Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance

Journal of Management Information Systems (JMIS), vol. 37(1), pp. 129-161

76 Pages Posted: 7 Aug 2019 Last revised: 4 May 2020

See all articles by Mario Silic

Mario Silic

Swiss School of Business and Management (SSBM); University of St. Gallen - Institute of Information Management

Paul Benjamin Lowry

Virginia Tech - Pamplin College of Business

Date Written: January 1, 2020

Abstract

We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To do so, we created a gamified security training system focusing on two factors: (1) enhancing intrinsic motivation through gamification and (2) improving security learning and efficacy. Our key theoretical contribution is proposing a recontextualized kernel theory from the hedonic-motivation system adoption model that can be used to assess employee security constructs along with their intrinsic motivations and coping for learning and compliance. A six-month field study with 420 participants shows that fulfilling users’ motivations and coping needs through gamified security training can result in statistically significant positive behavioral changes. We also provide a novel empirical demonstration of the conceptual importance of “appropriate challenge” in this context. We vet our work using the principles of proof-of-concept and proof-of-value, and we conclude with a research agenda that leads toward final proof-in-use.

Keywords: gamification; design science research (DSR); hedonic-motivation system adoption model (HMSAM); immersion; flow; security compliance; security education, training, and awareness (SETA)

Suggested Citation

Silic, Mario and Lowry, Paul Benjamin, Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance (January 1, 2020). Journal of Management Information Systems (JMIS), vol. 37(1), pp. 129-161, Available at SSRN: https://ssrn.com/abstract=3431995

Mario Silic

Swiss School of Business and Management (SSBM) ( email )

Avenue des Morgines 12
Geneva, 10000
Switzerland
9000 (Fax)

University of St. Gallen - Institute of Information Management ( email )

Langgasse 1
St. Gallen, 9008
Switzerland

Paul Benjamin Lowry (Contact Author)

Virginia Tech - Pamplin College of Business ( email )

1016 Pamplin Hall
Blacksburg, VA 24061
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
260
Abstract Views
1,019
Rank
228,074
PlumX Metrics