
Password security and game-based learning

Project title Password security and game-based learning
Project type Applied research and development
Frascati Yes
Theme Business | IT | Communication | Technology
Teaser Awareness training using a purpose-built game is used to compare differences in intended and actual password behaviour of employees in the financial sector.
Status Completed
Owner
- Academy IBA Erhvervsakademi Kolding
- Contact person Laila Nadine Villadsen Kjær
Assistant Professor
lnvk@iba.dk
72118200
Nat./Int. National
Project period 1 March 2021 - 31 May 2022
Project description
- Project summary

Focusing on financial sector employees in Denmark, the study explores differences in password creation behaviour and the effect of serious game-based learning. The game, an interactive digital user interface, is custom designed using social design to address previous gaps in research around three areas highlighted in an initial study, namely shared responsibility, consideration of future consequence, and assisting memory. Conclusions are drawn on differences between intended and actual behaviour, and on whether password behaviour becomes more secure after the digital interface interaction, resulting in specific practical recommendations for organisations to include in their IT security policies.

- Background and purpose

Previous studies are based on data collected in countries with cultures and IT infrastructure distinctly different from Denmark's (Thailand, UK, and Africa), with respondents primarily university students. This study collects data in Denmark using an insurance company as a case study. The data collection focuses on the sector most vulnerable to cyber-attack, the financial sector, within an organisational setting, thereby creating new knowledge in the areas of country, sector, and organisational setting. Furthermore, the custom-built interactive game includes data collection that, when compared to the pre and post self-reporting surveys, will provide a measurement of differences between self-reported and actual, in-game, behaviour. In addition, the digital user interface is custom designed and based on previous research, addressing three areas recommended by the initial study (see section 9.0 “Activities and actions in the project” below): shared responsibility, consideration of future consequence (CFC) and assisting memory. Finally, the digital user interface, being purpose built, addresses a gap in serious game design research in this area, which has not addressed how to create secure passwords and why it is important to do so.

- Activities and action

Initial study:

  • PASSWORD BEHAVIOUR: Still a threat to cyber security. A study of future financial sector employee’s password behaviour. Gabrielsen L., IBA, available on EAViden

Development of online game:

  • Multimedia student theme project development and implementation.
  • Testing student project outcomes on finance students and academia.
  • Combination of voted student projects into final training game.

Case study data collection:

  • Pre implementation questionnaire benchmark measure.
  • Implementation of interactive digital user interface.
  • Post implementation questionnaire effect measure.
- Project method

The study makes use of contextual effect evaluation using a semi-controlled experiment by means of a quasi-experimental design. According to Arend et al. (2002), self-reported measures are a unique predictor of cybersecurity-behaviour intention and are significantly correlated to strengthening passwords; any resulting change in condition can lead to the conclusion that the game intervention is the cause of the change in behaviour (Arend et al. 2020, Burch and Heinrich 2016).

Prior to the serious game intervention, and to address the reliability of the measured post-intervention effect, an attribution analysis is carried out via a questionnaire used for pre- and post-intervention testing, with the intention of capturing the extent to which the observed results are owed to the role played by the intervention, as suggested by Krogstrup (2016).

The quasi-experiment is conducted via a user-focused, custom-built training game that focuses on increasing awareness of why and how password security is necessary. The specific intention is to capture actual behaviours toward password creation, compared to actual behaviours from the pre-experiment, self-reporting questionnaire. A post-intervention, self-reporting questionnaire measures consciousness and change, if any, in behaviour. The purpose-built training features concentrate on assisting memory, increasing consideration of future consequence, and increasing a sense of shared responsibility.

The objective is to observe how employees within the financial sector act within their daily workplace context. This quasi-experimental study is based on a single non-comparative open case field study following the case observations, with the single case focus demonstrating results of what is possible rather than what is typical (Yin 1989).

The theoretical grounding for the study of respondent behaviour is based on Consideration of Future Consequences (CFC) (Strathman et al. 1994), the decision-making trade-off of security versus ease of memory (Qureshi, Younus, and Khan 2009), Kahneman’s (2011) systematical thinking, and Sense of Agency (Di Costa 2017, Di Costa et al. 2018, Goldberg 2018).

The theoretical grounding for password creation and use spans 3 decades and forms the basis for the policy framework (Yan et al. 2000, Sotirakopoulos 2011).

Finally, serious game research includes, amongst others, Jayakrishnan et al. 2020, Furnell et al. 2018, Bada, Sasse, and Nurse 2019, and Tschakert and Ngamsuriyaroj 2019.

Data collection was conducted in three phases.

The study is a case study of a Danish insurance company. Data was collected from a population size of 62 employees with a 66% response rate to phase 1. 17/62 respondents completed phase 2 and 46% of the population completed phase 3, 66% of whom had completed phase 2.

Phase 1: Pre-intervention, self-reporting, baseline questionnaire

The questionnaire consisted of 18 questions. The first three determine gender, financial sector experience and current department, with the purpose of strengthening the validity of representativeness of results by ensuring a broad range across the various functions of a financial sector company. Subsequent questions focused on password behaviour and included: number of private passwords; whether the same passwords are used for private and work purposes; when a private or work password was last changed; when the password(s) used for authentication access at the company was last changed; reason for changing passwords; length and characters used when creating passwords for private use or for authentication access at the company; preferred method when using the company’s 2F verification system; and finally, as employees can choose to have the 2F verification sent to their private mobile phone, whether their mobile phone is password protected and the digits and information used when creating memorable passwords.

Phase 2: Game intervention

Phase 2 of the data collection was designed around a user-focused, interactive, visually appealing user interface intended to appear motivating. In previous studies this approach has shown good results in raising awareness of, and changing behaviour toward, password creation and use (Jayakrishnan et al. 2020).

Phase 3: Post-intervention, self-reporting, effect measurement questionnaire

The post-intervention, self-reporting, effect measurement questionnaire directly mirrors the pre-intervention questionnaire. The questionnaire was sent to respondents via the same channel and in the same manner as the pre-intervention questionnaire.

- Expected project results
- Expected project effect
Tags
Participants
- Students IBA Erhvervsakademi Kolding
  • - AP Graduate in Multimedia Design and Communication, Kolding (96)
  • - Financial Management (Finansøkonom), Kolding (10)
- Staff IBA Erhvervsakademi Kolding
Lucy Caroline Gabrielsen
- Company representatives
- Others
Partners Søren Ø. Knudsen, Director, Elbek & Vejrup A/S | Michael Gabrielsen, Chief Compliance Officer, ETU Forsikring
Funding
Result

Consideration of future consequences is higher in a company context compared to a private context, and ease of access is considered more important when it comes to accessing private systems than when accessing company systems. These findings suggest a feeling of shared responsibility.

Financial sector employees create long (16+ characters) and complex passwords when only presented with a minimum length requirement. A little over half use special characters when length of password is the only explicit requirement; however, as additional demands for password complexity are increased, password length is reduced.

Users are not necessarily conscious that they meet requirements of password length and complexity in the password creation process when confronted with additional requirements. This suggests that organisations should make a more conscious effort in finding methods to assist memory. Complexity requirements limit consideration of future consequence and shared responsibility as individuals make more conscious effortful decisions, requiring organisations to increase memory assistance methods.

The interactive game developed for the purpose of the study helped highlight problem areas but had little to no measurable effect on the employees’ password creation behaviour. Overall, the findings of the study suggest that, when compared to existing traditional one-way teaching methods, the use of game-based learning is not a particularly motivating method for employees within the financial sector.

 Password security and game-based learning

  • Main paper
  • Presentation – Forskningens Døgn 22-29 april 2022
  • Video animation – made by MMD student assistant.
  • Paper – for participating company.
  • Projects – for student lessons

Student involvement

  • Infographic – made by Multimedia Design student assistant, targeted to students interested in the subject area as part of their own research.
  • Presentation – for use as best practice for future adjunct wanting to actively involve students in research projects.
  • The interactive digital user interface developed for the collection of data.
Evaluation
Form of dissemination
- Dissemination of results

Spring 2022
• EAviden.dk
• Forskningens Døgn 22-29 april 2022
• Final report to case company.
• LinkedIn and Academia.edu.

Autumn 2022
• Use in classroom context

- Value of the results
- Target group
- Publications Report
Report