Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance
Journal of Management Information Systems (JMIS), vol. 37(1), pp. 129-161
76 Pages
Posted: 7 Aug 2019
Last revised: 4 May 2020
Date Written: January 1, 2020
Abstract
We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To do so, we created a gamified security training system focusing on two factors: (1) enhancing intrinsic motivation through gamification and (2) improving security learning and efficacy. Our key theoretical contribution is proposing a recontextualized kernel theory from the hedonic-motivation system adoption model that can be used to assess employee security constructs along with their intrinsic motivations and coping for learning and compliance. A six-month field study with 420 participants shows that fulfilling users’ motivations and coping needs through gamified security training can result in statistically significant positive behavioral changes. We also provide a novel empirical demonstration of the conceptual importance of “appropriate challenge” in this context. We vet our work using the principles of proof-of-concept and proof-of-value, and we conclude with a research agenda that leads toward final proof-in-use.
Keywords: gamification; design science research (DSR); hedonic-motivation system adoption model (HMSAM); immersion; flow; security compliance; security education, training, and awareness (SETA)