Teaching and Learning Cybersecurity Awareness with Gamification in Smaller Universities and Colleges

This research to practice full paper presents our investigation into the use of gamification in teaching cybersecurity awareness to students. Although there are evidences of increasing research activities in cybersecurity, cyberattacks continue to be pervasive. Academic institutions are largely responsible for educating and producing skilled professionals with cybersecurity competences. However, cybersecurity education can be challenging, especially to smaller institutions, usually characterized by meagre resources. In literature, one of the beneficial pedagogical methods for teaching cybersecurity awareness is gamification, which is based on constructivist theoretical framework. While this method has proved very useful, one major challenge is that gamification platforms can be costly to develop and difficult to maintain. This may discourage smaller institutions from using gamification to teach cybersecurity awareness. Freemium gamified platforms e.g., Kahoot! can offer an alternative that is affordable, easy to use and requires very little to no overhead cost. The research questions under investigation are: what is the impact of gamification (as an instructional method) on students' learning of cybersecurity awareness?, which game elements and what aspect of gamification best motivate students?. Using questionnaire, we asked the students, from a small university in Northwestern Pennsylvania, USA, to rate their knowledge and awareness of cyberattacks. Afterwards, we taught a cyber awareness module with 5 learning objectives to these students using gamification in Kahoot! platform. At the end of the class, we administered another questionnaire to the students and asked them to rate their knowledge and awareness of those same cyberattacks. Our analysis and statistical results show that gamification is an effective technique for knowledge acquisition in cybersecurity awareness. Furthermore, students are mostly motivated by game elements that give them a sense of achievement. Finally we found that students are more interested in the knowledge acquisition aspect of gamification rather than the entertainment and winning aspects. The results of our study may be beneficial for instructional design of introductory cybersecurity awareness courses.