GAMIFICATION ON SECURITY TRAINING 2

Gamification for Security Training

Problem Statement

The number of cyber-attacks has been increasing rapidly in organizations. These attacks

can bring down the reputation of organizations and can cause a loss of millions of dollars for the

organizations. Most vulnerabilities, attacks, risks, and viruses result from a lack of security

awareness of employees and users (Seaborn & Fels, 2015).

These risks, vulnerabilities, and attacks can be reduced by improving employees'

knowledge and skills in strengthening the companies' IT infrastructure. For this purpose,

organizations can arrange several types of workshops and training sessions related to

cyber-security awareness. Many employees do not show interest and feel bored attending those

workshops and training sessions. Gamification is considered a practice that can boost the

investment and engagement level of employees during security awareness training.

Gamification will positively impact the security training offered to employees by

increasing their interest and engagement level. The main problem which is going to be addressed

in this research is the understanding of the impact of gamification on the training session offered

to employees for improving the security of IT infrastructure.

The present research study is considered highly useful for finding the impact of

gamification on employees' training sessions for improving the security of IT infrastructure. This

study would enable organizations to understand the significance of gamification, the possible

methods that can be utilized for taking advantage of gamification, and why it is one of the best

approaches for increasing the engagement level and involvement of employees in training

sessions.

Many employees feel difficulty and face a lack of interest and enthusiasm while attending

the workshops and training sessions arranged by their employers and managers (Alotaibi,

Furnell, Stengel, & Papadaki, 2016). Hence the use of gamification can be a highly effective

technique available for organizations to increase the interest and engagement level of employees

in the offered workshops and training sessions (Baxter, Kip, & Wood, 2016).

Model Diagram

Flow theory

The theory of flow is considered useful for explaining the procedure in which the use of

gamification can be highly valuable to improve the learning capabilities and skills of individuals.

The main reason behind the use of the theory of flow is that most of the games have been designed

in such a manner that puts a strong focus on maintaining a balance among the skills and challenges

of the learners. However, the individuals who play video games are considered highly efficient as

they can learn and find the easiest ways to reach the state of flow to learning something (Luh,

Temper, Tjoa, Schrittwieser, & Janicke, 2020). When an employee feels exhausted and bored with

the training sessions, the practice of gamification helps them regain their interest and flow in the

offered training session.

[Model diagram: Gamification for Security Training, Flow Theory, User Security Compliance]

Gamification is considered highly useful for allowing individuals to keep working and

taking interest in the offered tasks in a flow. A flow helps individuals to work on a particular job

in a stream, from the beginner's level to the medium level, and when they get good in all those

activities, they are moved to the expert level (Gonzalez, Llamas, & Ordaz, 2017). In the same way,

employees are provided with training sessions based on the beginning level knowledge to medium

and then expert varying in the offered activities and training. It helps individuals to develop

relevant skills, thinking capabilities and learning attitudes based on their experience (Erenli, 2013).

However, there is a major role played by intrinsic motivation in the flow theory. The

intrinsic motivation usually occurs whenever an individual starts participating in the behavior that

seems to be personally rewarding not only because of the pressure that occurred by external assets

but also internally by the person (Baxter, Kip, & Wood, 2016). Intrinsic motivation occurs when

individuals want to explore or learn something new that they have not done before and become

more curious about the practical experience of those things (Wolfenden, 2019).

A number of research studies have been conducted for

understanding the effectiveness of the theory of flow. Still, researchers have done very little work on the

evaluation of the efficacy of flow theory in gamification and how it can be useful to improve

the capabilities of employees who are working (Pattabiraman, Srinivasan, Swaminathan, & Gupta,

2018). The flow theory is considered highly helpful in enhancing the efficiency of the activities

and tasks performed by using gamification.

As Cakmak et al. (2015) note, flow theory addresses how a person engages in an activity

that helps improve his or her cognitive skills. The engagement involves a special feeling: a sense

of control, being entirely concentrated on the operation performed, enjoying the activity and

having the necessary harmony between the skills and the task completed (Cakmak et al., 2015).

Csikszentmihalyi (1990) argues that people can achieve happiness by only controlling how they

feel in the inner being. An individual can control his life and live the most enjoyable moments of

his life by directing his mind to realistic goals and challenges. Therefore, a person who fully puts

his or her focus on the work they do will live the flow experience and will have control over the

actions they perform.

According to Csikszentmihalyi (1990), the flow experience is interwoven with positive

emotions, intrinsic motivation, high concentration, and a sense of control. It is important to note

that individuals mainly experience intrinsic motivation whenever they are doing activities that they

are interested in. This intrinsic motivation is a key feature of the flow experience. Therefore,

intrinsic motivation is easily achieved if a person performs an activity out of his or her own free

will (Cakmak et al., 2015). There are features of flow experience that are important in determining

the flow experience of a person. The eight principles are: a challenging activity that requires skills, the

merging of action and awareness, clear goals, direct feedback, concentration on the task at hand,

the sense of control, the loss of self-consciousness, and the transformation of time (Chen, 2015;

Cakmak et al., 2015).

The flow is primarily based on activities and argues that healthy persons enjoy their

experience during the business without even realizing it (Cakmak et al., 2015). By accumulating

the appropriate events to the purpose of their life, a person can achieve the happiness they wish

with a sense of control over the activity they perform. Flow theory has been used before in many

fields, including sports, positive psychology, marriage, job performance, and distance education

(Cakmak et al., 2015). In online games, the creators of the games have mastered the art of

ensuring that players achieve the flow experience when playing. This way, video games have

infiltrated our daily lives so that every person, young and grown-up, represents video game (Chen,

2015). Game makers are able to ensure that gamers achieve the flow experience by making

sure that there is a balance between the challenges that the game provides and the skills of the

person playing (Chen, 2015).

Literature Review on Gamification for Security Training

Gamification is the method in which the knowledge and experience gained from gaming

theory and flow theory are utilized in a non-gaming context. The concept of gamification was

implemented for the first time during the Cold War to improve productivity (Alotaibi, Furnell,

Stengel, & Papadaki, 2016). Coonradt in 1984 was the early researcher who applied gamification

in the business context to motivate employees through clear goals, frequent feedback provision,

gaming features, and personal choice (Baxter, Kip, & Wood, 2016).

Gamification greatly helps companies increase their employees' engagement level by

utilizing several elements of game design (Kanat, Siloju, Raghu, & Vinze, 2013). According

to some previously conducted research studies, it has been suggested that the use of goals, storytelling,

rewards, and appreciation are the main aspects of gamification for increasing the curiosity, interest,

engagement level and experiences of challenges of users to boost the engagement level and interest

of participants in the offered training sessions and workshops (Seaborn & Fels, 2015).

The use of the gamification technique is one of the most preferred training methodologies

which helps the companies to increase innovation, productivity, knowledge, skills, experiences,

and learning procedures of their employees and participants (Alomari, Al-Samarraie, & Yousef,

2019). This technique is mainly based on the use of innovative thoughts and gaming techniques in

a non-entertainment manner, such as improving education and work skills.

Gamification offers a vast number of benefits to its users: it enables

employees to increase their productivity, provides motivation for improving their engagement and

involvement, encourages employees to become more creative in solving problems and

innovatively addressing them, and strengthens communication procedures (Pattabiraman,

Srinivasan, Swaminathan, & Gupta, 2018).

The use of gamification greatly helps employers and managers increase employee

engagement by introducing several types of innovative dynamics (Mathoosoothenen, Sundaram,

Palanichamy, & Brohi, 2017). It has been assumed that companies that utilize the technique of

gamification in the training sessions offered to their employees can be more successful in

improving the particular required skills of their employees through the increased interest and

involvement of employees in the provided training sessions and workshops (Erenli, 2013).

However, it is also considered a highly useful approach for transmitting a productive and positive

corporate image (Alomari, Al-Samarraie, & Yousef, 2019).

To use gamification more effectively, everything should be kept simple, engaging, and

entertaining to increase the interest and engagement level of employees. The success of

gamification relies mainly on employees' increased involvement, effective gaming techniques, and

methods and motivation (Alotaibi, Furnell, Stengel, & Papadaki, 2016). The rewards offered are

not considered only pure awards but provide means for inspiring employees to achieve their

potential. Vast numbers of organizations have utilized gamification techniques, such as

Google, Starbucks, and Domino's.

When companies use gamification, they work to make the existing tasks more innovative

and fun, like the use of video games. The advancement in information technology has greatly

contributed to increasing cybercrimes and terrorism that can have a strong negative impact not only

on the reputation of the company but also on the data and information stored in the servers of the

company about its employees, customers, and the organization itself (Baxter, Kip, & Wood, 2016).

The increased numbers of attacks, threats, risks, and vulnerabilities demand that IT companies

become more innovative, productive, and reliable (Gonzalez, Llamas, & Ordaz, 2017).

For this purpose, companies need to provide training sessions and workshops to

improve their employees' skills and knowledge. To identify and tackle the various attacks, threats,

risks, and vulnerabilities, employees should know about IT security so that they can protect their

privacy and data from intruders (Erenli, 2013). Employees should also be able to think from the

perspective of intruders and act accordingly.

To identify and address the cyberattacks effectively, quickly, and without any significant

loss in terms of finance, customers, and reputation, the employees should have updated knowledge

as advancements in technology are taking place at a fast rate (Seaborn & Fels, 2015). Several types

of cybercrimes can occur and can prove highly harmful. In 2018, in the UK, 79% of

companies faced the threat of cyberattacks and had to face the consequences of the

problems that occurred (Alomari, Al-Samarraie, & Yousef, 2019).

Most people, including the employees of any organization, do not show interest in

attending workshops related to any topic, although the workshops play a significant role in enhancing the

knowledge of their attendees to improve their existing experience and skills about the security of IT

infrastructure (Luh, Temper, Tjoa, Schrittwieser, & Janicke, 2020). However, a significant

problem is posed by a lack of interest and involvement in the offered training and workshops,

which can be solved using gamification techniques (Hart, Margheri, Paci, & Sassone, 2020).

Besides, the use of gamification for increasing the involvement and engagement level of

employees is considered to be very cost-friendly as it can provide a considerable amount of

benefits to its users and can save them from major problems: if employees lack

involvement and engagement in the offered sessions, all the resources

utilized by the companies, like cost, time, place, etc., would be wasted and of no use (Seaborn

& Fels, 2015).

Gamification works on the desire of human beings to win, succeed, and achieve

something. It allows employers to offer several types of rewards like badges, points, leader boards,

and the ability to do trading to get a particular kind of prize for deriving high-quality behavior

from employees to get engaged in the training sessions (Thornton & Francia, 2014). However, it

is also rooted in science, as winning always creates dopamine in human beings' minds. They want

to reach the next level and be placed at the top of the leader board by doing whatever

they can to feel good and have a feeling of pride (Alotaibi, Furnell, Stengel, & Papadaki, 2016).

Besides, the rules that need to be followed for staying in line and for guidance in

decision making are also of considerable significance. The companies that succeed in

implementing and establishing the right standards for Information Technology Security

awareness training sessions and programs can have more opportunities and chances of extending

their programs for long-term benefits (Gonzalez, Llamas, & Ordaz, 2017). All the specified

rules, regulations, objectives and goals of the training need to be clear and straightforward

so that they can be modified and adjusted according to changing circumstances and situations (Adams

& Makramalla, 2015).

Organizations should not move towards the use of gamification merely because everyone is using

it and it sounds trendy and good. It should be implemented when needed and with a

particular purpose (Seaborn & Fels, 2015). All the programs which contain gamification should

have some unique value, and all the participants should be made to feel very special and interested in

learning about cybersecurity for securing the IT departments of the companies by having a feeling

of winning something (Alomari, Al-Samarraie, & Yousef, 2019).

All the contents of gamification in the training sessions need to be incorporated in a

very transparent manner for obtaining a high level of benefits, as this can prove to be very useful

and practical for improving the quality of training sessions and achieving a high level of results

(Alotaibi, Furnell, Stengel, & Papadaki, 2016). The success of the training based on gamification

relies on the program's accomplishment without being noticed by using gamification (Gonzalez,

Llamas, & Ordaz, 2017).

It has also been noticed that the things that work well for one organization will not necessarily

be sufficient for other companies (Seaborn & Fels, 2015). Each company seems to

have its particular unique organizational culture and training programs designing methods because

of having unique traits and knowledge (Alomari, Al-Samarraie, & Yousef, 2019). In each training

session, human factors are considered to be the weakest element for IT security as they can make

mistakes, and they are also the ones who can make extraordinary efforts to secure the system to a

great extent from vulnerabilities, risks, and attacks (Chen, 2015).

There is a considerable significance of information security compliance for improving the

quality of operations and services which are being offered to customers. When customers feel that

their data is not protected and secured by their company, they hesitate to provide their confidential

and personal information (Adams & Makramalla, 2015). There are many cases in which a

number of organizations have had to face major losses in terms of customers and finance because of

loss of information and data due to several types of vulnerabilities, breaches, and attacks (Alomari,

Al-Samarraie, & Yousef, 2019). For example, in 2013, the data of 153 million Adobe users was

compromised, which caused the company to face a $1.1 million legal fee and pay $1 million to its

customers for solving their problems (Swinhoe, 2020).

Also, in 2014, the data of 145 million eBay users was compromised, which caused the company

to pay hefty fines and some corresponding amount to their customers for addressing the impact

which has been faced by them financially (Battaglino, 2019). There are hundreds of examples of

small, medium and large-scale organizations which are offering their services by collecting vast

types of personal and confidential data of their customers and employees and those companies

have to face millions of dollars of loss not only in terms of money but also in their customers and

reputation (Alotaibi, Furnell, Stengel, & Papadaki, 2016). If these organizations had put a strong

focus on the improvement of their IT infrastructure and implemented robust security compliance,

they could have saved themselves from these significant losses.

Security compliance ensures that several security measures have been appropriately taken

by the company to protect the IT infrastructure from several types of attacks, risks, vulnerabilities,

and breaches. A number of IT security regulatory compliance standards can be followed by organizations

(Armstrong & Landers, 2017). This compliance can be effectively implemented if all the relevant

employees seem to be aware of these practices. They have relevant skills and updated knowledge

that is possible to provide to employees who seem to have problems in these areas through the

training sessions.

The offered training sessions can be improved by using the practice of gamification, which

allows employees to take significant interest and involvement in the provided training sessions.

These training sessions can help employees understand updated and highly advanced methods to

address these vulnerabilities, attacks, and breaches (Baxter, Kip, & Wood, 2016). Employees can

be offered advanced knowledge about several types of IT security regulatory compliance like

FISMA, HIPAA, the Sarbanes-Oxley Act, PCI DSS, etc. All of these acts work effectively

with the collaboration of IT security agencies and the government to secure the confidential and

personal data of customers and employees.

The companies which do not follow the guidelines, practices, standards, and policies

defined by these agencies and government have to face massive amounts of penalties,

punishments, and fines, which can cause them to suffer a significant loss in terms of finances and

customers. These defined standards help organizations to protect credit card information, email

address, bank details, etc. (Chen, 2015). For this purpose, it is suggested that organizations should

offer frequent training sessions to their employees from time to time so that they can get updated

knowledge and skills and become aware of best practices that can be utilized by them for strengthening

their IT infrastructure and ensuring IT security compliance (Gonzalez, Llamas, & Ordaz, 2017).

There are many large-scale organizations which have also become victims of these

vulnerabilities, breaches, and attacks because of lack of implementation of security compliance.

For example, in 2014, there was an attack on Yahoo which revealed that companies

having the latest technologies could also become vulnerable to these problems, and the attack

succeeded in stealing the records of more than 500 million accounts (Pattabiraman, Srinivasan,

Swaminathan, & Gupta, 2018). Besides, there was also a significant attack made on the Marriott

Hotels in which the data of more than 500 million customers was stolen.

Hence, if these companies had implemented strong IT security regulatory compliance and

followed the practices and standards specified by the country's IT security agencies and

government, they could have saved their millions of dollars along with their reputation and

numbers of customers (Thornton & Francia, 2014). The organizations can enhance their data

management capabilities and improve the reputation and market position of the company. Besides,

such regulatory compliance helps organizations promote operational benefits (Gonzalez, Llamas,

& Ordaz, 2017).

Literature Review on Information Security Compliance

The 21st century has come with technological advancements that have helped organizations

flourish and work faster and more efficiently. There are numerous changes that the corporate world

undergoes, and for an organization to stay competitive in the market, it must be able to adapt to

the changes that are bound to happen (Desai, 2016). Organizations must be able to learn quickly

about the business environment. The business principles change over time, and Information

Technology is one of those fields that a company must take a keen interest in.

The changing technological advancements largely include the use of e-commerce, which

exposes companies to a higher risk of cybercrime. According to Al-Kalbani (2017), there has been

a 38% increase in information technology breaches in a public organization in 2016 compared to

2014. Because of such an increase and the threat of a further surge, companies must design and

operate secure electronic systems that they use for the exchange of information and funds. It is

highly fundamental that the security of information that the organizations hold be kept as high as

possible. Companies have noticed the same and have gone on to adopt security practices that

include the adoption of an information technology security compliance approach to control the

proper use of the information they have (Al-Kalbani, 2017). Showing that a company has taken

the necessary precautions to protect the information they have is now considered to be an

institutional yardstick (Al-Kalbani et al., 2017; Safa et al., 2016).

For any sort of information security, companies and organizations, including

governments, must consider the technical, technological, and non-technical aspects (Al-Kalbani,

2017). As such, the end game is to have a set of rules that must be met to ensure security

compliance. In the use of information technology, security compliance refers to the

implementation of security practices, policies and standards that work best to protect the

information owned or controlled by a certain organization (Al-Kalbani, 2017; Alfawaz et al.,

2010). If a company complies with information security, it can improve its security mechanisms

that help safeguard information (Siponen et al., 2010). The compliance approach applied to

information technology helps satisfy the trust that the stakeholders have towards the organization

(Al-Kalbani, 2017). Therefore, information technology is essential in the development of

e-government and other institutions and organizations as well.

As Dimitriadis (2011) describes, information security is "the preservation of

confidentiality, integrity, and availability of information." There is no way that information can be

preserved if there is no compliance with the standards that guide its preservation. Over the past

decade, there was the notion that information security was a technical thing, and the IT managers

were the only ones tasked with the preservation of safety. However, the idea has been changing to

include the non-technical part of the organization (Desai, 2016). This has led to the creation of

procedures, policies, and awareness programs that help in security compliance. According to

Herath and Rao (2009), the failure to prevent security breaches in attacks is a clear sign of a

company not complying with the security policies. Research has ascertained that almost half of

the security breaches that befall an organization emanate from within the organization (Desai,

2016). This fact places more emphasis on the role that an organization has in stopping security

breaches through compliance.

According to Kolkowska and Dhillon (2013), there are two main categories identified

concerning information security approaches. These are the approaches that make use of

sanctions and the ones that are behavioral. As such, there are two approaches to security

management, which are the individual level and the managerial level of understanding (Flores et

al., 2014). This means that an organization's own employees need proper training and

awareness not to misuse information. The employees need to understand the consequences of

being guilty of a breach of data.

There have been theories that help understand the compliance of organizations to

information security. The institution theory (DiMaggio & Powell, 1983) widely provides a better

understanding of the pressures that force an institution to comply. The theory states that

“organizations must secure legitimacy from its stakeholders by conforming to external

expectations” (Appari et al., 2009). The legitimacy that an organization seeks can be gained by

making strategic responses to the pressures from external entities (Cavusoglu et al., 2015). It is

paramount to note that the organization's external influences and the answer define how the

organization is built, run, and how it can be understood and evaluated (Al-Kalbani et al., 2017).

For an organization to follow security compliance, there must be proper external pressures

that force it. The influences include normative, mimetic, and coercive pressures (Cavusoglu,

2015). The coercive pressures are the ones that force an organization to adopt the regulations and

practices that help in the protection of the security of information. The demands are mainly from

government laws and regulations (Al-Kalbani et al., 2017). The normative pressures are those that

stem from the expectations that the community has towards the organization (Appari et al., 2009).

Finally, the mimetic pressures originate from the company trying to imitate its peers to gain

legitimacy (Safa et al., 2016).

The importance of the pressures to the adoption of security compliance is key to ensuring

that the organizations. Since many institutions are using gamification in the training and awareness

of the employees, the mimetic pressures play an essential role in increasing the compliance levels

of other companies. Bulgurcu (2010) finds out that the implementation of information security

awareness even helps to increase the belief of employees towards security awareness. While the

government can create rules and regulations that force organizations to raise information security

awareness, it is down to the organizations to choose to use gamification to train the employees.

Gamification, flow theory and security compliance

To ensure IT security compliance, companies need to have updated knowledge

and skills, which can be achieved by offering several types of training sessions to their workforce.

When employees are asked to attend training sessions, they feel boredom and a lack of interest, which

can be addressed by following the practice of gamification, in which several types of

games and rewards can be offered to employees to learn the concepts more effectively while

maintaining a balance between the interest of employees and their learning capabilities (Baxter, Kip,

& Wood, 2016).

Human beings are key both to creating most of the vulnerabilities, breaches, and attacks

and to addressing them. Hence, their training is considered highly influential in any

organization because they are considered highly responsible for handling data and IT infrastructure

(Ruiz-Alba, Soares, Rodríguez-Molina, & Banoun, 2019). If employees were offered updated

knowledge, practices, and experiences, they would be able to make high-quality decisions

to address the problem more effectively, rapidly, and smartly without causing significant issues for

the company.

Gamification is a relatively new approach that takes advantage of the video gaming

industry to help in the training and awareness of information security. The current era is full of online

forms, which include transfer and storage of information. Using the internet to store and transfer

information poses a risk of people hacking to get the information illegally. In some instances,

the leakage of information may be unintentional; as Desai (2016) states, almost half of the security

breaches that occur in an organization emanate from within the organization. Most of the violations

are unintentional and occur because the users are not aware of the simple ways they can leak

information. Therefore, the gamification process uses gaming principles to make training on

cybersecurity engaging, entertaining, and informative. This way, the employees get to learn the

techniques of stopping leakages and following rules. In a nutshell, following regulations and

preventing leakages leads to security compliance.

Information security compliance by the employees means that the whole organization

complies and therefore has heightened security. There is a strong relationship between the theory of

flow, IT security regulatory compliance, and gamification because organizations need to

strengthen their IT infrastructure by implementing IT security compliance (Pattabiraman,

Srinivasan, Swaminathan, & Gupta, 2018).

References

Adams, M., & Makramalla, M. (2015). Cybersecurity skills training: an attacker-centric gamified

approach. Technology Innovation Management Review.

Alomari, I., Al-Samarraie, H., & Yousef, R. (2019). The role of gamification techniques in

promoting student learning: A review and synthesis. Journal of Information Technology

Education: Research, 395-417.

Alotaibi, F., Furnell, S., Stengel, I., & Papadaki, M. (2016). A Review of Using Gaming

Technology for Cyber-Security Awareness. International Journal for Information Security

Research, 660-666.

Armstrong, M. B., & Landers, R. N. (2017). An evaluation of gamified training: Using narrative

to improve reactions and learning. Simulation & Gaming, 513-538.

Al-Kalbani, A., Deng, H., & Kam, B. (2015b). Organizational security culture and information

security compliance for e-government development: the moderating effect of social

pressure. Proceedings of the 19th Pacific Asia Conference on Information Systems

(PACIS 2015) (pp. 1-11). Atlanta, GA, United States: Association for Information

Systems (AIS).

Al-Kalbani, A. (2017). A Compliance Based Framework for Information Security in E-Government in Oman.

https://pdfs.semanticscholar.org/85ae/23222e1a34c2a4e4408a00f047b160ca1c6f.pdf

AlKalbani, A., Deng, H., Kam, B., & Zhang, X. (2017). Information Security Compliance in

Organizations: An Institutional Perspective. Data and Information Management, 1(2),

104–114. https://doi.org/10.1515/dim-2017-0006

Appari, A., Johnson, M. E., & Anthony, D. L. (2009). HIPAA Compliance: An Institutional

Theory Perspective. Proceedings of the American Conference on Information Systems, 252.

Baxter, R. J., Kip, H. J., & Wood, D. A. (2016). Applying Basic Gamification Techniques to IT

Compliance Training: Evidence from the Lab and Field. Journal of Information Systems,

119-133.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An

empirical study of rationality-based beliefs and information security awareness. MIS

Quarterly, 34(3), 523-548.

Cavusoglu, H., Cavusoglu, H., Son, J.-Y., & Benbasat, I. (2015). Institutional pressures in security

management: Direct and indirect influences on organizational investment in information

security control resources. Information & Management, 52(4), 385-400.

Csikszentmihalyi, M. (1990). Flow: The psychology of optimal experience. New York, NY:

Harper and Row.

Chen, E. T. (2015). Gamification as a resourceful tool to improve work performance. In

Gamification in education and business, 473-488.

Desai, M. (2016). An integrated approach for information security compliance in a financial

services organization.

http://etd.cput.ac.za/bitstream/handle/20.500.11838/2396/205219500-Desai-MR-Mtech-IT-FID-2016.pdf?sequence=1&isAllowed=y

DiMaggio, P., & Powell, W. W. (1983). The Iron Cage Revisited: Collective Rationality and

Institutional Isomorphism in Organizational Fields. American Sociological Review, 48(2),

147-160.

Dimitriadis, C. (2011). Information Security from a Business Perspective. ISACA Journal, 1(1), 43-48.

Erenli. (2013). The impact of gamification-recommending education scenario. International

Journal of Emerging Technologies in Learning.

Edwards, J. R., Mason, D. S., & Washington, M. (2009). Institutional pressures, government

funding and provincial sport organizations. International Journal of Sport Management

and Marketing, 6(2), 128-149.

Gonzalez, H., Llamas, R., & Ordaz, F. (2017). Cybersecurity Teaching through Gamification:

Aligning Training Resources to our Syllabus. Research in Computing Science, 35-43.

Hart, S., Margheri, A., Paci, F., & Sassone, V. (2020). Riskio: A Serious Game for Cyber Security

Awareness and Education. Computers & Security.

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations:

Role of penalties, pressures, and perceived effectiveness. Decision Support Systems, 47(2),

154–165.

Kanat, I. E., Siloju, S., Raghu, T. S., & Vinze, A. S. (2013). Gamification of emergency response

training: A public health example. IEEE, (pp. 134-136).

Ke, W., & Wei, K. K. (2008). Organizational culture and leadership in ERP implementation.

Decision Support Systems, 45(2), 208-218.

Kirsch, L. J., & Boss, S. R. (2007). The Last Line of Defense: Motivating Employees to Follow

Corporate Security Guidelines. International Conference on Information Systems, Icis

2007, 103.

Kolkowska, E., & Dhillon, G. (2012). Organizational power and information security rule

compliance. Computers & Security, 33, 3-11.

Luh, R., Temper, M., Tjoa, S., Schrittwieser, S., & Janicke, H. (2020). PenQuest: a gamified

attacker/defender meta-model for cybersecurity assessment and education. Journal of

Computer Virology and Hacking Techniques, 19-61.

Mathoosoothenen, V. N., Sundaram, J. S., Palanichamy, R. A., & Brohi, S. N. (2017). An

Integrated Real-Time Simulated Ethical Hacking Toolkit with Interactive Gamification

Capabilities and Cyber Security Educational Platform. In Proceedings of the 2017

International Conference on Computer Science, (pp. 199-202).

Pattabiraman, A., Srinivasan, S., Swaminathan, K., & Gupta, M. (2018). Fortifying corporate

human wall: A Literature review of security awareness and training. In Information

Technology Risk Management and Compliance in Modern Organizations, 142-175.

Redhead, A., & Saunders, J. (2019). Gamification and Simulation. In Serious Games for

Enhancing Law Enforcement Agencies, 83-98.

Ruiz-Alba, L., J., Soares, A., Rodríguez-Molina, M. A., & Banoun, A. (2019). Gamification and

entrepreneurial intentions. Journal of Small Business and Enterprise Development.

Seaborn, K., & Fels, D. I. (2015). Gamification in theory and action. International Journal for

Information Security Research.

Seaborn, K., & Fels, D. I. (2015). Gamification in theory and action: A survey. International

Journal of Human-Computer Studies, 14-31.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information Security Policy Compliance Model

in Organizations. Computers & Security, 56, 70-82.

Thornton, D., & Francia, G. (2014). Gamification of information systems and security training:

Issues and case studies. Information Security Education Journal, 15-24.

Wolfenden, B. (2019). Gamification as a winning cybersecurity strategy. Computer Fraud &

Security, 9-12.