Choose your own training adventure: designing a gamified SETA artefact for improving information security and privacy through interactive storytelling

Abstract

ABSTRACT Online self-disclosure (OSD) on social networking sites can leave individuals and organisations vulnerable to security threats. Following a design science research (DSR) method, we created a gamified, “choose your own adventure” style security education, training, and awareness (SETA) artefact using two formats: text and visual. Both artefacts were designed to identify the security threats that trainees are most susceptible to, debrief them about the threat and its potential consequences, and facilitate behaviour change by letting trainees re-evaluate their decisions. Using a longitudinal randomised controlled experiment, we compared these two artefacts to no intervention and traditional security warning emails by assessing both instrumental (changes in attitudes, intentions, and OSD behaviour) and experiential (memorability and user experience) outcomes. Our survey of 1,718 employees showed that the text-based artefact was better at improving instrumental outcomes, and the visual-based artefact was better at improving experiential outcomes. This study provides a more granular understanding of the linkages between technology artefacts and human experiences through the application of design science thinking. The findings contribute to DSR by developing design principles, testable propositions, and realistic performance evaluation metrics for gamified SETA artefacts, and present practical recommendations for regulating employees’ information security and privacy behaviours inside and outside the workplace.