9.2 Revisiting the Problem Statement

Initial research by the author found that most users accessing social networking sites do not adhere to security best practices (Anthonysamy, Greenwood & Rashid 2013). Data collected during preliminary research suggested that a high number of social networking site users unknowingly leak personal information because they do not know how to use privacy controls correctly (Erlandsson, Boldt & Johnson 2012). Sadeghian, Zamani and Shanmugam (2013) also identified additional threats, which include but are not limited to spam, phishing, malicious shortened uniform resource locators (URLs) and fake users.

Uninformed users might not even realise this is a threat, and therefore they might not consider information security important. Information security does not form part of these users’ reality, resulting in behaviours which could be detrimental to their online safety.

Subsequently, further background information on the current state of cybercrime was obtained through a literature study to support the findings of the initial research (Section 2.3). This identified the need to address threats originating from the Internet that target these uninformed users, whom we can refer to as ‘information security novices’, through the development of an information security awareness program.

An understanding of information security awareness programs was achieved by conducting a literature study to formulate the steps required to design, develop, implement and evaluate the effectiveness of an information security awareness program required for this study (Chapter 3).

As a result, the topics affecting information security novices were determined with research conducted on users at Internet Cafés in rural areas in Tshwane (Gauteng, South Africa). Users at Internet Cafés use computers to access resources on the Internet, which include but are not limited to social networking sites, email and content (Section 5.2.1).

Following the identification of the relevant topics (Section 5.2.3), the design and development of the delivery mechanism had to be completed. Many information security awareness delivery mechanisms exist, including posters, email messages and presentations. The use of games to transfer knowledge to users has been observed in many research fields. For example, Lenoir (2003) described the development of games to train military personnel in the United States (US) military. The game “America’s Army: Operations” was developed to identify potential military recruits (Zyda, Mayberry, Wardynski, Shilling & Davis 2003), while flight simulators were developed to train pilots in a simulated environment (Bell & Waag 1998). In the medical field, computer games were also developed to reduce errors during surgeries (Graafland, Schraagen & Schijven 2012).

Many computer games have been developed to be played on several platforms which include personal computers, laptops, mobile devices and the Internet. The use of social networking sites within the Internet domain was selected due to the high adoption rates by users. Several sites provide mechanisms to deploy custom developed applications. The high use of social networking sites together with the development tools provided by these sites resulted in the creation of applications within these platforms (Hui, Lin & Li 2013).

These applications focus on a wide variety of ideas, which include but are not limited to entertainment and education. For example, IgnitePlay (2011) was developed to promote healthy living with the use of gamification, in other words gaining points by performing desired actions (Yohannis, Prabowo & Waworuntu 2014). Another social networking game, developed by Corcoba and Munoz (2013), focuses on changing bad driving behaviour. Both these games demonstrate the use of games to change behaviour. Information security awareness also focuses on the adaptation of user behaviour. Consequently, the objective of the social networking game would be designed around the theme of information security awareness. A literature study was conducted on the design of a game to deliver the selected information security awareness content through social networking sites.

Thereafter, the social networking site game was developed and deployed. The game formed part of the information security awareness program, which also included the development of training material covering the identified topics. Questionnaires were also designed and developed as a qualitative research tool to provide a dataset to determine the effectiveness of the information security awareness program.

In brief, the effectiveness of the information security awareness program could be determined by the data collected during the implementation phase. The data collection process entailed: a pre-assessment using questionnaires to determine the initial information security awareness levels of the participants; presentation of training material which focused on the identified information security topics, followed by an interim assessment; playing online games on the information security topics, followed by a final assessment after the game play. The data sets were compared to determine if game play could be used to enhance learning of the content of information security awareness programs.

To summarise, the focus of this dissertation was to determine the effectiveness of gaming within an information security awareness program. Numerous information security awareness frameworks exist within the information security awareness domain; therefore, the selection of the most appropriate framework for the intended audience is critical. Next, an understanding of the life cycle of the selected framework was required to allow customisation and effective implementation. Information security awareness programs can be delivered to the target audience using various mechanisms; therefore, the need arose to determine the effectiveness of gaming components as part of an information security awareness program.

This dissertation aimed to answer the following questions:

What is the current security knowledge of information security novices?

An information security awareness program can only be implemented where a need has been identified, otherwise the endeavour would be considered as wasteful expenditure.

Considering the number of security breaches disclosed and the end users who have fallen prey to cybercrime, the general security knowledge of end users is considered “unsatisfactory” (Section 1.1).

This was supported by research conducted in Section 5.3 on the threats originating from social networking sites, which highlighted the ignorance of end users who have not implemented privacy controls correctly.

What threat categories should be included in an information security awareness program for information security novices?

A wide variety of threat vectors exist which could be used for nefarious purposes. Many of these threats require the end user to perform an action before exploitation can occur. Also, many of these threats fall outside of the knowledge domain of the novice end user, as in the case of Denial of Service attacks and Zero Day attacks. End users, as discussed within the context of this dissertation, use computer resources on a daily basis to conduct activities. However, they do not consider the security concerns of using computers.

A literature study was conducted in Section 5.2.3 to identify which topics should be considered to protect end users. Subsequently, a list of information security awareness topics was identified. These in turn could be used to develop information security awareness material to educate the end user, resulting in the mitigation of threats.

How effective are lecture based information security awareness programs?

As part of the information security awareness program conducted within this study, one of the components was the use of in-person training, also known as lecture based training.

This occurred between the pre-assessment (PRE) and the post-assessment (P1). The topics identified in Section 5.4 formed the basis of the lecture. The results from the analysis of the collected data did not indicate that the lecture had a significant impact on the participants (Section 8.2.1). It should also be noted that lecture based training is considered one-directional communication, which transfers knowledge in one direction only and has limitations, as described in Section 7.3.3. For example, one-directional communication informs an audience but is not designed to promote understanding.

How is the effectiveness of an information security awareness program measured?

The effectiveness of information security awareness programs is measured through changes in behaviour. The observation of the participants’ behaviour before and after an information security awareness program is critical. Information security awareness metrics are useful to collect data from the environment. The testing of information security awareness levels can be achieved by deploying metrics that focus on the testing of knowledge, as in the case of questionnaires.

This dissertation has demonstrated the use of questionnaires to measure the information security awareness levels of the participants (Section 8.2). Due to time and funding constraints, this study was limited to questionnaires only; however, the effectiveness of future information security awareness programs can be increased by deploying additional metrics.

What components are found in an information security awareness program?

Several information security awareness frameworks exist for the standardisation and implementation of information security awareness programs (Chapter 3). It was noticed that all frameworks have a life cycle represented by phases, each of which needs to be completed before moving to the next phase. A needs assessment and topic identification were conducted in the design phase (Chapter 5). The development phase described the platform to be used to deliver the content to the target audience (Chapter 6). During the implementation phase, the information security awareness program was deployed to the target audience and data were collected from the participants (Chapter 7). The last phase analysed the data collected during the information security awareness program; the findings are subsequently to be used to improve the information security awareness program (Chapter 8).

It is imperative to consider the impact of the platforms used to deliver the content of the information security awareness program. The learning styles of the participants, the environment, costs and time are identified constraints that affect the implementation of an information security awareness program. These influence the impact the information security awareness program has on the participants, as seen in the effect of motivation.

How effective are games as a platform to deliver information security awareness?

The main focus of the dissertation was to determine the effectiveness of gaming components as part of an information security awareness program. The analysis of the data collected during the game play supported the notion that gaming does have a positive effect by increasing knowledge retention and learning (Chapter 8).

A holistic view of the collected data from the assessments indicated an event which affected the results. Upon investigation, the effect of intrinsic and extrinsic motivation was identified as the cause of the negative result. Subsequently, the impact of the game as part of the information security awareness program is inconclusive, as the last assessment results were skewed. Also, the data collected during the game play tracked individual performance, but this data cannot be linked to an individual’s assessment data, resulting in unreliable conclusions, as described in Section 8.3.