A Framework for Integrating Gamification in Information Security Awareness Programmes for Higher Education Students

In the context of higher education, students are often identified as targets for security attacks due to their seeming lack of security awareness. While institutions employ technological solutions to safeguard students when engaging with official systems, this does not extend to students' own devices and cannot influence how, and if, they employ good security practices. A possible mitigation strategy is security awareness training. Literature, however, is divided about the effectiveness of such programmes due to the complacency and irreverence that many people have toward security, possibly due to occurrences of security fatigue and risk homeostasis. Gamification has been shown to be an effective method of enhancing traditional training in such a way as to enhance engagement and promote retention of concepts. There is, however, a dearth of research that investigates the application of gamification in information security awareness training for higher education students. This research, therefore, contributes a framework for the gamification of security awareness training in this context. The framework was developed through identifying gamification mechanics from literature. Possible implementations of these mechanics were presented to higher education students by means of an online self-reporting questionnaire to measure their perception in these mechanics when applied to security training. Feedback from 196 students were incorporated into the development of the resulting framework. Furthermore, the framework was influenced by the Knowledge, Attitude, and Behaviour-model that often underpins research into the human aspects of information security. The resulting framework can contribute to the practical aspects of incorporating gamification in information security awareness training for higher education students.