The Potential of Gaming to Ameliorate Human Factors in Information Security Compliance

David Thornton
DOI: 10.4018/978-1-7998-8390-6.ch004

Abstract

In this chapter, the author discusses the need for appropriate training to improve information security compliance and some of the human factors that lead to non-compliance. Following is a section on theories that attempt to model and predict compliance. The author discusses the use of serious games, games-based learning, and gamification as educational tools, and their strengths in providing some of the major training needs, including emotional engagement, intrinsic motivation, repetition, discussion, reflection, and self-efficacy. This is followed by a list of some prominent games and gamification tools in the field of information security. Finally, the author concludes with guidelines and considerations for information security professionals who may be considering the use of serious games and gamification to enhance their information security awareness training.

Introduction

Information security professionals are always trying to manage risk. The four phases of security risk management are deterrence, prevention, detection, and recovery (Warkentin & Willison, 2009). A thorough, readable information security policy (ISP) can serve as both prevention and deterrence, and should include the following items (Sommestad et al., 2014):

  • descriptions of acceptable use of resources

  • security responsibilities

  • consequences for violations of the policy

  • required training types appropriate to each employee

However, the presence of a well-written ISP alone is not sufficient to prevent and deter security breaches caused by employee non-compliance, especially if the policy is written in a “technocratic” style (Vance et al., 2012).

Kirlappos et al. (2013) warn against long lists of prohibited actions and advocate for a higher-level set of awareness principles to support personal agency. Further, D’Arcy et al. (2014) found that security-related stress (SRS) caused by complex, ambiguous, and overlong ISPs can foster non-compliant behavior. Such policies must be paired with effective, engaging training that not only seeks to mitigate threats but to build a broader safety culture (Fagade & Tryfonas, 2016). Although the costs of recovery can be much higher than prevention, 75% of security awareness professionals reported spending less than half their time on awareness (SANS, 2021). Further, most report that time, not budget, is the limiting factor. It can be difficult to convince administration to commit more personnel, because it is much harder to estimate what security breaches were prevented versus those that actually occurred. Even so, more action must be taken to improve information security compliance, because the losses associated with security breaches are not only monetary, but reputational as well (Safa & Ismail, 2013).


Background

Many scholars agree that the human element is the “weak link” in information security (Bulgurcu et al., 2010; Hu et al., 2012). According to the Verizon Data Breach Investigations Report, 85% of data breaches involved some form of human interaction, with the highest-ranking risks involving phishing and poor passwords (Verizon, 2021). IBM Security and the Ponemon Institute (2020) reported that 63% of security incidents in 2019 were related to negligence, which cost companies over $300,000.

Other human factors that lead to non-compliance include ignorance, apathy, mischief, and resistance (Safa et al., 2016; Siponen et al., 2010). Combating these factors can be challenging because information security program leads tend to have a more technical background, and often lack the soft skills needed to communicate effectively with users about human factor risks. The aforementioned human factors leave employees vulnerable to a wide array of attacks, including phishing and social engineering. Credential phishing via email was by far the most common social engineering attack type of 2021, according to Proofpoint (2021). Social engineering attacks are especially effective because they exploit the abiding human vulnerabilities referred to by Scholl (2018) as “social gateways”, including stress, helpfulness, and curiosity.

Key Terms in this Chapter

Big Five: A collection of personality traits in psychology. They include extraversion, agreeableness, openness, conscientiousness, and neuroticism.

Gamification: The use of game mechanics in a non-game context in order to motivate desired behavior.

Normative Belief: An individual's belief about what behavior is expected of them by other people within their group.

Self-Efficacy: An individual's belief that they are capable of attaining their desired goals.

Flow: An intense, ego-free, hyper-focused state of attention brought about by compelling activities at the appropriate challenge level.

Serious Game: A game whose primary purpose is not to entertain, but to impart knowledge or persuade.

Autonomy: The perception of self-governance.

Electroencephalography: The measurement of the brain's electrical activity, rendered as a visual display or graph.
