Conference paper, accepted for HICSS-56, 2023.
Sustainable Information Security Sensitization in SMEs:
Designing Measures with Long-Term Effect
Margit Scholl
Technische Hochschule Wildau
margit.scholl@th-wildau.de
Abstract
This paper outlines an overall scenario for ongoing
personnel development measures designed to increase
information security awareness in small and medium-
sized enterprises (SMEs) in Germany and to help small
businesses improve their security levels and defenses.
The three-year project combines different actors and a
multitude of methods, with a focus on conducting inter-
views and online surveys with companies, developing
customized game-based awareness trainings, tests, and
on-site attacks, and creating measurements and evalua-
tions as well as maturity statements, guidelines, and
low-threshold security concepts. A mix of analog/digital
serious games and operational trainings with reviews is
of key importance here. Compared with the findings
from the applied scientific literature on behavioral re-
search and design, the ultimate goal at project’s end is
to extrapolate statements on the success and efficacy of
the measures and their long-term effect.
Keywords: Awareness raising in SMEs, security train-
ings, narrative design, user experience, measurements.
1. Introduction
The 11th Allianz Risk Barometer 2022 shows cyber
perils, business interruption, and natural disasters as the
current top three business risks globally (AGCS, 2022a).
German companies fear an interruption of their business
(1st place, with 55% of the relevant responses) even
more than a cyberattack (2nd place, with 50%) (AGCS,
2022b). Survey respondents (57%) see the increase in
ransomware attacks as the top cyber threat over the com-
ing year, with worrying trends such as “dual blackmail
tactics” (AGCS, 2022b). Cyber or information security
(ISec) is also gaining importance in the area of ecologi-
cal and social corporate governance as a way to obviate
increasing difficulties with regulatory authorities, inves-
tors, and other stakeholders (AGCS, 2022b). This con-
firms earlier assessments that the continuous implemen-
tation of information security awareness (ISA) measures
not only reduces the business risk for companies but also
increases their attractiveness (known_sense, 2016). The
promise of awareness-raising measures being imple-
mented and communicated to customers represents a
competitive advantage because of the positive external
effects generated and increased trust in the company
(known_sense, 2016).
According to a recent study in Germany (DIHK,
2022), the cyberattacks of the past year have shown that
any company can be targeted by hackers. Back in 2007,
it was assumed that the various ISec measures of the
previous years had had a positive influence on the cor-
porate cultures of numerous German organizations and
the security-related behavior of employees (Zerr, 2007),
but the effects of these measures were not sustained.
German companies have recognized the dangers of a wide range of cyberattacks and taken technical precautions. There has, however, been no significant increase in organizational measures for ISec (including awareness raising and training for managers and employees), and only a third of the companies surveyed have an action plan for emergencies (DIHK, 2022). This contradiction reveals a paradox at work in German companies: an evident lack of sustained implementation of awareness-raising measures, especially in small and medium-sized enterprises (SMEs).
The research question of this paper is, How can on-
the-job trainings and further educational measures for
people in SMEs be designed and implemented in order
to establish long-term awareness and training as part of
a company security culture? This paper emphasizes a
holistic approach, which is important in developing the
necessary competences and actively involving people in
specific ISec situations. The overall scenario of an on-
going project to increase ISA in German SMEs is out-
lined, including the development and testing of analog/
digital serious games and operational reviews. Section 2
summarizes the applied behavioral research findings,
which are important in building up the overall project
scenario. Section 3 explains the project, the choice of
topics, and the methods used in the holistic approach.
Preliminary project results are summarized in section 4,
with a look ahead to the next phases of the project.
Proceedings of the 56th Hawaii International Conference on System Sciences | 2023
Page 6058
URI: https://hdl.handle.net/10125/103369
ISBN 978-0-9981331-6-4
(CC BY-NC-ND 4.0)
2. Applied research findings
ISA should be seen as part of security communica-
tion in companies and is a prerequisite for successful in-
formation security management (ISM) and the develop-
ment of an operational Information Security Manage-
ment System (ISMS) as well as a Business Continuity
Management (BCM) system. The international standard
ISO/IEC 27001 (ISO/IEC 27001:2017) defines specific
requirements for an ISMS:
continuous ISec improvements
anchoring of ISec in day-to-day business
tailoring of ISec to meet external requirements
building of trust with business partners and the
public.
ISO/IEC 27001 also explicitly requires that employees be competent and aware of the information security policy (clauses 7.2 and 7.3) and specifies what such awareness must cover. The related aspects of education, training, and ISA are addressed under the headings Resources, Competence, Awareness, and Communication (clauses 7.1 to 7.4). Legislatures, customers, and the public are also seen as drivers for ISA
(ISO/IEC 27001:2017). The need for regular awareness-
raising and training measures is therefore clear in theory
but is either not implemented in practice in SMEs or,
where implementation approaches exist, does not lead
to the desired sustainability. A number of studies con-
clude that most ISec training measures and the many op-
erational guidelines, as well as threats of sanctions and
phishing simulations, have no apparent long-term effect
(Bada et al., 2016; ENISA, 2019; ISF, 2014; Volkamer
et al., 2020). The German IT-Grundschutz (baseline
protection) of the Federal Office for Information Secu-
rity (BSI) describes the ISec risk situation as per the
ORP.3 module “Awareness and Training” (BSI, 2020):
Insufficient knowledge of regulations
Inadequate ISA
Ineffective activities in training design
Inadequate training of security functions
Undetected security incidents
Non-observance of security measures
Carelessness in handling information
Lack of acceptance of ISec requirements
Social engineering
Back in 2009, David Lacey wrote, “You can blame
individuals for making mistakes. But many will be due
either to a failure by management to provide adequate
resources, training and oversight, or to a flaw in the de-
sign of systems and processes” (Lacey, 2009, p. 52).
Risk management or risk perception is of particular im-
portance in SMEs. “But it takes time to coach managers
to identify, assess and manage risks. Complex frame-
works are off-putting. It’s better to start simple and pro-
gressively increase the level of sophistication” (Lacey,
2009, p. 132).
2.1 Information Security Awareness
ISA means conscious perception and is not even
three decades old as a research field, making it a young
discipline that requires interdisciplinary input: different
perspectives, methods, content, and other components
of awareness are emerging as the risks facing ISec and
its response requirements grow. There are numerous
definitions of ISA, some of which have very different
nuances. In psychology, ISA is related to a person’s cur-
rent situational awareness of their environment and the
resulting implications for action. Achieving sustainable
ISA is a recurring challenge, since ISec includes a wide
range of mostly abstract and complex topics. As hu-
mans, we are social beings and cannot see, taste, smell,
or touch the bits and bytes. In addition, the core focus of
the SMEs is usually on something else, and the stress of
everyday work can push ISec into the background.
The international literature on the subject often ex-
plains this in terms of the KAB model (Kruger &
Kearney, 2006): Knowledge, Attitude, Behavior. This
model has been adopted and modified by many re-
searchers. The core thesis is that ISA emerges from what employees or users know about ISec, its vulnerabilities and risks (knowledge), what they think about it (attitude), and
how they actually behave in this context. A large spec-
trum of theories has been consulted in this research field
to obtain knowledge about the real security behavior and
influencing factors. The theories most applied to explain
ISec behavior are the Theory of Planned Behavior, Gen-
eral Deterrence Theory, Compliance Theory, Protection
Motivation Theory, the Technology Acceptance Model
and the Theory of Reasoned Action, Social Bond The-
ory, and Involvement Theory (Scholl et al., 2018). Fur-
thermore, people often ignore or underestimate the ex-
tent to which their actions in a situation are determined
by the actions of others, and they often ignore or under-
estimate the persuasive effect that social norms can have
on their choices (Cialdini, 2007), which is why role mo-
dels are important. In addition, the key message that
changing the behavior of employees cannot be achieved
simply by imparting knowledge but must be accompa-
nied by further measures has not yet got through to man-
agement, CISOs, and other C-level executives (Sasse et
al., 2022). The study by Slusky & Partow-Navid (2012)
revealed that the major problem with ISA is not a lack
of security knowledge but the way that knowledge is ap-
plied in real-world situations. According to Cialdini
(2007), those involved should be honestly informed
about the damage caused by even a modicum of unde-
sirable behavior.
In German-speaking countries, the following model
has been established in operational ISA (Helisch &
Pokoyski, 2009): Knowledge, Volition, Capacity. This
means that the key elements in security awareness inter-
sect with operational training management and human
resource development, with general security communi-
cation, and with change management, defining security
awareness’s three methodological levels. This has the
following implications for awareness-raising measures
(Helisch & Pokoyski, 2009; Pokoyski et al., 2021):
Knowledge, “being informed” (elements drawn from learning theory, cognitive factors) as Layer 1: classical information processing is the (old-school) basis of security awareness. This involves imparting knowledge of security rules, guidelines (policies), security risks, and the possible consequences of security breaches.
Volition, “being willing” (elements drawn
from marketing, emotional factors) as Layer
2—merely communicating information is not
enough to have a sustained and, more im-
portantly, motivating effect on the processes of
awareness: for this reason, emotional factors
must also be addressed for all target groups.
Capacity, “being able” (elements of change management and systemic communication) as Layer 3: security culture is invariably influenced by interactions with staff as well as with
customers and partners. Security thus also in-
volves systemic factors, the interactions within
an organization (and its external relationships)
viewed in the context of its corporate culture.
Specific elements of systemic communication
are “empowerment” and dialogue-based con-
stellations (e.g., team formats).
2.2 Information Security Culture
For Lacey (2009), establishing an understanding of
security culture in organizations is a must for security
professionals. But it is not static or easily definable
(Lacey, 2009, p. 208). Security culture can be fear based
or inspirational. But trust and empowerment are more
effective and go much further (Lacey, 2009, p. 208).
When designing an organizational structure, it is im-
portant to understand that both the requirements and the
solutions can vary greatly both between and within com-
panies (Lacey, 2009, p. 208).
ISA is an aspect of both security marketing and se-
curity communication for the “Security Awareness
Framework” of the firm known_sense (2016), and these
areas, in turn, are ancillary to the concept of security cul-
ture. This implies that security culture can be viewed as
all the beliefs and values cherished by individuals and
organizations where there is agreement about the kind
of events that pose risks, and how these risks should be
countered (known_sense, 2016). Security culture is un-
derpinned by a complex process of learning and experi-
ence, in which common goals, interests, norms, values,
and behavioral patterns are established: it can thus be
regarded as a part of the corporate culture, which is a
visible manifestation of employees’ habitual approaches
to dealing with security challenges. It also delineates
how security is organized in the workplace and thus re-
flects employees’ security-related attitudes, beliefs, per-
ceptions, and values (known_sense, 2016). The term
“security culture” refers to a dynamic phenomenon that
is transformed by every significant event that takes
place in the organization (known_sense, 2016). This
process of evolution should be considered when security
awareness measures are being implemented. The above
definition suggests that ISA is part of the security cul-
ture and has a significant effect on it.
This already makes it clear that there is no simple
definition for the term “security culture” either. On the
contrary: a survey of 1,200 security experts by Forrester
Consulting on behalf of KnowBe4 enterprise in Decem-
ber 2019 produced 749 unique definitions (Collard,
2022), which can be summarized in five categories:
Compliance with security policies (29%); Awareness
and understanding of security issues (24%); Security as
everyone’s responsibility (22%); Security advocacy and
support (14%); Security embedded in the organization
(11%). In terms of content, the following seven dimensions are important for an operational security culture (Collard, 2022): Attitudes, Behaviors, Cognitive Factors, Communication, Compliance, (Social) Norms, and Responsibilities. Here, the following three attitudes toward security culture need to be considered in designing awareness and training measures (Collard, 2022):
Just because I’m aware, it doesn’t mean I care.
If you try to work against human nature, you’ll
fail.
What people do is way more important than
what they know.
2.3 Information Security Awareness Training
According to Collard (2022), information security
awareness training (ISAT) is about finding effective be-
havioral measures to close possible gaps between
awareness as knowledge, existing intentions, and con-
crete behavior. Hallsworth et al. (2016) apply a modern
understanding of human behavior to healthcare to show
that in practice this can lead to better health outcomes at
lower costs and that improvements are contingent on
such an understanding. The authors transferred the Easy,
Attractive, Social, and Timely (EAST) framework of the
Behavioral Insights Team from 2014 to their focus of
investigation: healthcare (Hallsworth et al., 2016):
Easy means minimizing the effort for those involved. Barriers, even minor ones, should be reduced to make “good” behavior more likely.
Attractive means capturing people’s limited at-
tention through visual or spatial design with
new features and simple and clear messages.
Social means that people as social beings are
strongly influenced by what others do (“social
norms”) (see also Cialdini, 2007). Making
good behavior more visible can make it appear
more common and easier to copy.
Timely means recognizing the moments of ef-
fective intervention and then implementing
measures in good time. The effect of behav-
ioral interventions should be evaluated.
For our own scenarios described in section 3 it be-
comes obvious that the EAST framework can and
should also be applied to ISec. This is where B. J.
Fogg’s (n.d.) “Behavior Design” comes into play. He
wants to help people to be successful and calls for bar-
riers to be broken down so that people can behave ac-
cordingly. “The Fogg model of behavior shows that
three elements must converge simultaneously for a be-
havior to occur: motivation, ability, and a prompt. If a
behavior does not occur, at least one of these three ele-
ments is missing” (Fogg, n.d.). His behavioral model
highlights three main motivators, Sensation, Anticipa-
tion, and Belonging, each of which has two sides: Pleas-
ure/Pain, Hope/Fear, Acceptance/Rejection (Fogg,
n.d.). These core motivators apply to everyone and are central to human experience; hence his advice (Fogg, n.d.): Focus on small steps to promote long-term
change. His model also shows that ability and motiva-
tion have a “compensatory relationship” when it comes
to performing behaviors (Fogg, n.d.). According to Fogg, there are three ways to increase ability. The worst way is to train people. Another is to give people a tool or resource that facilitates the behavior. Fogg advocates the third way: scaling back the intended target behavior so that it is easier for people to achieve. Debriefings after such exercises have, in addition, been shown to have a positive learning effect (Lacruz & Américo, 2018). In terms of behavior design,
this means focusing on the simplicity of the target be-
havior, thereby enhancing personal capability. As a con-
sequence, if the conception and design of awareness-
raising and training measures are to increase ISec, one
must first be clear about the desired behavioral chains
that are ultimately to be achieved with the measures.
The design of these measures must pay close atten-
tion to the methods of communication, especially when
efficacy and long-term effects are required. As compre-
hensive digitization has been carried out over the years,
digital teaching methods have become increasingly im-
portant, and their effect should be assessed in compari-
son to analog ISec training methods. Sixteen years ago,
Burke et al. (2006) attempted to determine the relative
effectiveness of different methods of occupational
safety and health training aimed at improving safety
knowledge and performance and reducing adverse out-
comes such as accidents, illness, and injuries. The most
engaging training methods involve active employee par-
ticipation and, as a result, lead to greater knowledge ac-
quisition and reduced accidents, illness, and injury
(Burke et al., 2006). These training methods include
practical exercises and dialogue. They are more effec-
tive than other safety and health training methods. It was
concluded at the time that these results challenge the
emphasis on more passive computer-based and remote
training methods for public health personnel (Burke et
al., 2006).
In order to develop an appropriate training concept
in line with international and national standards such as
the ISO/IEC family of standards 2700X (ISO/IEC
27000:2018(E)), or the BSI standards 200-1 to 200-4
(BSI, 2017), the risk and threat situation must be made
clear, the target groups determined, and training content
specified. Furthermore, in order to determine their effi-
cacy, the measures must also be carried out, their suc-
cess defined, and their effectiveness checked. In terms
of continuous improvement, the existing ISA must also
be regularly adapted to current circumstances and in-
creasing risks. Section 3 outlines the relevant steps and
makes it clear that great care should be taken over the
methods, design, and wording used in the measures as
per the literature summarized here in section 2.
3. The project and its overall scenario
The project “Awareness Lab SME (ALARM) In-
formation Security” is funded by the German Federal
Ministry for Economic Affairs and Climate Action
(BMWK) and runs from October 1, 2020, to September
30, 2023. The project is part of a group of support initi-
atives. SMEs benefit from a focus on concrete practical
examples as well as competence and IT security pro-
grams that are provider-neutral and tailored to the
SME’s particular needs. The BMWK allows the final
project results to be used free of charge.
A university research team and subcontractors of
the project as well as SMEs and associated partners are
developing and testing ISA tools with the aim of pro-
moting the nationwide improvement of security aware-
ness in German SMEs and thus a general increase in
ISA. To this end, an innovative process scenario for ISec
is being developed iteratively in three phases using an
agile, participatory approach; this involves experience-oriented scenarios, both analog and digital, as well as
“on-site attacks” and further checks. The overall sce-
nario is intended to raise awareness among managers
and employees with a focus on targeted personnel de-
velopment in SMEs, which is not available as yet on this
scale. Here, ISec is made concrete and tangible in the
context of work processes that have become increas-
ingly digital. At the same time, people are actively in-
volved at an emotional level in the development of
measures. This should result in a company-wide ISec
culture being established with long-term effect.
3.1 Methodology for defining the ISec topics
that are currently important in SMEs
The first step was to define the ISec topics that are
important for the target groups (employees of the four
pilot SMEs). A preliminary study (Pokoyski et al., 2021), conducted by one of the project subcontractors and based on anonymized in-depth interviews, was carried out between January and March 2021. A summary of the results was produced (in German) in
April/May 2021. The BMWK approved their publica-
tion in August 2021.
Fifteen two-hour face-to-face interviews were ini-
tially planned, and the constraints imposed by the pan-
demic meant that these were all carried out online
(Pokoyski et al., 2021). The study sample included a to-
tal of sixteen people from the pilot SMEs who were sur-
veyed in 90-minute online interviews by a three-person
team of project subcontractors. Most of the interviews
were carried out from home offices. The interviews
were conducted in secure WebEx rooms set up by the
University as project leader, although in four instances
the interviewees were at their place of work. Four of
them had management roles, nine were management
and executive assistants (including 3 IT specialists), two
were staff without managerial function or staff respon-
sibility, and one was a trainee. One participant was aged
between 18 and 25, six were between 26 and 35, four
were between 36 and 45, three were between 46 and 55,
and two were over 56. The methodology uses morpho-
logical market and media research, supplemented by
secondary research, including comparative descriptions
and key performance indicators (KPI) (Pokoyski et al.,
2021). It takes into account internal security awareness
campaign evaluations carried out by the subcontractor
between 2009 and 2020, focused on six large German
companies operating in different industries (Pokoyski et
al., 2021).
Parallel to the study, an online survey was started
by the university research team that dealt specifically
with the fields of activity in the four SMEs: the results
are published in German as the first of a total of three
planned reports (von Tippelskirch et al., 2022).
3.2 Summary and discussion of the findings
from the interviews and survey
The results of the initial online questionnaire (Report 1; von Tippelskirch et al., 2022) indicate that ISec is not currently viewed
holistically in SMEs. From the in-depth interviews
(Pokoyski et al., 2021) it was found that the issue of ISec
is directly related to the unique quality of SMEs, which
confidently present themselves in a dynamic zone in-
volving family-style, trust-based cooperation, and flex-
ibility in response to the needs of the market. It is clear
from all the interviews that the participants identify
strongly with their company and feel close ties with it.
The managing directors and other executives emphasize
the sense of belonging and loyalty felt by their employ-
ees and the high degree of confidence they have in them.
An understanding of each other’s difficulties and foibles
is evident, and the picture that is painted is of relaxed,
generally harmonious cooperation. The size of the com-
panies also facilitates direct contact with staff. A feature
of SMEs is their high degree of flexibility, the possibility of finding individual solutions, and the ability to respond quickly to the needs of the market. This agility has shown its value during the pandemic, when working in a home office has not only been sanctioned but
actively supported by the prompt provision of equip-
ment (laptops, headsets, cameras, etc.) (Pokoyski et al.,
2021).
The interviews confirm that trainings and other
awareness-raising measures are being implemented in
all the pilot SMEs taking part. However, without sup-
port, the issue of ISec is soon conflated with “data pro-
tection,” and when a holistic view is taken of security, it
is linked with “compliance,” “occupational safety,” and
“fire protection” (Pokoyski et al., 2021). When applied
to data protection, the idea of “awareness raising” is key,
covering the sensitive data that, according to the inter-
viewees, needs to be secured: personal data and sensi-
tive topics, including salary, contracts and contract de-
tails, and company secrets. The SMEs taking part in the
study have as yet made little use of holistic security
awareness concepts, of the kind envisaged in the project,
or an awareness framework with a documented strategy.
The same is true of ISA measurements and other evalu-
ations related to the raising of employee awareness.
There is a general lack of any systematic process of
awareness raising, which would help develop a func-
tioning security culture. The results of the study on ISec
topics for SMEs, weighted according to supposed rele-
vance and importance, produced the following ranking
(Pokoyski et al., 2021):
1. Passwords
2. Phishing, CEO Fraud, etc.
3. Social engineering, Manipulation, etc.
4. Apps, software, etc.
5. Security in the home office
6. Data protection in the cloud and in the context
of customers and suppliers
7. Messenger services, secure transmission, stor-
age, encryption, etc.
8. Information classification (only for SMEs
where it is an implemented process).
The topics “Mobile security” and “Safety on the
go” were accorded low priority, which can be attributed
to the COVID-19 situation (Pokoyski et al., 2021).
Corroborating the psychology-based Study 1
(Pokoyski et al., 2021) that was conducted, the online
questionnaire carried out for report 1 (von Tippelskirch
et al., 2022) also revealed that the respondents view
many ISec topics as “old” and in such general terms that
it is hard to limit them to just one activity profile. As a
result, the profiles defined in this report are lumped to-
gether into the following profile groups (von Tippel-
skirch et al., 2022): general basic competences; produc-
tion, development, sales; data processing and IT infra-
structure; maintenance and communication; organiza-
tional and PA work, administration and HR; strategic
planning and management.
ISATs should be specific to an activity profile and
its specific tasks. According to the results of both the
study and the report, this requires a higher level of ISec
maturity on the part of the SMEs. Suitable training ma-
terial is required if ISATs are to be organized efficiently
in everyday work life. In addition, a tightly woven ISec
network in the form of an optimally established “human
firewall” involves people switching roles for training
purposes and discussing and internalizing the lessons so
learned (von Tippelskirch et al., 2022). The approach
chosen in the project is to develop awareness-raising
measures as easily adaptable learning scenarios that can
ultimately be used and specified by the SMEs them-
selves. In the project, the results of the initial Study 1
and the outcomes of Report 1 are the basis for develop-
ing new awareness-raising material tailored to the con-
cerns of the SME in question and employees’ personal
engagement with the issues. The goal here (and thus the value added for SMEs) is to provide integrative interlocking measures that contribute to systematic awareness raising and help, in actual terms, to develop a security culture.
3.3 Gamification and embedded narratives
There are various methods for promoting ISA that can be used to create and model awareness: their content, implementation, and success depend, among other things, on the business model, the corporate and security culture, and the ISec maturity. From section 2 of this paper it is important to point out that ISA is a multidisciplinary area involving cognitive, emotional, and systemic factors.
Figure 1. Analog learning scenarios (aLS) under development as part of the project for SMEs (pre-final for aLS 1–5, and initial ideas for aLS 6–7):
1: Home Office
2: Password & Data Protection & Cloud
3: CEO Fraud
4: Software & Apps
5: Social Engineering (Cyber Pairs)
6: Idea for Messenger & Encryption
7: Idea for Information Classification
Although gamification or serious games as learning
support are not new, in recent years they have gained in
popularity in ISec research. However, we know from Study 1 that German SMEs still have reservations: playing should not be the main focus. Other studies also illustrate that there is a danger that the commonly used
motivational goal of winning the game causes learning
experiences designed to promote understanding and the
ability to cope with challenges (e.g., emergency re-
sponses) to fall by the wayside (Lacruz & Américo,
2018). These results from Lacruz & Américo (2018)
make it clear that debriefings positively influence the
experiential learning cycle. In addition, Schell (2020)
emphasizes that the success of a game depends to a large
extent on the player’s willingness to regard it as mean-
ingful. Naul & Liu (2020) recommend using narratives
that stimulate the imagination and include characters
with whom learners can empathize. In principle, the pri-
mary purposes of “serious” games can be diverse and
used in many areas, such as education, healthcare, ad-
vertising, and politics, for teaching or training (Arriaga
et al., 2013). The handbook (Bernardes et al., 2022) con-
tains recent research showing the broad spectrum of
gamification for economic and social development.
3.3.1 Analog learning scenarios. For ISec, we need moderation tools for discursive team settings and intensive training specific to the target group, with simulations and other discursive, gamified, or interactive elements that involve people emotionally, motivate them, and make ISec "understandable." These instruments must contain didactic and emotional components from learning theory as well as marketing components.
We must be able to enter into an intensive exchange about ISec: talk about security! The analog learning scenarios are developed jointly by the subcontractor known_sense and the university research team (see fig. 1). They are designed as assignment games for the topics defined by the pilot SMEs in Study 1 (see above), so that a moderator can easily get into conversation with the participants, and the participants with each other, giving them a chance to contribute their experience. In an analog assignment game such as the "Home Office" scenario (fig. 1), which is played on a board representing a large family house, information cards are read out loud by the participants, after which they are discussed and assigned to a suitable part of the house. Players start with risk cards, which are used to identify the critical spots in the house. After that, the focus shifts to possible improvements with the defense cards.
The tests carried out with attending participants, in three iterations per game, serve both to simplify the complexity of the topics while maintaining the attractiveness of the game and to optimize the emotional game design. The response has been very positive so far, not only from tests with the pilot companies but also at public events. Improving the detailed preparation of the feedback is an ongoing process in the project. The final versions will be made available in German for download, free of charge, from the project website.
3.3.2 Digital learning scenarios. In parallel to the seven analog serious games, seven digital games are being developed together with another subcontractor, Gamebook Studio, which uses the popular Visual Novel format to integrate the player as an active participant in his/her own story in a simple manner. Every decision the player has to make influences the further course of the game (see fig. 2).
Figure 2. Digital learning scenarios under development: one decision tree in a preliminary version.
Fig. 2 shows an excerpt from the digital scenario "The Hacker Attack," in which the player runs through the game in the role of a social engineer. Number 1 indicates the start of the digital game, which is being developed using Gamebook Technology. Green nodes in the flowchart are "story modules" that provide information to the player (text, instructions, feedback, music, etc.). Number 2 refers to a red node where the player has to make decisions, including whether they want to be addressed as a woman or a man, which is determined at the beginning. Number 3 shows a story module that is not connected by a line: the designer has already set out an alternative, but it is not integrated into the current game story. At decision point 4, the player can interrupt the game and look at the stored glossary (5) to get more input. Decision point 6 is a "time choice": the player has to decide between possibilities within a time limit and then proceeds accordingly to number 7. Should the player need too much time, the game sends her/him back (8). However, all the information the player has already accumulated is retained and leads to other options for the next step at decision point 9. This explanation shows how important the designer's empathy with the topic and the target group is in building the story.
Figure 3. Examples of avatar emotions in the project's serious digital games (pre-final version).
In each of the seven digital serious games, the player slips into a different role and experiences the concrete company situation of the ISec topic from a different perspective, e.g., that of a forensic scientist, a hacker, a security officer, or the artificial intelligence of the game company.
The digital learning scenarios can therefore be played from very different perspectives, which provide deeper insight into the various topic areas as well as the risks and dangers peculiar to them. At the same time, the player becomes more familiar with the company's situation and employees: the boss, the dispatcher, the workshop manager, and the trainee. The avatars can show some emotions (see fig. 3) and sounds can also be heard; although the figures do not speak, the situation and decision options are presented as text, so that the player has time to think about the question.
The digital games are thus not a copy of their analog counterparts. Rather, they have their own content on the topics selected for SMEs and thus represent interesting learning supplements that employees can complete independently, regardless of time and place. The variety of different perspectives also has two positive effects. On the one hand, it ensures that playing does not become boring and that the motivation to learn is sustained. On the other, it conveys the relevance of the various actors and their methods within ISec. The Visual Novel format with Gamebook Technology is therefore suitable as a simple but effective tool for conveying very different content in a separate, personalized learning experience. Every game decision not only has consequences for the further course of the personalized story but also differentiates the topic in more depth and thus offers different learning paths and levels of difficulty, depending on the player's previous knowledge, personal strengths and weaknesses, and learning preferences. This means that every type of learner and every level of knowledge is addressed through decisions, and the format is therefore suitable for use in a particularly broad target group.
However, successful learning is generally based on solid data collection and on personalization of the learning experience adapted to this data. The digital learning scenarios thus use in-game messages providing feedback on participants' decisions, showing points as stars, without disturbing their immersion in the story. KPI-based live tracking to assess user behavior and a supplementary user survey for self-assessment of the level of knowledge on the subject before and after playing the learning scenario also help in the optimization process. The feedback so far has been positive. Detailed analysis of the feedback must be left to a separate research paper.
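The node types described above (story modules, decision nodes, a glossary lookup, a time choice that sends a slow player back while keeping what they have already learned, and star-based feedback) can be made concrete with a small branching-story engine. The following Python is an added illustration and is neither the project's code nor Gamebook Studio's technology; the story text, node names, knowledge tags and point values are constructed, hypothetical content and not material from "The Hacker Attack."

```python
"""Minimal branching "visual novel" engine: story modules, decision nodes,
a glossary lookup, a time choice, and knowledge that survives a timeout so
that later decision points can offer different options.

Added illustration, not the project's or Gamebook Studio's code. The story
content, node names and point values below are constructed and hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Option:
    label: str
    goto: str                          # id of the next node, or "glossary:<term>"
    grants: frozenset = frozenset()    # knowledge the player gains by choosing it
    requires: frozenset = frozenset()  # knowledge needed before the option is shown
    stars: int = 0                     # in-game feedback points


@dataclass(frozen=True)
class Story:
    """Green node: presents text and moves on automatically."""
    text: str
    goto: Optional[str]                # None marks an end of the story


@dataclass(frozen=True)
class Decision:
    """Red node: the player must choose. With a time_limit it becomes a
    'time choice'; taking longer sends the player to on_timeout."""
    prompt: str
    options: Tuple[Option, ...]
    time_limit: Optional[float] = None
    on_timeout: Optional[str] = None


Node = Union[Story, Decision]

GLOSSARY: Dict[str, str] = {   # constructed glossary entry
    "pretexting": "Inventing a plausible story to obtain information or access.",
}

# Constructed story: a trainee gets a call from someone claiming to be IT support.
GRAPH: Dict[str, Node] = {
    "start": Story("Your desk phone rings; the display shows an unknown number.", "call"),
    "call": Decision(
        "The caller says he is from IT support and needs your password to fix a backup.",
        (
            Option("Look up 'pretexting' in the glossary", "glossary:pretexting"),
            Option("Ask for his name and a call-back number", "pressure",
                   grants=frozenset({"asked_identity"}), stars=1),
            Option("Say you are busy and will call back later", "pressure"),
            Option("Read out your password", "breach"),
        ),
    ),
    "pressure": Decision(
        "He insists the backup fails in 30 seconds and you must decide now.",
        (
            Option("Hang up and call the IT number from the intranet", "verify",
                   grants=frozenset({"verified_via_intranet"}), stars=2),
            Option("Give him the password after all", "breach"),
        ),
        time_limit=30.0,
        on_timeout="call",             # too slow: back to the call, knowledge kept
    ),
    "verify": Decision(
        "IT confirms that nobody from their team called you.",
        (
            Option("Report the call to the security officer", "reported",
                   requires=frozenset({"asked_identity"}), stars=1),
            Option("Forget about it", "end"),
        ),
    ),
    "reported": Story("The security officer warns all colleagues. Well done.", None),
    "breach": Story("The caller logs in with your password. Game over.", None),
    "end": Story("Nothing more happens today.", None),
}


def available_options(node: Decision, knowledge: frozenset) -> List[Option]:
    """Only options whose prerequisites the player has already collected are shown."""
    return [o for o in node.options if o.requires <= knowledge]


def play(graph: Dict[str, Node], script: List[Tuple[str, float]],
         start: str = "start") -> dict:
    """Run the story with a scripted sequence of (option label, seconds taken),
    standing in for a real player. Returns path, final node, stars, knowledge."""
    node_id: Optional[str] = start
    knowledge: frozenset = frozenset()
    awarded: Set[Tuple[str, str]] = set()  # (node, option) pairs already rewarded
    stars = 0
    path: List[str] = []
    glossary_seen: List[str] = []
    pending = list(script)
    while node_id is not None:
        path.append(node_id)
        node = graph[node_id]
        if isinstance(node, Story):
            node_id = node.goto
            continue
        if not pending:
            break                                   # player stopped at a decision
        label, elapsed = pending.pop(0)
        if node.time_limit is not None and elapsed > node.time_limit:
            node_id = node.on_timeout               # sent back; knowledge is retained
            continue
        matches = [o for o in available_options(node, knowledge) if o.label == label]
        if not matches:
            raise ValueError(f"'{label}' is not available at '{node_id}'")
        choice = matches[0]
        knowledge |= choice.grants
        if (node_id, label) not in awarded:         # no point farming after a timeout
            awarded.add((node_id, label))
            stars += choice.stars
        if choice.goto.startswith("glossary:"):
            path.append(choice.goto)                # look up, then back to the same decision
            glossary_seen.append(GLOSSARY[choice.goto.split(":", 1)[1]])
            continue
        node_id = choice.goto
    return {"path": path, "end": path[-1], "stars": stars,
            "knowledge": set(knowledge), "glossary": glossary_seen}


if __name__ == "__main__":
    print(play(GRAPH, [("Ask for his name and a call-back number", 5),
                       ("Hang up and call the IT number from the intranet", 40),
                       ("Ask for his name and a call-back number", 3),
                       ("Hang up and call the IT number from the intranet", 10),
                       ("Report the call to the security officer", 2)]))
```

A scripted list of (option, seconds taken) stands in for the real player, which makes a learning path reproducible: the script in the main block times out at the pressure node, is sent back to the call, keeps the knowledge it already gained and is not awarded the same stars twice, and the "Report" option only appears to a player who earlier asked the caller for his identity.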
3.3.3 On-site attacks. In addition to the seven analog and digital learning scenarios, the project also includes seven on-site attacks, for which another subcontractor is responsible. Ethical questions and the agreements with the managing directors of the SMEs also play a key role. Additional practice-oriented instructions and tips for low-threshold security concepts for SMEs should emerge from the relevant findings. These will also be available on the project website at its completion. The overall feedback from these gamified processes, which will not be complete until 2023, must also be left to a separate research paper.
So far, one phishing attack has been carried out in the project. Another three "on-site attacks" are planned for 2022, with three more to be coordinated in 2023.
Conducting on-site attacks is tricky and must be done with extreme caution. Some scientists have grave concerns about them (see Volkamer et al., 2020). However, the aim of our project is to enhance employee awareness: the procedure should thus not be perceived by employees as an "attack" on their personal work processes or lead to personal exposure. Every on-site attack must be designed in such a way that it does not have a negative impact on the working atmosphere and the culture of trust in the company. It is important to ensure that employees feel safe/secure in their work environment and see the on-site attacks as a supporting tool to raise awareness. The attacks are always discussed with the responsible persons in the company, and all employees receive all the relevant information and results before and/or after the attacks, so that these attacks do not damage the company's culture of trust and error.
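The requirement above that an on-site attack must not lead to personal exposure can be enforced in how the results are evaluated and shared. The following Python is an added illustration, not the project's own tooling: it takes constructed, pseudonymous results of a simulated phishing mail and releases only group-level figures, pooling departments that are too small (an assumed threshold of five) or in which everyone fell for the mail, since a 100 % rate reveals every member's behaviour.

```python
"""Group-level reporting of a simulated phishing exercise with small-group
suppression, so that no individual employee's outcome can be read off the
figures that are shared in the company.

Added illustration, not the project's tooling. The log lines are constructed,
and MIN_GROUP is an assumed policy threshold.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

MIN_GROUP = 5                       # assumed: smaller groups are pooled, never shown alone
OUTCOMES = ("reported", "ignored", "clicked", "submitted")

# Constructed log: pseudonymous id;department;outcome (one recipient per line)
SAMPLE_LOG = """\
u01;dispatch;reported
u02;dispatch;clicked
u03;dispatch;ignored
u04;dispatch;reported
u05;dispatch;clicked
u06;dispatch;submitted
u07;workshop;reported
u08;workshop;reported
u09;workshop;ignored
u10;workshop;reported
u11;workshop;clicked
u12;workshop;ignored
u13;workshop;reported
u14;management;clicked
u15;management;ignored
u16;trainees;clicked
u17;trainees;clicked
u18;trainees;clicked
u19;trainees;clicked
u20;trainees;clicked
"""

Event = Tuple[str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse 'id;department;outcome' lines; rejects malformed or unknown outcomes."""
    events: List[Event] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";")
        if len(parts) != 3 or parts[2] not in OUTCOMES:
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        events.append((parts[0], parts[1], parts[2]))
    return events


def release(counts: Counter, min_group: int) -> Optional[dict]:
    """Return a group summary, or None if publishing it would expose people:
    the group is too small, or everyone in it fell for the mail (a 100 %
    click rate identifies each member's behaviour)."""
    n = sum(counts.values())
    fell_for_it = counts["clicked"] + counts["submitted"]
    if n < min_group or fell_for_it == n:
        return None
    return {"n": n,
            "click_rate": round(fell_for_it / n, 2),
            "report_rate": round(counts["reported"] / n, 2)}


def aggregate(events: List[Event], min_group: int = MIN_GROUP) -> Dict[str, dict]:
    """Per-department figures; groups that may not be released are pooled
    into one 'other' bucket, and that bucket is checked by the same rule."""
    by_dept: Dict[str, Counter] = defaultdict(Counter)
    for _uid, dept, outcome in events:       # the id is only ever counted, never kept
        by_dept[dept][outcome] += 1
    report: Dict[str, dict] = {}
    pooled: Counter = Counter()
    for dept in sorted(by_dept):
        summary = release(by_dept[dept], min_group)
        if summary is None:
            pooled.update(by_dept[dept])
        else:
            report[dept] = summary
    if pooled:
        summary = release(pooled, min_group)
        report["other (pooled)"] = summary or {"n": sum(pooled.values()), "suppressed": True}
    return report


if __name__ == "__main__":
    for group, figures in aggregate(parse_log(SAMPLE_LOG)).items():
        print(f"{group:16} {figures}")
```

Run as a script it prints one line per released group. Whatever the tool that sent the mails records, the record kept for the debriefing should look like the output of aggregate(), not like SAMPLE_LOG: the per-person rows exist only long enough to be counted, and neither an identifier nor the name of a pooled department appears in the result.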
3.4 Security Awareness Measurements
Security is not so much a state as a process. All measures must be checked for their effectiveness in operational work, including security and awareness measures, because otherwise processes cannot be managed and improved. The "Return on Security Investment" (ROSI), for example, is not compatible with a holistic view of ISA. Different approaches are therefore required to verify the effectiveness of ISA measures.
Figure 4. The overall scenario of ongoing personnel development to increase ISA in SMEs
Moreover, it is evident that ISA measurement (ISAM) is an interdisciplinary challenge and an open research question in scientific terms. We know that risk perception is an important indicator. But WHAT do we actually measure, and HOW? How can we infer consciousness from a person's understanding or attitude? How can we infer actual behavior from this? Do questionnaires and tests with knowledge surveys reflect reality? Probably not. We would need to observe people in their everyday lives, making them "transparent" in terms of their personal data, which is not desirable in an open, democratic society. While being fully aware of this problem, we still want to try to implement ISAM in the project in two different ways. The first approach uses the analog and digital learning scenarios with test and control groups, and pre- and post-tests. In the second approach, the mathematical partial order methodology is examined for a possible ranking; however, it is still not clear which indicators are actually suitable for this purpose. The ultimate goal of these efforts is a maturity model for awareness, incorporating all the elements, results, experiences, expectations, and knowledge (see fig. 4).
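As an added example of what the partial order methodology mentioned above does with several indicators (not the project's method or data: the indicator names, the 0..5 scale and the profile values are constructed assumptions), the following Python compares hypothetical awareness profiles by componentwise dominance and shows where a single summary score would impose an order that the data does not support.

```python
"""Partial-order comparison of awareness profiles (a Hasse diagram view),
as opposed to collapsing several indicators into one score and forcing a
total ranking.

Added illustration, not the project's method or data: the indicator names,
the 0..5 scale and the profile values are constructed assumptions.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

INDICATORS = ("knowledge", "attitude", "behaviour", "reporting")   # assumed

Profiles = Dict[str, Tuple[int, ...]]
Pair = Tuple[str, str]

# Constructed profiles of five hypothetical SMEs, one value per indicator
PROFILES: Profiles = {
    "A": (5, 4, 4, 3),
    "B": (4, 4, 3, 3),
    "C": (2, 5, 5, 2),
    "D": (2, 2, 3, 3),
    "E": (1, 2, 2, 1),
}


def dominates(x: Tuple[int, ...], y: Tuple[int, ...]) -> bool:
    """x is at least as good as y in every indicator."""
    return len(x) == len(y) and all(a >= b for a, b in zip(x, y))


def order(profiles: Profiles) -> Set[Pair]:
    """Strict partial order as (lower, higher) pairs; identical profiles are
    equivalent and therefore not ordered against each other. Dominance is
    transitive, so the pairwise result is already the full relation."""
    rel: Set[Pair] = set()
    for p, q in combinations(profiles, 2):
        if profiles[p] == profiles[q]:
            continue
        if dominates(profiles[q], profiles[p]):
            rel.add((p, q))
        elif dominates(profiles[p], profiles[q]):
            rel.add((q, p))
    return rel


def incomparable(profiles: Profiles) -> Set[FrozenSet[str]]:
    """Pairs that a single score would rank but the data cannot order."""
    rel = order(profiles)
    return {frozenset((p, q)) for p, q in combinations(profiles, 2)
            if profiles[p] != profiles[q]
            and (p, q) not in rel and (q, p) not in rel}


def cover_relation(profiles: Profiles) -> Set[Pair]:
    """Edges of the Hasse diagram: ordered pairs with nothing in between."""
    rel = order(profiles)
    return {(p, q) for (p, q) in rel
            if not any((p, z) in rel and (z, q) in rel for z in profiles)}


def maximal(profiles: Profiles) -> Set[str]:
    """Profiles that nothing dominates: the 'best' set, not necessarily one winner."""
    rel = order(profiles)
    return {p for p in profiles if not any(lo == p for lo, _ in rel)}


def minimal(profiles: Profiles) -> Set[str]:
    """Profiles that dominate nothing: where attention is needed first."""
    rel = order(profiles)
    return {p for p in profiles if not any(hi == p for _, hi in rel)}


def score_ranking(profiles: Profiles) -> List[str]:
    """The naive alternative: sum the indicators and sort. Ties and
    incomparable profiles are silently turned into a definite order."""
    return sorted(profiles, key=lambda p: -sum(profiles[p]))


if __name__ == "__main__":
    print("Hasse edges:", sorted(cover_relation(PROFILES)))
    print("maximal:", sorted(maximal(PROFILES)), "minimal:", sorted(minimal(PROFILES)))
    print("incomparable:", [sorted(s) for s in incomparable(PROFILES)])
    print("score ranking:", score_ranking(PROFILES))
```

In the constructed data, B and C have the same total score, but neither dominates the other: the partial order leaves them incomparable and reports both A and C as maximal elements, whereas the score ranking places C behind B purely by tie-breaking. Which indicators belong in the profile, the question left open above, is exactly the choice that determines these results.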
4. Limitations, current conclusions, summary, and outlook
The results of the interviews (Study 1: Pokoyski et al., 2021) and the survey (Report 1: von Tippelskirch et al., 2022) cannot be regarded as representative because of the small size of the samples (four pilot SMEs). Nevertheless, they give a concrete and up-to-date insight into how ISec and ISA are faring in German SMEs. In the project, the results and the further participation of the SMEs form a valuable basis for personal examination of the ISec topics. Narratives with references to daily life and the working world seem to be suitable communication tools. Their design must actively involve people in dialogue about ISec, touch them emotionally, and include their own experiences. The added value of the project lies in the systematic and integrative interlocking of a wide variety of measures that contribute to systemically oriented awareness-raising and specifically to the development of a security culture.
The project deviates significantly from previous, unsuccessful forms of classic ISA training. The final versions of the gamified training materials, the results of the awareness measurements, the instructions and low-threshold security concepts, and well-founded statements on the degree of maturity can only be expected at the end of the project in fall 2023.
5. Acknowledgements
As the initiator of "Awareness Lab SME (ALARM) Information Security" and project manager, I would like to thank the Federal Ministry for Economic Affairs and Climate Action for funding this project. I am grateful to our long-standing security awareness partner, the company known_sense, and the other subcontractors, Gamebook Studio, Thinking Objects, and sudile, whose special input into the project can be found on the project website https://alarm.wildau.biz/en. My special thanks to the pilot companies for their active involvement and to my research team, also featured on the project website, who have moved the project forward in different constellations. Finally, I would like to acknowledge the anonymous reviewers for their helpful critical comments. Many thanks, too, to Simon Cowper for his detailed and professional proofreading of the text.
6. References
AGCS – Allianz Global Corporate & Specialty SE (Ed.) (2022a). Allianz Risk Barometer 2022 (English version: worldwide results).
AGCS – Allianz Global Corporate & Specialty SE (Ed.) (2022b). Allianz Risk Barometer 2022 (German version: results of Germany).
Arriaga, P., Esteves, F., & Fernandes, S. (2013). Playing for better or for worse? Health and social outcomes with electronic gaming. In M. M. Cruz-Cunha, I. M. Miranda & P. Gonçalves (Eds.), Handbook of research on ICTs for human-centered healthcare and social care services (pp. 48–69). IGI Global.
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber Security Awareness Campaigns: Why do they fail to change behaviour? arXiv, abs/1901.02672.
Bernardes, O., Amorim, V., & Moreira, A. C. (Eds.) (2022). Handbook of Research on Cross-Disciplinary Uses of Gamification in Organizations. IGI Global.
Burke, M. J., Sarpy, S. A., Smith-Crowe, K., Chan-Serafin, S., Salvador, R. O., & Islam, G. (2006). Relative effectiveness of worker safety and health training methods. American Journal of Public Health, 96(2), 315–324.
Cialdini, R. B. (2007). Descriptive social norms as underappreciated sources of social control. Psychometrika, 72(2), 263–268.
Collard, A. (2022). "Verhaltensdesign in Security Awareness Programmen" / "Behavioral Design in Security Awareness Programs." Webinar of KnowBe4, May 20, 2022.
DIHK – Deutscher Industrie- und Handelskammertag e. V. (Ed.) (2022). Zeit für den digitalen Aufbruch: Die IHK-Umfrage zur Digitalisierung / Time for the digital awakening: The IHK survey on digitization.
ENISA – European Union Agency for Network and Information Security (2019). Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity.
BSI – Federal Office for Information Security (Ed.) (2020). BSI-Kompendium, Baustein ORP.3.
BSI – Federal Office for Information Security (Ed.) (2017). BSI-Standards.
Fogg, B. J. (n.d.). Fogg Behavior Model. Retrieved May 26, 2022, from https://behaviormodel.org/
Hallsworth, M., Snijders, V., Burd, H., Prestt, J., Judah, G., Huf, S., & Halpern, D. (2016). Applying behavioral insights: simple ways to improve health outcomes. World Innovation Summit for Health, Doha, Qatar, 29–30 November.
Helisch, M., & Pokoyski, D. (Eds.) (2009). Security Awareness – Neue Wege zur erfolgreichen Mitarbeiter-Sensibilisierung / Security Awareness – New ways to successfully raise employee awareness. Wiesbaden: Springer Vieweg.
ISF (2014). From Promoting Awareness to Embedding Behaviors: Secure by choice not by chance.
ISO/IEC 27001:2017. Berlin: Beuth, 2017.
ISO/IEC 27000:2018(E). Information technology – Security techniques – Information security management systems – Overview and vocabulary. International Standard ISO/IEC 27000, fifth edition 2018-02.
known_sense (Ed.) (2016). Security Awareness Framework. Cologne.
Kruger, H. A., & Kearney, W. D. (2006). A prototype for assessing information security awareness. Computers & Security, 25(4), 289–296.
Lacey, D. (2009). Managing the Human Factor in Information Security: How to win over staff and influence business managers. John Wiley & Sons.
Lacruz, A. J., & Américo, B. L. (2018). Debriefing's Influence on Learning in Business Game: An Experimental Design. BBR – Brazilian Business Review, 15, 192–208.
Naul, E., & Liu, M. (2020). Why Story Matters: A Review of Narrative in Serious Games. Journal of Educational Computing Research, 58(3), 687–707.
Pokoyski, D., Matas, I., Haucke, A., & Scholl, M. (2021). Qualitative Wirkungsanalyse Security Awareness in KMU (Projekt "ALARM Informationssicherheit") (p. 72). Wildau: Technische Hochschule Wildau.
Sasse, M. A., Hielscher, J., Friedauer, J., & Peiffer, M. (2022). Warum IT-Sicherheit in Organisationen einen Neustart braucht / Why IT security in organizations needs a fresh start. In Federal Office for Information Security (BSI) (Ed.), Proceedings of the 18. Deutscher IT-Sicherheitskongress des BSI / 18th German IT Security Congress of the BSI, February 2022.
Schell, J. (2020). Die Kunst des Game Designs: bessere Games konzipieren und entwickeln. BoD – Books on Demand. 2nd edition, 2016.
Scholl, M. C., Fuhrmann, F., & Scholl, L. R. (2018). Scientific knowledge of the human side of information security as a basis for sustainable trainings in organizational practices. Proceedings of the 51st Hawaii International Conference on System Sciences.
Slusky, L., & Partow-Navid, P. (2012). Students Information Security Practices and Awareness. Journal of Information Privacy and Security, 8(4), 3–26.
Volkamer, M., Sasse, M. A., & Boehm, F. (2020). Analysing Simulated Phishing Campaigns for Staff. European Symposium on Research in Computer Security (pp. 312–328). Cham: Springer.
von Tippelskirch, H., Schuktomow, R., Scholl, M., & Walch, M. C. (2022). Report zur Informationssicherheit in KMU – Sicherheitsrelevante Tätigkeitsprofile (Report 1) (p. 111). Wildau: TH Wildau.
Zerr, K. (2007). Security-Awareness-Monitoring. DuD – Datenschutz und Datensicherheit 31. Wiesbaden: Springer Gabler.
Page 6067
... In the project "Awareness Lab SMEs (ALARM) Information Security" funded by the German Federal Ministry of Economics and Climate Protection (BMWK) from 2020 to 2023, an overall scenario is being developed to explore new, human-centered ways of increasing information security on a long-term basis in German SMEs. In addition to extensive literature reviews on the situation in companies, the current status of ISA was observed in the project using a combination of different methods [1], [13]. This third study of the "ALARM Information Security" project rounds off the series of project studies, with desk research conducted by the subcontractor known_sense. ...
... Our modern gamebased analog awareness-raising measures to create long-term information security and data protection are characterized by: • active participation • a haptic approach • interactivity • discursive settings • stories/narratives to enhance memory • the ability to contribute personal experience • flexible timing (from 15-minute sessions during breaks to hour-long intensives) It has been scientifically recognized for decades that a mix of methods is necessary for different target groups, different types of learners, and abstract topics [20]. In addition to the analog serious games, our project has therefore also focused on the development of supplementary digital serious games [13] [21] [22], which can be accessed for individual play via the project website [23]. When using the digital serious games for business purposes, it is important that there is a debriefing within the team in order to support the discursive nature of the training. ...
... When using the digital serious games for business purposes, it is important that there is a debriefing within the team in order to support the discursive nature of the training. In addition, suitable "on-site attacks" (simulations, on-site inspections) were carried out; their findings are reflected in instructions for action and low-threshold security concepts for SMEs [13] [23]. In addition, the topics we deal with to raise awareness are of lasting interest to employees, since they all relate to and are important in private life-this is repeatedly emphasized in both the empirical (e.g., [24]) and the scientific literature (e.g., [25] [26]). ...
... Seven classes of cybera?acks could be iden:fied, challenging not only on a na:onal level but also globally [1]. The situa:on is far more difficult for small enterprises or private persons, as cybersecurity relates to individual or staff capacity and is thus o_en not adequately performed [2]. In contrast to larger enterprises, where the informa:on flow can be assumed to be organized hierarchically and thus work efficiently, the informa:on sources and sinks in smaller enterprises may be associated with a variety of job profiles, such as produc:on, process management, marke:ng, and others. ...
Preprint
Full-text available
Cybersecurity is playing an increasing role in society today. Private individuals and small to medium-sized enterprises often do not have the staffing capacity to install their information security team, including IT administrators, who could protect the enterprise against cyberattacks. A crucial step toward improving the company’s defenses against cyberattacks is to increase the information security awareness of all employees. The present study focuses on a method defining a multidimensional awareness indicator applying Rasch and partial order methodology. The method is designed to suggest in a graphic form how awareness can be “sharpened” in the company through a multidimensional awareness indicator, derived from questionnaires. A two-step procedure is presented, involving the analysis of questionnaires and, subsequently, displaying an awareness indicator.
... . (Scholl, 2023) . ...
Article
Full-text available
Purpose: Simultaneously with the developments of the 20th century and the process of globalization in the present era, information and communication technology has facilitated the emergence of a networked society. The new world has evolved into a network whose primary structure is information and electronic communication systems. The transformation of social interactions into virtual communities has led to the rise of social insecurity and new forms of crimes and misdemeanors in virtual spaces. Gradually, with the expansion of information and communication technology, especially the Internet, and subsequently the proliferation of threats and risks associated with it, the concepts of information security, information systems security, and cyber security were also developed. Just as soldiers are trained to handle various threats in war, the world of information is a real battlefield, with hackers and cyber-attacks posing significant risks. Information security experts should be equipped with the necessary skills to effectively deal with cyber-attacks, much like expert soldiers. The current applied developmental research is focused on identifying key indicators to design effective behavioral patterns for information security experts dealing with cyber threats. Method: In this study, a purposeful and development-oriented approach was employed, using a meta-composite and qualitative-quantitative (sequential-exploratory) method. Initially, 112 sources were selected from 270 primary sources using a library method and were the focus of the work. To identify the security components of information systems, the Barroso and Sandlowski 2007 seven-step technique was utilized, resulting in the calculation of 142 indicators from the selected documents. After clustering the indicators using RapidMiner software, the research identified 5 dimensions and 17 components. 
Subsequently, a two-stage Delphi method involving two groups of 15 experts was employed to evaluate the questions, value assessment, and validity. Following the completion of the qualitative phase, the study progressed to the quantitative or exploratory stage. An invitation letter and questionnaire, comprising 125 verified indicators, were then prepared and sent to 156 information security experts. And after receiving 111 complete questionnaires, which meets Cochran's requirement for a minimum statistical population size of 111 people, the questionnaire collection phase concluded, and the analysis process commenced with the assistance of SPSS and MATLAB software. Findings: In this study, the dimension of "security threats" has the highest factor load weight of 0.983 among all other dimensions. Within the "security threats" dimension, the component of "unintentional damages" has the highest weight compared to other components. The dimension of "security vulnerabilities" follows with a factor load weight of 0.979, ranking second. The "process factors" dimension ranks third with a factor load weight of 0.975, and the "human factors" dimension also has a factor load weight of 0.975. The fourth rank is held by the dimension of "0.970," and finally, the "technical factors" dimension, with a factor loading of 0.920, ranks last among the dimensions of this research. Despite receiving the lowest score and weighting overall, the "technical factors" dimension has the highest factor load weight assigned to the components of "encryption" and "equipment," with a score of 0.978, and the lowest score assigned to the components of "monitoring" with a weight of 0.88 and "planning" with a weight of 0.84. In the following, the obtained results and prioritizations were compared with those of other studies, and the validity of the results was confirmed based on the validation and verification of the comparisons. 
Conclusion: In general, it should be noted that, contrary to the opinion of most data-oriented companies that prioritize "technical factors" in information security, the results obtained in this study have shown that this assumption was incorrect. The importance of the behavioral patterns of information security experts has been confirmed, which is influenced by laws, organizational structure, organizational culture, and training. Finally, with the assistance of the weights assigned to the obtained components and indicators, suggestions were made to modify the behavioral patterns of information security experts after ranking and prioritizing the components and characteristics.
... The work of the "Information Security & Awareness" research team at TH Wildau has shown in various projects and studies with different project partners that the psychological background of security behavior must be taken into account when raising awareness of information security and data protection. This means that the vivid and practical communication of threats and corresponding security measures is necessary in order to emotionally involve the participants, achieve active awareness raising, promote motivation, and create more lasting information security awareness (Scholl 2023a). In recent years, the research group has published numerous scientific publications in German and English on this topic. ...
Experiment Findings
Full-text available
This is a short summary in English of the German project documentation “Awareness Lab SME (ALARM) Information Security,” which is published in February 2024 by https://buchwelten-verlag.de/ebooks.php ISBN: BOOK 978-3-945740-75-0 PDF 978-3-945740-77-4 EPUB 978-3-945740-76-7 As planned, all the important materials (in German) of the project in tried-and-tested digital and analog form for raising awareness among SME employees have been available since September 2023: they can be obtained free of charge for internal, non-commercial use from the project website https://alarm.wildau.biz/. In the hope that by reading the project documentation in German, you will also find useful suggestions relating to your own operational implementation and, above all, have fun trying out the analog and digital awareness-raising materials and passing on our findings, I wish us all an active “Talk about Security!”
... The BMWK only allows learning scenarios for German SMEs to be developed in German: the final versions can be used free of charge by all organizations for internal, noncommercial purposes and will be available from the project website in September 2023 [61]. The overall approach of the project is summarized in [62]. ...
Chapter
Full-text available
The COVID-19 pandemic triggered a large, sustained shift to working from home. This sudden shift to a new environment rapidly increased the opportunities for cyberattacks on individuals. The employees of small- and medium-sized companies can be seen as a major new target for cyberattacks because cybercrime prevention is often neglected in home offices. Human beings are the current target of cyberattacks as well as the last line of defense, especially when technology fails. Awareness of cyber situations is an essential aspect of managing information security risks. Continuous information security awareness measures targeted to all employees are an existential necessity for companies if they are to develop their digitization successfully. The article illustrates a German project developing an overall scenario with a mix of measures for companies designed to raise such awareness. Analog and digital narrative serious games with interactive and discursive elements focused on the home office are described in detail as a part of the overall scenario. They must be carefully designed and used within a practice-oriented mix for the target groups, so that information security is made tangible and comprehensible. All materials will be made available for noncommercial use in German on the project website by September 2023.
... Demgegenüber gab es keinen nennenswerten Anstieg an organisatorischen Maßnahmen für Informationssicherheit und nur ein Drittel der in der DIHK-Studie befragten Unternehmen verfügt über einen Notfallplan [41]. [38], [49]. ...
Book
Full-text available
Grundlage dieser Studie ist Desk Research, u. a. mit den beiden oben benannten tiefenpsychologischen Wirkungsanalysen, u. a. basierend auf Tests, Fokusinterviews bzw. Gruppendiskussionen mit insgesamt 136 Probanden/-innen aus KMU. Darüber hinaus kamen insbesondere auch beim FAQ und den Detailempfehlungen die Erfahrung während dieses Projektes und die 20-jährige Erfahrung von known_sense in Bezug auf Security Awareness-Kampagnen bei mehr als 150 Organisationen bzw. Unternehmen sowie insbesondere bei der Kreation und Durchführung von Lernstationsformaten (u. a. Serious Games) bzw. der Erstellung interner Security Awareness-Konzepte und -Frameworks für Kunden/-innen zum Zuge. Im Kapitel 5 werden die Erkenntnisse aus dem Gesamtszenario und den drei Studien des Projekts „Awareness Labor KMU (ALARM) Informationssicherheit“ im Lichte weiterer Literatur reflektiert und ein konzeptioneller Ausblick gegeben.
Research Proposal
Full-text available
Der Begriff Informationssicherheit bezieht sich auf den Schutz von Informationen jeglicher Art und Herkunft. Gefährdungen existieren durch menschliche Fehlhandlungen, organisatorische Mängel, vorsätzliche Handlungen, technisches Versagen oder höhere Gewalt. Führungskräfte und Mitarbeitende der Unternehmen sollten daher gegenüber technischen und organisatorischen Maflnahmen (TOM), mit denen den Gefährdungen angemessen begegnet werden kann, aufmerksam sein. Dies setzt in den Unternehmen eine aktive Personalentwicklung zur Informationssicherheit und ein umfangreiches Risikomanagement hinsichtlich der betrieblichen Prozesse voraus. Das Projekt erfüllt trotz widriger Umstände infolge der Corona-Pandemie seine Ziele: Basierend auf Aussagen von deutschen KMU durch Interviews (veröffentlichte Studien 1, 2, 3) und Online-Umfragen (veröffentlichte Reports 1 und 3) wurden sieben analoge Lernszenarien, sieben digitale Serious Games und sieben niederschwellige Sicherheitskonzepte für KMU konzipiert, in der Praxis erprobt und mit Projektende kostenfrei für die nicht-kommerzielle Nutzung zur Verfügung gestellt. Darüber hinaus hat das Projektteam noch weitere Ergänzungen innerhalb einer sehr aktiven Öffentlichkeitsarbeit zur Verfügung gestellt: ein digitaler Selbsttest für Mitarbeitende, ein zusätzliches Serious Passwort-Hacking-Game sowie etliche deutsche und englische wissenschaftliche Veröffentlichungen. Das Projekt „ALARM Informationssicherheit“ basiert auf dem Grundsatz „Digitalisierung nur mit Informationssicherheit.“ Informationssicherheit nur mit Awareness.“ https://alarm.wildau.biz/static/fe062649349d53eac94582900bc76c1c/alarm-schlussbericht-2024.pdf ISBN: 978-3-949639-09-8 The term information security refers to the protection of information of all types and origins. Information security threats may arise from human error, organizational deficiencies, intentional actions, technical failure, or force majeure. 
Managers and employees of companies should therefore be attentive to technical and organizational measures (TOM) that can be used to adequately address the risks. This requires active personnel development focused on information security and extensive risk management with regard to operational processes. The project met its goals despite the adverse circumstances resulting from the Covid pandemic. Based on statements from German SMEs gathered from interviews (published studies 1, 2, 3) and online surveys (published reports 1 and 3), seven analog learning scenarios, seven digital serious games, and seven low-threshold security concepts for SMEs were designed, tested in practice, and made available free of charge for non-commercial use at the end of the project. In addition, the project team has made other additions available as part of a very active public relations effort: a digital self-test for employees, an additional serious password-hacking game, and a number of German and English scientific publications. The “ALARM Information Security” project is based on the principle “Digitization only with information security. Information security only with awareness.” https://alarm.wildau.biz/static/fe062649349d53eac94582900bc76c1c/alarm-schlussbericht-2024.pdf ISBN: 978-3-949639-09-8
Article
This paper studies the influence of debriefing on the learning of participants in business games. Through a quasi-experimental study we examined the self-declarations of 112 undergraduate Business Management students in their 8th term, divided into two groups: experimental, exposed to debriefing; and control, not exposed to debriefing. Mann-Whitney tests revealed that the quantum of learning perceived by the members of the experimental group was statistically significantly higher than that of the members of the control group in seven out of nine learning variables assessed (p < 0.05). The average effect size (d = 0.45) shows an average improvement of 18%. These results suggest that debriefing positively influences the experiential learning cycle promoted by business games. From the perspective of Kolb’s experiential learning cycle (Kolb, 1984), our findings suggest that the Reflective observation and Abstract conceptualization stages can be reinforced by debriefing activities subsequent to the simulation rounds, in order to enhance continuous processes of action and reflection by the participants, according to the spiral experiential learning cycle.
Conference Paper
Comprehensive digitization leads to new challenges because of cybercrime and related security countermeasures. There is no doubt that this will fundamentally affect our lives and is leading to an increase in the importance of information security (IS). However, technology solutions alone are not sufficient to ensure IS countermeasures. The human side of security is important to protect organizational assets like user information and systems. The paper illustrates these relationships in terms of information security awareness (ISA), examining its goals and the factors influencing it through the systematic analysis and review of scientific literature and the transfer of scientific knowledge for practical purposes. We reviewed the publications of leading academic journals in the field of IS over the past decade.
Article
Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.
Article
Böckenholt and van der Heijden’s results regarding compliance with insurance regulations—that the enforcement activities of a regulatory agency were relatively unpredictive of compliance—are consistent with findings from other domains (e.g., tax adherence), where personal factors and informal social controls have been shown to play a more significant role. However, the specific form of informal social control investigated in Böckenholt and van der Heijden’s study (the perceived approval/disapproval of friends and family) is not the only kind of informal social control that has proven effective in spurring compliance. Descriptive social norms, which involve perceptions not of what others approve but of what others actually do, also influence compliance decisions powerfully. Yet, the role of descriptive social norms in rule adherence is often underappreciated by governed and governors alike. The consequences of this relative lack of recognition are discussed within the arena of compliance with pro-environmental regulations and requests.
Article
We sought to determine the relative effectiveness of different methods of worker safety and health training aimed at improving safety knowledge and performance and reducing negative outcomes (accidents, illnesses, and injuries). Ninety-five quasi-experimental studies (n=20991) were included in the analysis. Three types of intervention methods were distinguished on the basis of learners' participation in the training process: least engaging (lecture, pamphlets, videos), moderately engaging (programmed instruction, feedback interventions), and most engaging (training in behavioral modeling, hands-on training). As training methods became more engaging (i.e., requiring trainees' active participation), workers demonstrated greater knowledge acquisition, and reductions were seen in accidents, illnesses, and injuries. All methods of training produced meaningful behavioral performance improvements. Training involving behavioral modeling, a substantial amount of practice, and dialogue is generally more effective than other methods of safety and health training. The present findings challenge the current emphasis on more passive computer-based and distance training methods within the public health workforce.
Article
This paper by Dr. Maria Bada and Professor Angela Sasse focuses on Security Awareness Campaigns, trying to identify factors which potentially lead to the failure of these campaigns in changing the information security behaviours of consumers and employees. Past and current efforts to improve information security practices have not had the desired effect. In this paper, we explain the challenges involved in improving information security behaviours. Changing behaviour requires more than giving information about risks and correct behaviours: firstly, people must be able to understand and apply the advice, and secondly, they must be willing to do so, and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour (e.g. theory of reasoned action, theory of planned behaviour, protection motivation theory). We review the suitability of persuasion techniques, including the widely used fear appeals. Essential components for an awareness campaign as well as factors which can lead to a campaign’s failure are also discussed. In order to enact change, the current sources of influence, whether conscious or unconscious, personal, environmental or social, that are keeping people from enacting vital behaviours need to be identified. Cultural differences in risk perceptions can also influence the maintenance of a particular way of life. Since the vast majority of behaviours are habitual, the change from existing habits to better information security habits requires support. Finally, we present examples of existing awareness campaigns in the U.K., Australia, Canada and Africa.
Article
Literature has shown that immersive learning environments such as digital educational games and simulations often incorporate storytelling elements in their designs as narrative can be an effective way of making learning more meaningful to students. The purpose of this study is to review the literature on the role narrative can play in the experience of a learner engaging in learning games and to synthesize research on features of story that have demonstrated success in these learning environments. The findings have shown that distributed narrative, intrinsically integrated fantasies, empathetic characters and virtual agents, and adaptiveness or responsivity are four characteristics of game narratives found to be effective. Several learning game analyses were performed to illustrate how these games used narrative to foster greater immersion, engagement, motivation, and learning. Finally, a narrative design strategy for serious games is suggested which integrates the effective narrative features as shown in the example games, along with two analysis frameworks, Game Discourse Analysis and Narrative Centered Informant Design. The findings of this study should provide much-needed insights to designers and researchers who are involved in creating immersive learning environments.
Article
As cyber threats continue to grow at an exponential rate, the need for training in information security awareness spreads far beyond the Information Technology college curriculum. Information Security proliferates into various domains of knowledge and becomes more context-aware. Consequently, the training in information awareness at a college level must cater more specifically to students' practices. This paper presents the results of the Information Security survey conducted among students of the College of Business and Economics at California State University, Los Angeles in spring 2011. The survey revealed several characteristics of students' practices and their awareness of risks and countermeasures related to computer skills, mobile computing, loss and encryption of data, online social networking, awareness training, correlation between practice and awareness, and others. The survey also revealed that the major problem with security awareness is not due to a lack of security knowledge, but in the way the students apply that knowledge in real-world situations. Simply, the compliance with information security awareness is lower than the understanding of it. The findings discussed in this paper are provided to assist colleges in designing curriculum that includes more context-based Information Security training.
Arriaga, P., Esteves, F., & Fernandes, S. (2013). Playing for better or for worse? Health and social outcomes with electronic gaming. In M. M. Cruz-Cunha, I. M. Miranda, & P. Gonçalves (Eds.), Handbook of research on ICTs for human-centered healthcare and social care services (pp. 48–69). IGI Global.
Bernardes, O., Amorim, V., & Moreira, A. C. (Eds.). (2022). Handbook of Research on Cross-Disciplinary Uses of Gamification in Organizations. IGI Global.