value, and we conclude with a research agenda that leads toward final proof-in-use.

Keywords: gamification; design science research (DSR); hedonic-motivation system adoption model (HMSAM); immersion; flow; security compliance; security education, training, and awareness (SETA)

Suggested Citation

Silic, Mario and Lowry, Paul Benjamin, Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance (January 1, 2020). Journal of Management Information Systems (JMIS), vol. 37(1), pp. 129-161, Available at SSRN: https://ssrn.com/abstract=3431995

Mario Silic

Swiss School of Business and Management (SSBM) ( email )

Avenue des Morgines 12
Geneva, 10000
Switzerland
9000 (Fax)

University of St. Gallen - Institute of Information Management ( email )

Langgasse 1
St. Gallen, 9008
Switzerland

Paul Benjamin Lowry (Contact Author)

Virginia Tech - Pamplin College of Business ( email )

1016 Pamplin Hall
Blacksburg, VA 24061
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
249
Abstract Views
931
Rank
223,316
PlumX Metrics