The need for game-based learning methods to address cyber threats

Abstract

Cyber security threats are increasingly a serious concern to organisations, with an annual worldwide cost of a trillion dollars in 2021. Potentially the most significant contributor to cyber security threats is the human element, yet this has typically been insufficiently addressed in proposed solutions. Significant resources have been allocated to software, training and other solutions designed to tackle this threat, yet existing methods to improve cyber security have failed to deliver the desired results. Commonly cited issues include the lack of engagement in training, leading to disinterest and a ‘one size fits all’ approach, meaning some groups benefit from training more than others. This study will examine the need for game-based training methods in addressing cyber security threats caused by human error. Game-based training methods have previously been proposed to improve engagement in training and this study will discuss other potential benefits of game-based training. The aim of this work is to justify the use of game-based training methods in cyber security and begin to determine which aspects of games may be most effective at causing long-term positive behaviour change. Following an extensive literature review, a pilot study was run in which a survey was presented to 37 individuals who have taken cyber security training in the past, to query opinions and perceptions regarding cyber security training participants had previously taken, and how they feel they would behave when faced with certain cyber security threats. Upon analysis in SPSS, the results of this work indicate that factors such as training frequency and exposure to cyber security attacks have a significant impact on cyber security behaviour. A correlation between engaging training and impact of training on behaviour also serves to justify the development of such training methods. When combined with previous results on cyber security training this highlights the need for training to be engaging, regular, and relevant, and shows that the realistic simulation of cyber security threats (such as in game-based training) is of significant benefit. These results will help inform future development of effective game-based training methods and encourage their use more widely.