Open access peer-reviewed chapter

German SMEs and “Home Office”: Narrative-Driven Game-Based Awareness Raising with Long-Term Efficacy

Written By

Margit C. Scholl

Submitted: 29 August 2023 Reviewed: 06 September 2023 Published: 30 October 2023

DOI: 10.5772/intechopen.1003002

Abstract

The COVID-19 pandemic triggered a large, sustained shift to working from home. This sudden shift to a new environment rapidly increased the opportunities for cyberattacks on individuals. The employees of small- and medium-sized companies can be seen as a major new target for cyberattacks because cybercrime prevention is often neglected in home offices. Human beings are the current target of cyberattacks as well as the last line of defense, especially when technology fails. Awareness of cyber situations is an essential aspect of managing information security risks. Continuous information security awareness measures targeted to all employees are an existential necessity for companies if they are to develop their digitization successfully. The article illustrates a German project developing an overall scenario with a mix of measures for companies designed to raise such awareness. Analog and digital narrative serious games with interactive and discursive elements focused on the home office are described in detail as a part of the overall scenario. They must be carefully designed and used within a practice-oriented mix for the target groups, so that information security is made tangible and comprehensible. All materials will be made available for noncommercial use in German on the project website by September 2023.

Keywords

  • information security
  • data protection
  • cyberattacks
  • raising awareness
  • game-based learning
  • serious games
  • analog and digital storytelling
  • interactive and discursive settings
  • small and medium-sized enterprises
  • home office
  • working from home
  • cyber risks

1. Introduction

Cybersecurity Ventures predicts that by 2025, the global cost of cybercrime will be USD 10.5 trillion [1]. While we protect ourselves and our valuables in the analog world with various measures in response to very different risks, the same cannot be said of the digital world, where we are much more casual in how we deal with our personal data. Dukes explains that, beyond our current security culture, we need to establish both the use of technology and a new way of thinking about it in order to protect ourselves in an anonymous cyberspace in which data are transferred within seconds [2]. According to Sample, Loss, Justice et al., sales of Internet-enabled home electronics have increased, with a 2017 Gartner forecast of well over 20 billion Internet of Things (IoT) devices for 2020, allowing many home users to unknowingly become accomplices in cyberattacks [3]. In a survey on security concerns surrounding IoT devices, 99 percent of respondents expressed concerns about data security [4]. However, the chip shortage continues to slow the IoT market recovery, which is why the number of global IoT connections grew by just 8 percent in 2021 to “only” 12.2 billion active endpoints [5]. IoT devices such as thermostats, smart TVs, and household appliances offer attractive entry points for uninvited guests such as attackers. Most users (citizens) are unaware of the basic security settings on their wireless access point or of the firewall settings provided by their Internet service provider, and they do not know how to change these settings [3]. We must, therefore, all raise our awareness of the risky cyber situation and review and adapt our behavior. This paper seeks to help raise awareness of information security (IS) and data protection (DP) so as to contribute to an overall increase in security culture in Germany, with a special focus on employees in small and medium-sized enterprises (SMEs).

Owing to the COVID-19 pandemic, many companies suddenly had to allow employees to work from home (WFH) [6]. For example, prior to the COVID pandemic, approximately 29 percent of Americans were working from home, while that number had virtually doubled to approximately 60 percent by April 2020 [7]. The home office (HO) has become a very real experience for a large part of the population due to the pandemic: this is also the case in Germany, with lockdowns in business, society, and schools. Practice in Germany shows that the legal basis has not yet been properly prepared [8]. What is certain is that the number of home users and their devices has increased very rapidly, from desktop computers and laptops to tablets, smartphones, and IoT-connected devices, and that the age range of users has also widened from adults to children and seniors [9]. At the same time, the shift to remote IT solutions has opened up a plethora of opportunities for cyber incidents and attacks, with the “most popular” now appearing to be phishing schemes and ransomware attacks [10]. This reveals the need for greater cyber awareness and greater competence among the entire population, which also requires a rethink in politics [3]. Fadinger & Schymik examine the effects of HO/WFH: on the one hand, the risk of infection in German regions and, on the other, the output of the German economy [11]. They note that the infection rate has been well contained by HO/WFH and therefore recommend that working from home be maintained for as long as possible, so that those workers who cannot work from home can return to work while minimizing the risk of infection [11]. However, this only covers the safety aspect, and it is important to also consider the security side of the story: Fichtenkamm et al. even go so far as to say that “the COVID-19 crisis [has] triggered a cyber pandemic” [12].

The average cost of a data breach has risen to USD 4.24 million, yet many business owners still believe it is unlikely their organization will be targeted [12]. However, nowadays, it is no longer a question of IF a company will become a victim, but only WHEN [13]. Some organizations were well prepared for the COVID-19 pandemic and only had to expand their remote infrastructure, while others had to build digitization from scratch [7]. Because the move to digital was sudden, most businesses, especially small ones, have not had the time to adequately assess their cybersecurity (CS) requirements for HO/WFH [6]. The fact that employees access sensitive corporate data from external networks opens the door to many CS risks that can lead to data loss, data breaches, and, thus, enormous financial losses [6]. Accordingly, the number of security breaches and damage costs reached a record high in 2021, with an average cost per incident of USD 5.4 million in Canada [14]. Therefore, despite (technical) security measures and risk management guidelines, HO/WFH regulations and employee behavior are reported as important factors affecting CS [14]. The most recent Ponemon Institute survey shows that 71 percent of organizations are very concerned that remote workers put them at risk of data breaches and security vulnerabilities [9]. In addition to cybersecurity risks, data protection risks are also a general concern for members of the public, as their private information is often collected and used [9]. Thus, in general, the cybersecurity behavior of citizens must be made more coherent, which requires a rethink at the government [9] and business levels.

According to Machado & Gouveia, Google’s official blog reports that more than 240 million spam messages containing the word COVID in their text were sent daily and led users to the 42,000 websites created from early to late March 2020 to collect their data illegally [15]. Owing to a general lack of expertise among members of the public, this combined social engineering (SE) technique is successful in 80 percent of the scams used. According to experts, these attacks have occurred with great frequency in Latin American countries, especially in Brazil, which saw an increase of around 350 percent in the first quarter of 2020 [15]. The German economy is also affected by a wide range of attacks, and here, too, these are shifting into digital space, while analog forms of attack are decreasing [13]. In 2017, a total of 53 percent of the German companies surveyed were affected, and an additional 26 percent were probably affected; in 2021, the figures were 88 percent and 12 percent, respectively, and in 2022, 84 percent and 9 percent. At the top of the list of data thefts in German companies are communication data such as emails and customer data [13]. Forty-five percent of the companies surveyed by the German Bitkom e.V. in 2022 see cyberattacks as a threat to their existence, while a year earlier, it was only 9 percent [13]. In addition, critical infrastructures continue to be the focus of cyberattacks, and in 2022, the most common types of damage were password theft and phishing attacks [13]. An increase in ransomware attacks is seen as the top cyber threat over this year, 2023, with worrying trends such as “dual blackmail tactics” [16]. In 2022, every second German company was targeted by SE attacks, most commonly via telephone (38 percent) and email (34 percent) [13]. SE attempts are also reported in the private sphere (13 percent) and in professional networks (9 percent), followed by private social networks (5 percent), video conferences (4 percent), and trade fairs or events (3 percent) [13]. Hackers do not attack the systems first: in nine out of 10 attacks they start with the employees, because these represent the more lucrative end of the business to loot [17]. The attacks on the economy are becoming more professional; in other words, the share of organized crime has increased significantly in 2022 and stands at 51 percent [13].

The introduction shows that IS and DP must be given greater priority in the future, and this also applies to HO/WFH. The proportion of the total IT budget that companies invest in IT security is growing but averages only 9 percent across all the companies surveyed [13].

According to the German Chamber of Industry and Commerce (DIHK) survey on digitization, German companies have recognized the wide range of cyberattacks and taken technical precautions [18]. However, their awareness raising and training for managers and employees are weak [18]. This contradiction shows an evident lack of sustained implementation of awareness-raising measures in SMEs. Moreover, Proofpoint’s 2022 phishing situation report notes a general decline in security awareness, suggests pandemic fatigue with an impact on employees’ motivation and attention, and shows a lower priority of security awareness training in 2021 [19].

The research question of this article is as follows: How can we increase knowledge, raise information security awareness (ISA) and cybersecurity awareness (CSA) relating to HO/WFH, and adapt human behavior accordingly? Measures that have been tried and tested in practice must be taken into account. For example, Johansson et al. found that Chief Information Security Officers (CISOs) observed increased awareness among employees when microlearning with shorter topic modules was used [20].

This paper continues as follows: Section 2 summarizes the main findings from literature reviews. In the third section, our complex project is explained, briefly introducing the conceptual background and the story concept, describing preliminary versions of our learning scenarios relating to HO/WFH, and presenting in more detail the development of analog and digital serious games designed to raise awareness in German SMEs. Section 4 focuses on the discussion of the project’s results in light of the applied scientific literature, including current evaluation results of the learning scenarios, and the fifth section looks ahead to the next phases of the project. At the end, in Section 6, the contribution of this paper and avenues for future research are summarized.

2. Literature review about information security and data protection in home office

The COVID-19 pandemic has accelerated digitization in all countries. Škiljić assumes that CS is observed differently across European countries and gives Croatia as an example of a country that unfortunately remained completely silent on the CS threats caused by the pandemic: it simply left its companies to their own devices and also failed to warn individuals [10]. Nyikes sees it as the responsibility of the government and authorities to ensure the CS of Internet users by obliging information and communication technology (ICT) service providers to offer fundamentally secure services (possibly at an additional cost) [21]. The “security awareness and digital competence” of users are important, but according to [21], ICT must relieve users of security burdens and ensure IT security. Bispham et al. point out that while a focus on the threats or increasing security issues associated with HO/WFH is important, it is too narrow. In their opinion, further research is needed with selected case studies involving defined groups of people on the question of whether CS has changed from a barrier to an enabler for remote work [22]. According to Nyikes, the security measures can be divided into four different groups: first, physical (e.g., guarding the premises, visitor treatment, fire protection); second, administrative (e.g., risk analysis, regulation, and business documentation); third, personal protection (the selection of suitable people to trust, security awareness); and fourth, electronic IS (system monitoring, operation, transmission path protection, border protection) [21].

CS—as part of IS—is the backbone of successful digitization of society, and awareness of cyber situations is an essential aspect of managing them [23]. The research conducted by Andreasson et al. in Swedish authorities shows that at the beginning of the pandemic, employee communications focused more on first-order risks such as video conferencing and teleworking than on second-order risks such as billing fraud or SE; it points out that almost two-thirds of managing authorities have not implemented their CS policies but merely initiated or documented them [23]. The emergency situation caused by the COVID-19 pandemic has reorganized the working world and the educational and social realms; digital education and social communication on the Internet have increased significantly [21]. This increased and sudden use of the Internet has dramatically increased the vulnerability of users and systems [21]. There can be no doubt that there is a link between the COVID-19 pandemic and the increase in cyberattacks on vulnerable sectors, with healthcare organizations being one of the main victims of cyberattacks during the pandemic. This is also the new normal, with the expectation of HO/WFH being increasingly exploited [24].

De Kimpe et al. examine the perceptions of Internet users and show that they are more inclined to take protective measures when they believe that cybercrime poses a more critically serious risk (with a high level of perceived severity) [25]. Machado & Gouveia show that the increase in cybercrime particularly affects those whose expertise and technological knowledge are not in sync with the reality of this threat [15]. Recent research works with strategic game models to defend against Advanced Persistent Threats—here, the timing of the attack and defense movements plays a central role [26]. According to Sample et al., the labor shortage affects all areas of CS, is exacerbated by the growth of IoT, and underpins the need to bolster staff development initiatives to foster more awareness of CS and, more generally, of IS and DP [3]. However, CS also needs people with different perspectives, approaches, mindsets, and methods to solve current and emerging cyber challenges [3]. Sample & Justice further argue that academic silos of disciplines such as law, psychology, sociology, resilience, reliability, statistics, data science, international studies, and others are to be broken down and become increasingly intertwined with CS [27]. Cross-disciplinary team-building and exchange formats are therefore necessary.

Agrafiotis et al. argue that although extensive research has been done to understand the impact of cyber incidents, a model that can support analytics to detect, measure, predict, and prioritize cyber damage is lacking [28]. The cyberattack threat landscape is rapidly changing, and the potential impact of such attacks is uncertain due to the lack of effective metrics, tools, and frameworks to understand and assess the damage businesses are exposed to from cyberattacks [28]. As a result of extensive literature research, the authors create a taxonomy of the cyber damage to which companies are exposed [28]. This taxonomy encompasses five broad themes: physical or digital damage, economic damage, psychological harm, damage to reputation, and social and societal harm [28]. Since organizations lack sufficient models to assess the direct and indirect damage from cyberattacks, analytical tools such as taxonomies are necessary: these contribute to the discourse on the subject. Analysis of the case studies also shows that organizations are unaware of the harm suffered by consumers or their employees. Therefore, without a holistic understanding of all potential harms, it is impossible for organizations to prioritize controls to mitigate those harms [28].

The German IT-Grundschutz methodology, which is based on Standard 200-2 of the Federal Office for Information Security (BSI) for the development of security concepts within an information security management system (ISMS), proposes the following six typical damage scenarios to clarify the concrete situation of institutions, be they authorities or companies ([29], pp. 79, 126): violation of laws, regulations, or contracts; impairment of the right to informational self-determination; impairment of the physical integrity of a person; impairment of the ability to perform tasks; negative internal or external effects; financial consequences. The damage that could occur if confidentiality, integrity, or availability is lost for a particular (business) process or for an IT system or an application, including its data, can usually be assigned to these typical damage scenarios [29]. Frequently, a single instance of loss or damage may involve several damage scenarios: for example, failure of an application could prevent essential work from being performed, resulting in direct financial loss and, at the same time, in a loss of reputation ([29], p. 79). However, additional scenarios could also be considered to capture the specific situation ([29], p. 80).

2.1 Topic “home office”

HO/WFH is the generic term for the concepts of telework, alternating telework, and mobile work. There are differences in Germany—e.g., with regard to labor and data protection. The sudden urgency of digitization has been made apparent by the pandemic, and the inhibition threshold in the use of digital tools has decreased among users [30]. In terms of the proportion of people working from home, Germany was below the EU average before the COVID-19 pandemic and well behind other countries such as France, the United Kingdom, and the Scandinavian countries [31]. Only 12 percent of all dependent employees in Germany worked mainly or occasionally from home, although this would theoretically be possible for 40 percent of jobs [31]. In most cases, the desire to work from home is thwarted by employers; according to Brenke, if they were to rethink their position, the proportion of teleworkers could rise to over 30 percent—the gap between employees’ desire for HO/WFH and the opportunities offered by employers was greatest in the financial sector and in public administration [31]. Because of the pandemic, statistics clearly show how HO/WFH has changed the CS landscape for businesses and created new risks [6]. A survey of 3000 remote office workers and IT professionals in the United States, United Kingdom, France, and Germany showed that 77 percent of remote workers use unmanaged, insecure bring your own devices (BYOD) to access corporate networks and data [6]. Additionally, 29 percent of employees surveyed said they allowed other members of their household to use their company computers for activities such as schoolwork, gaming, and shopping [6].

In addition, HO/WFH has become a very real experience for a large part of the population and has also given rise to the idea of a legal entitlement to it. Practice shows, however, that the legal basis has not yet been properly prepared, even if the German Federal Ministry of Labor and Social Affairs (BMAS) is planning a legal right to HO/WFH [8]. The investigation by Barrein points out that a legal entitlement according to §8 TzBfG (law on part-time work and fixed-term employment contracts) proves to be only partially effective; instead, the legislature should promote regulations based on social partnership [8]. Antczak & Horzela point out that in Poland, too, the necessary legal and organizational solutions do not keep up with the speed and universality of the implementation of remote work and HO/WFH [32]. Irrespective of this legal problem and the various security problems, many authors assume that our way of working cannot be rolled back to the status quo before the pandemic. According to Borkovich & Skovira, the advantages of telework or HO/WFH include improved productivity and employee satisfaction, the reduction of unplanned absences, less time wasted, and a better work-life balance [33]. At the same time, employers can also benefit by, for example, saving on overhead costs, eliminating facilities and time zones, and reducing travel expenses [33]. However, the research of Borkovich & Skovira makes it clear that IT departments in general are overwhelmed by the task of controlling the ever-increasing email activities of employees. In addition, the corporate culture must be adapted, because there is a general lack of open communication and transparent cooperation as well as of constant feedback; they advocate six essential strategies to develop an inclusive HO/WFH corporate culture: control, collaboration, communication, cost, cloud, and culture [33].

According to Kellner et al., HO/WFH is rated more positively overall, with the advantages of flexibility of place and time, fewer interruptions, and increased concentration at work [30]. The merging of work and private life is mentioned as a disadvantage, as is a lack of contact, informal discussions, and spontaneity [30]. There is thus a growing need for a mixed form of office work and HO/WFH [30]. Using a survey module, Von Gaudecker et al. analyzed how working hours changed under the social distancing regulations enacted to combat the COVID-19 pandemic [34]. Examining the Netherlands as a prototypical Western European country, both in terms of its welfare system and its response to the pandemic, the authors show that the total number of hours is decreasing, especially among the self-employed and those with lower educational attainment [34]. An educational gap occurs because tertiary-educated workers work many more hours from home, the magnitude of this effect being tempered by the government’s definition of some workers as essential to the functioning of the economy [34]. Cross-industry studies show that there are two clusters: one is office-like occupations with a high proportion of academics and HO/WFH hours; in the other, manual tasks and social interactions predominate, with low proportions of academics and HO/WFH hours [34]. Brenke confirms that—and this was the case even before the pandemic—well-qualified, full-time employees are particularly interested in HO/WFH [31]. The basic motive is apparently the desire for more autonomy in terms of time and not just the compatibility of work and family, because singles want to work at home as often as single parents [31]. Teleworkers often have long working hours that are far above average and frequently do unpaid overtime; nevertheless, they are more satisfied with their work than other workers, especially those who would like to work from home but are not given the opportunity to do so [31]. Now that the pandemic has peaked, employees in the Netherlands expect these current patterns to continue [34]. They also expect a great deal from government support programs to help them keep their jobs—i.e., their expected response to unemployment is far lower than in the United States or United Kingdom [34]. This also makes the high demands on the welfare state clear, which is likely to be similar in Germany.

The results of [31, 34] are not surprising. Messenger & Gschwind remind us that as early as the 1970s and 1980s, Jack Nilles and Alvin Toffler predicted that the work of the future would be moved to or near the homes of employees using technology, a practice dubbed “telecommuting” [35]. This “new ICT,” including smartphones and tablet computers, has changed work and life in the 21st century, which have been revolutionized by the detachment of work from classic office spaces, whereby technological progress has continuously promoted the development of telework in different phases [35]. According to Messenger & Gschwind, today’s diverse, location-independent, technology-enabled new ways of working are all part of the same revolution in work-life interrelationships [35]. And the technological revolution is continuing. Owing to the ongoing pandemic and the associated increase of HO/WFH in Germany, the use of (several) messengers (“multi-homing”) has increased in addition to telephone and e-mail ([36], p. 66). In 2021, 73 percent of users in Germany practiced multi-homing, 83 percent used a messenger service at least weekly, and among the under-thirties, the figure was as high as 99 percent [36]. Apparently, messaging solutions are also enjoying increasing popularity in the federal administration environment and are used by many authorities [36]. However, when it comes to formal communication with companies, authorities, doctors, and other nonprivate addressees and organizations, many users stick to classic (mobile) telephony because of better accessibility ([37], p. 48).

Moreover, IoT comprises a wide range of different devices that receive and transmit data over a network without human intervention, thus connecting the digital world with our physical world [38]. In 2020, 11.7 billion connected IoT devices were actively used worldwide; by 2025, this number is expected to rise to over 30 billion, so that there will be an average of four smart devices for every person [38]. The demand for IoT consumer (IoTC) products is growing and presents manufacturers, brand owners, and retailers with new challenges in the area of CS, because from smart televisions to cameras and scales to children’s toys, every connected consumer product is a potential threat to data security and privacy, and manufacturers could be held accountable [38]. Back in December 2019, a hacker gained access to a surveillance camera and used it to harass an eight-year-old child [38]. The European Telecommunications Standards Institute (ETSI) standard EN 303 645 “Cyber Security for Consumer Internet of Things” has guided security efforts since 2020; the data protection provisions of the General Data Protection Regulation (GDPR) EU 2016/679 have applied since 2018; and the Radio Equipment Directive (RED) 2014/53/EU will require IT security for all IoT devices from August 2024 on [38]. The challenge is to find the balance between usability, functionality, and security when developing new consumer devices: a well-known example from the past is the doll “Cayla,” which was taken off the market by the German Federal Network Agency in 2017 [38].

According to Li et al., security education training and awareness (SETA) programs help organizations to mitigate security breaches caused by human error and to manage the security-related behavior of employees at work [9]. To do this, employees must be continuously made aware of IS and related policies and be able to apply them in their daily activities to prevent security incidents [9, 39]. Clear CS guidelines, effective training, and guidance from the organization result in a relatively high level of transparency regarding the responsibilities of employees [9]. Therefore, the cybersecurity behavior of citizens/employees is becoming a major concern in modern times, leading to an awareness of some unresearched challenges for individual CS behaviors [9]. The responsibility for protecting information and privacy security that individual users must bear is complicated [9]. This includes the perceived personal responsibility of users as well as the invisible responsibility of shared devices or networks in the home environment [9]. Thus, some users may be responsible for the CS of others at home and this may include children [9]. This feeds into the transparency of responsibility—i.e., the extent to which people understand the limits of their responsibility [9]. Responsibilities may lie on the software development side or with vendors, CS services, or users: the actors may believe that some CS operations were the responsibility of the other party, and no cybersecurity measures were taken, resulting in a vulnerable area in the home cybersecurity environment—accountability and accountability transparency have never been mentioned by individual users in previous studies, but they do impact CS behavior [9].

Furnell & Vasileiou also emphasize that CS is often seen as someone else’s problem, with the result that the very parties who should be involved in it instead distance themselves from it. For example, end users often seem to assume that their employer, ISP, or some other party takes care of their security needs [40]. In reality, they themselves as individuals play an important role because no matter what steps are taken elsewhere, there will be some threats that reach them directly [40]. So, individuals will find that they need to make security-related decisions, and they clearly need some level of awareness and understanding to do so [40]. On the other hand, companies may unrealistically assume that their employees should already have acquired general CS awareness elsewhere and feel that they do not have to take full responsibility [40]. One of the most important prerequisites is that the various stakeholders recognize and address their role [40]. In fact, a fundamental challenge is that we are not dealing with a situation that fits everyone—this has an impact on the target-group orientation of training and awareness-raising measures [40].

The cross-case analysis of Fallahdoust on HO/WFH offers three main results: (1) All cases show that almost no training material was produced due to the sudden shift to HO/WFH; (2) All cases indicated that they use streaming services on their work devices and felt the cyber risk to be low since they access their network through some form of authentication; (3) Lack of management involvement is highlighted as a major gap in fostering conversation and promoting safer CS behavior [14]. The following six-step method is proposed to design nudges [14]:

  • Define an undesired cybersecurity behavior by identifying risky behavior.

  • Identify and outline aspects of the choice environment—i.e., the context in which choices are made.

  • Select aspect(s) of the choice environment to target.

  • Propose an intervention to help channel undesired behavior into desired behavior.

  • Implement the designed solution, or nudge, with a small pilot group at the organization in order to measure its effectiveness; if successful, the solution is ready for mass implementation.

  • Maintain monitoring and adjust the nudge as behavior changes.

2.2 Topic “awareness raising”

Proofpoint’s survey in 2022 asks, “Which of the following topics does your security awareness training program cover?” [19]. In the category “Recommended practices for working from home,” Germany scored just 25 percent, performing worst among the surveyed European countries France, Spain, and Great Britain and coming in significantly below the global average of 37 percent ([19], p. 48). This is consistent with the finding above that almost no training material was produced after the sudden shift to HO/WFH. Brown sees the need for a move toward more widespread HO/WFH and increased acceptance of it but warns of the dangers to business processes, personal data, and critical infrastructures resulting from a lack of security of private networks and systems: “No one wants to be hacked. However, many people do not even know when they will be hacked or how to protect themselves” [41].

In 2017, almost half of European Internet users considered themselves well informed about cybercrime [42]. Further research by Vogels & Anderson has found that actual digital knowledge is limited in the general population, and levels of knowledge vary by educational level and age [43]. The representative survey of 967 respondents by De Kimpe et al. on perceived knowledge also revealed the following paradox: people who believe they are well informed enough about online risks see no need to take further measures against cybercrime, as they feel less vulnerable online, while acknowledging the overall seriousness of cybercrime and feeling empowered to take the right security measures [25]. Future cybercrime campaigns and awareness-raising interventions should, therefore, carefully adjust their communication and explicitly emphasize that any Internet user can become a victim of cybercrime [25]. It is recommended that future interventions include providing vivid, relatable, relevant messages as a form of indirect experience of cybercrime that could highlight the personal vulnerability of each Internet user (see also [44]). The emphasis on personal responsibility combined with the provision of vicarious experiences of online protection appears to have a positive impact on protection motivation if the message is tailored to the level of knowledge of the individual [25, 45].

The literature review by Aldawood & Skinner examined popular awareness-training solutions and techniques used by organizations to defend against and mitigate CS social engineering threats. Recent training methods identified in this study include serious games, gamification, virtual labs, tournaments, simulations, and the use of other modern applications [46]. Up-to-date awareness programs that educate people about SE threats, including video streaming, compliance, topical training, awareness campaigns, and conferences, are used [46]. Training methods have changed over the years, with organizations using virtual and real scenarios and competitions to learn about social engineering threats and strategies to mitigate them [46]. The communication of real scenarios in working environments is becoming increasingly important; serious games and simulations are the most effective solutions against SE threats because in both cases real experiences with SE threat scenarios are used to raise awareness. Gamification, virtual labs, and tournaments also include similar physical and mental solutions [46]. However, it is currently unclear how gamification affects creativity vis-à-vis other forms of incentives [47]. For Aldawood & Skinner, the best solutions also include video tutorials on threats and mitigation methods, awareness conferences, training campaigns, and security reports—it seems to be a recipe for success [46].

When it comes to information security awareness training (ISAT), there is no doubt that merely imparting knowledge does not lead to the necessary awareness, appropriate risk assessment, or sustainable behavioral change in the area of IS and CS [48]. In addition, the key message that changing the behavior of employees cannot be achieved simply by imparting knowledge but must be accompanied by further measures has not yet got through to management, CISOs, and other C-level executives [48]. Moreover, the major problem with ISA is not a lack of security knowledge but the way that knowledge is applied in real-world situations [49]. According to Cialdini, those involved should be honestly informed about the damage caused by even a modicum of undesirable behavior [50].

Further research is needed to determine the extent to which emphasizing personal vulnerability would have a positive impact on user protection motivation and behavior [25]. Fear is not a good guide. Indeed, simply eliciting fear without incorporating actionable and effective recommendations stimulates fear control, leading to defense mechanisms to reduce fear rather than engaging in protective behaviors that would reduce threat [51]. A very interesting aspect, which is beyond the scope of this publication, is the extent to which the victim of a cybercrime act can themselves be held guilty. According to Machado & Gouveia, it is obvious that in most cases of cybercrime, the victim bears some complicity because individual careless behavior when using the Internet is a gift for cybercriminals [15]. For example, in Brazilian criminal law, the behavior of the victim is taken into account when determining the penalty handed down to the offender, and if the victim is solely at fault, no penalty is imposed and the offender is released [15]. But such purely legal aspects go beyond this paper.

Borg & Unit stress that the current formalization of (university) CS training risks actively preventing people from developing many of the skills and abilities that are most needed [52]. According to [52], too much focus is placed on the narrow technical part of the CS risk assessment, and both consequences and threats as well as economic viability are ignored. It is necessary, instead, to do things that increase the costs for the attackers, and you also need people who can think things through over and over again and move between disciplines so casually that they hardly notice it [52]. Li et al. currently regard people’s CS behavior as an important concern—another subject for future research [9]. Chaudhary et al. argue that CSA is not only about knowledge but also about putting what you have learned into practice. It is an ongoing process that needs to be adjusted in subsequent iterations to improve its usability and sustainability [53]. This is only possible if a CSA program is reviewed and evaluated in a timely manner. Reviewing and evaluating an awareness program provides insight into the program’s effectiveness on audiences and the organization, invaluable information for continuous improvement of the program; in addition, it provides the information that management and sponsors need to decide whether or not to invest in the program [53]. Despite these benefits, there is no common understanding of what factors to measure and how to measure them during the assessment process [53]. The authors adapted the European Literacy Policy Network’s four indicators (impact, sustainability/long-term efficacy, accessibility, and monitoring) for awareness assessment to make them suitable for assessing a CSA program [53].

Through literature research, Chaudhary et al. summarize the following factors of a training program for evaluation: behavior, attitude, knowledge, interest (by audience/organizer/management), reachability (accessibility of awareness materials), touchability (self-motivated actions), value-added (nonfinancial/financial benefit), usability (relevant topics, delivery, practice, user confidence and satisfaction, usefulness of the awareness program) and the overall feedback [53]. Among all the factors measured, behavior, attitude, and knowledge are the most popular in literature; similarly, methods of measuring these factors can be broken down into survey, test, passive data, face-to-face interaction, and observation, with survey and passive data being the most popular [53]. Wang et al. are conducting a quantitative analysis of UK companies to examine the key elements contributing to SETA implementation [54]. Their results show that the awareness of the company management has the greatest influence on decision-making with regard to SETA implementation [54]. Moreover, most organizations generally lack awareness of CS protections for employees using externally hosted web services and products and services dependent on online services [54]. In addition, business leaders generally tend to minimize their budgets [54]. Ghafir et al. pointed out that the lack of corporate training budgets negatively influences employee awareness training [55].


3. The project’s goal and serious games

The information and experience compiled in our current complex project with pilot companies should enable the management, acting together with CISOs, to initiate training and further educational measures tailored to the needs of the specific working groups. In study 1, interviews were carried out to ascertain the main IS/CS issues of interest to the companies [56, 57]. An online survey was also conducted and evaluated as report 1, allowing security profiles to be developed [58]. The results provided the basis on which to build an innovative overall scenario for IS/CS in SMEs and develop seven analog and seven digital serious games as well as seven on-site learning attacks geared to the main topics in order to raise awareness. ISA/CSA in the organizational context can be defined as the extent to which staff understand the importance of IS/CS, the level of security required by the organization, and their individual security responsibilities [59]. It is important to arouse positive emotions in employees when raising their ISA—this can be done by integrating emotional design into awareness-raising measures [60]. Our project is named “Awareness Lab SME (ALARM) Information Security” and is funded by the German Federal Ministry for Economic Affairs and Climate Action (BMWK). It runs from October 1, 2020, to September 30, 2023. The BMWK only allows learning scenarios for German SMEs to be developed in German: the final versions can be used free of charge by all organizations for internal, noncommercial purposes and will be available from the project website in September 2023 [61]. The overall approach of the project is summarized in [62].

The IS topics relevant to SMEs emerged from the first study of our project for the analysis of the current situation, which is based on in-depth psychological interviews with four pilot SMEs. The topics formed the basis of the development of both the analog and digital game-based learning scenarios and the on-site attacks. Their working titles were [56, 57]:

  1. Password security.

  2. Phishing, CEO fraud & co.

  3. Social Engineering, manipulation & co.

  4. Apps, software & co.

  5. Safe & secure in the home office.

  6. Data protection in the cloud and data protection in the context of customers and suppliers.

  7. Messenger, secure transmission, storage, encryption & co.

  8. Information classification.

3.1 Analog games

The project’s subcontractor, “known_sense,” has been committed to lively communication on the subject of security and effective awareness raising since 2002 and has extensive experience in the conception and development of analog serious security games. The firm known_sense began collecting ideas at the end of 2020, aware of the risks that were being amplified by the pandemic, especially in the home office. However, as the first project task, in-depth psychological interviews on the current situation of German medium-sized companies had to be carried out in order to obtain a solid impact study of the initial situation [56, 57].

Based on these findings on relevant IS topics, the subcontractor, together with the project team from known_sense, defined seven game-based, analog learning scenarios that are to be designed, developed, visualized, and produced during the project period until September 2023. Based on our shared experiences from past projects, we have planned three iterations for each analog learning scenario:

  • First, the subcontractor proposes a learning scenario on the defined topic, which is optimized together with the university’s project team.

  • The learning scenario is then tested by the project’s pilot companies and further improved based on their feedback.

  • As the third iteration, the improved learning scenario is tested with external SMEs from the customer environment and at public events. Based on these experiences, the final version of the learning scenario is developed and produced.

The tests to be carried out in three iterations per analog game with participants present make it clear whether the complexity of the topic should be reduced, the attractiveness of the game can be improved, and the design needs to be optimized for an emotional game design. The prefinal titles of the seven analog learning scenarios (LS) are [63]:

LS 1: Living safely and working securely from home (home office).

LS 2: Password protection and multi-factor authentication.

LS 3: The five phases of CEO fraud.

LS 4: Mobile communication, apps & co.

LS 5: Cyber Pairs (social engineering methods).

LS 6: Data and information protection.

LS 7: Information classes roulette.

Two of the seven analog learning scenarios are presented in this publication: namely, “Living safely and working securely from home” (LS 1) and “Mobile communication, apps & co.” (LS 4). The analog serious games are designed as assignment games for the topics defined by the pilot SMEs in study 1 [56, 57], so that a moderator can easily get into conversation with the participants and the participants with each other, giving them a chance to contribute their experience. Characteristics of each of our analog learning scenarios are:

  • Tests in three iterations per game within the project

  • Play time reducible to 15 min.: approx. 3–5 min. start (“pick up”), approx. 8–5 min. play (“active doing”), approx. 4–5 min. end (“mnemonics/golden rules”)

  • Various tests in practice with different target groups outside of the project’s participants

  • Users’ feedback used for continuous improvement

Figure 1 shows some pictures of the use of such games with interesting comments from analog awareness training. Such tests, to be carried out with attending participants in three iterations per game, are used both to simplify the complexity of the topics while maintaining the attractiveness of the game and to optimize the emotional game design. The response has been very positive so far, not only from tests with the pilot companies but also at public events. Improving the detailed preparation of the feedback is an ongoing process in the project.

Figure 1.

Some comments in training with four analog serious games to raise awareness of information security for the topics home office, CEO fraud, mobile communication, and cyber pairs.

3.1.1 The analog game “living safely and working securely from home”

This game on the subject of HO/WFH consists of a plastic board, foil, or plot with an original size of 168 cm × 118 cm, showing a large family house set up as a learning scenario (see Figure 2). The board should be laid out on a correspondingly large table. This playing area is also available as a poster on a pinboard. A moderator briefly introduces themself and the topic of this learning station. They ask the participants about their experiences, problems, and solutions in the home office or with smart IoT applications and let the participants briefly talk about these issues. The moderator then briefly explains the course of the game. This introductory phase should last a maximum of 5 minutes.

Figure 2.

Large board as lively picture (hidden-object puzzle) and playing area for the analog serious game “living safely and working securely from home,” prefinal version 2022.

A total of 17 aspects, numbered from 1 to 17 on the board, need to be dealt with by the players in the prefinal version of the game. There are orange risk cards in DIN B7 size on which the various security risks that can be encountered in the home environment are described in two to three sentences. In the first phase of the game, these risk cards are distributed to the participants by the moderator; they read out the risks, and together, they try to find the situation on the board and place the card accordingly. In the second phase of the game, green defense cards are distributed, which represent protective measures and, thus, solutions for the risks shown on the risk cards. The green defense cards are also to be placed on the board. The moderator can use a stopwatch. Both phases of the game should only last 2.5 to 3 minutes. For larger groups of participants, it can be useful to have participants act together as pairs.

The final phase is followed by a debriefing of 4 to 5 minutes in which incorrect assignments or unresolved questions are clarified. If the learning scenario is used in a competition with several teams of participants, the moderator awards points to each team for the correct allocation of the cards and takes all the cards off the board before the next team arrives. Briefings (instructions, solution sheets, and golden rules) are available for the moderator. We recommend having teams of up to 12 people, so—in a circle training with four different analog learning scenarios—48 people would tackle four topics in 1 hour.

An example of an orange-colored “risk card” (prefinal version) is shown in Table 1. In the first phase of the serious game, this card should be matched to the correct number (#16) on the board shown in Figure 2. The situation depicted gives outsiders insight into the private sphere of employees. Unless work and home are separated, my private life is exposed to all the participants in a video conference; at larger conferences, it is also easy to lose track of who is attending and what will happen to the information about me and my private life. The prefinal version of the learning scenario recommends as a security measure (green card, not shown) that the backgrounds for video conferences be adjusted and that very private things be placed out of the webcam’s field of view, especially if the participants are unknown. A test run with the camera should also be carried out (privately) before such a conference.

Table 1.

Example of an orange-colored risk card to be matched to the correct number on the board in Figure 2 as the first phase in playing the learning scenario as serious game (German left, English translation right).

The green protection card Q, shown in Table 2, should be assigned to the situation with the number 17 on the board (see Figure 2). It recommends only exchanging sensitive information via a virtual private network (VPN) to be provided by the employer. In order to guarantee the necessary transmission speed, the video function should be switched off if necessary. It is also noted on the protection card that the expertise of the company’s IT administrator should be included to help secure conferencing platforms and establish stable connections. The risk card laid out beforehand makes it clear that if processing, conversations, or video conferences in which sensitive data is exchanged take place without a VPN (because of the supposedly slower transmission speed), attackers can eavesdrop and read the data.

Table 2.

Example of a green-colored “protection card” (prefinal version) to be matched to the correct number (#17) on the board shown in Figure 2 as the second phase in playing the serious game (German left, English translation right).

Figure 3 clarifies the specific game situation with the assignment of the cards by the participating players. The moderator is given a summary showing the correct assignment of the orange and green cards, so that they can quickly correct the participants’ solutions as part of the game or in a follow-up session (not shown). During the debriefing, which is the third phase of the serious game, the participants should be given so-called “golden rules” orally or by printout. These rules underline that the separation of private life and working life makes both areas safer and more secure. Specifically, the following advice can be given:

  • The same security requirements apply in the home office as in the workplace.

  • Working from home should only be done with the tools provided or approved by the company.

  • No processing of company-internal or (strictly) confidential information takes place in the private IT environment (personal PC, hard drive, etc.).

  • Only the information and documents that are really needed and are explicitly allowed should be taken home.

  • It is best to lock documents away because the same applies in the private sphere: all sensitive data must be kept safe not only from children but also from visitors and, if applicable, domestic staff.

  • Protect computers from outside eyes and always lock them when leaving the workplace.

  • Always think of potential viewers and listeners: it is sometimes pleasant to work on your own terrace or at the open window, but this is usually not very discreet.

  • In the event of a security incident, company-defined reporting methods must be used.

  • In addition, the private infrastructure must always be kept up-to-date—routers, virus protection, firewalls, and all smart devices must be provided with their own passwords and updates.

Figure 3.

Game situation with the assignment of cards to the scenarios presented on the analog board shown in Figure 2.

3.1.2 The analog game “mobile communication, apps & co.”

Mobile communication using apps is also closely linked to HO/WFH. Since work today is often hybrid, mobile communication, apps, and software are still important topics in SMEs (see study 1 [56, 57]). The corresponding analog learning scenario is actually very similar to the home office scenario explained above (see Figures 2 and 4): it also makes use of a large board as a kind of “hidden-object puzzle” with orange risk cards and green protection cards. This type of puzzle—i.e., a picture showing a busy scene—is always useful when the IS topic under consideration applies to different contexts. The participants can very quickly immerse themselves in the scenes shown as a picture story. Here, in the analog game “Mobile communication, apps & co.,” there are 12 scenes (numbered #1 to #12) with smartphone or app usage taking place on three levels in a subway station and a house in the background. The scenes show different people using different smartphone apps. Here, too, the participants should find, discuss, and understand the IS/DP risks and assign appropriate security measures. In terms of the process, a procedure analogous to the learning scenario described in 3.1.1 is recommended. However, the other five analog learning scenarios developed in our project are structured completely differently—only these two have the same didactic character.

Figure 4.

Structure of the analog learning scenario “Mobile communication, apps & co.” as a picture showing busy scenes with short story descriptions and visualizations centered on the use of smartphones and apps (prefinal version 2022).

In the initial phase, the moderator may ask the following question: What are the risks and other disadvantages of using apps that are popular as Internet services? Social media/networks, music, and video streaming sites, appointment planners, online games, web conferencing platforms, translation, presentation, cloud services, and e-mail services can be mentioned here. The moderator can also have the participant team estimate what percentage of apps steal data. A test procedure developed by the German TÜV [38] showed that of the 500 apps tested, around 40 percent of the programs read data without this being necessary for their function. When assigning the risks and the measures to address them, additional disruption cards that do not match the situations presented can be mixed in, in order to increase the participants’ attention. In the final phase of the serious game, the question of where to find the security settings on your own smartphone can be addressed. If more time than 15 minutes is available, the moderator should go through the security settings of individual apps and discuss the pros and cons of each configuration. There are also extensive instructions given for the moderator in this learning scenario.

Mnemonics, like “golden rules,” should also lead to discussion and an exchange of experiences between the participants. The guide also provides the moderator with sample questions to stimulate discussion. The moderator should be well-prepared for the game. The golden rules of this serious game relate to the following aspects:

  • Only install apps from trusted sources; apps can be gateways for malware and cybercriminals, promoting identity theft and manipulation.

  • As a rule, you install apps on all your mobile devices at your own risk—you should inform yourself about possible risks.

  • Remove apps you no longer use because each additional app is a security hole. Ideally, turn off services that are not needed.

  • With each installation, pay attention to the rights that each app demands. If you allow access to the microphone or camera, there is a risk that your device will be used as a mobile bug.

  • Do not tamper with your device by jailbreaking (iPhone) or rooting (Android), as this will compromise your security settings and device warranty.

  • When using apps or Internet services, you always transfer data that may be stored, processed, and possibly published or otherwise used in third countries outside the EU. As there is often a lack of transparency about the data protection guidelines of numerous providers, you should expect individual items of data to be systematically analyzed and used in attacks on organizations (e.g., for espionage purposes).

3.1.3 Implications for the other five analog serious games

For the five further analog learning scenarios that have been developed, it is easy to extrapolate their importance for HO/WFH. Depending on actual company practice, circuit training can be set up in combination with the other learning scenarios as learning stations. If, for example, the manipulation of people—i.e., social engineering—is an important aspect, then it may be useful to train the definition of terms (LS 5: “Cyber Pairs”) and CEO fraud (LS 3: “The five phases of CEO fraud”). If, on the other hand, the classification of data and data protection are of central importance in the operational processes, the sixth (LS 6: “Data and information protection”) and seventh learning scenarios (LS 7: “Information classes roulette”) can be used in a targeted manner.

It is very likely that the second learning scenario (LS 2: “Password protection and multi-factor authentication”) will always be important in relation to HO/WFH. Password security is only as good as the people who use it, who often lack the motivation to apply optimal password security [64]. In 2022, every fifth adult in Germany was the victim of an attempted smartphone scam—two million people, in other words; among those under 30, the figure is as high as 30 percent, but the number of unreported cases is likely to be even higher [64]. Here, both IS and DP try to increase security through two-factor authentication (2FA) so that no unauthorized third parties gain access to the accounts. 2FA ensures that nobody can access the account without the express consent or at least the knowledge of the account holder—even if the access data becomes known by accident or was captured by a hacker attack [64]. In companies, the implementation of 2FA is therefore an important step in increasing data security for employees and guaranteeing the protection of their customers’ personal data. However, this requires additional effort for employees or users in general: instead of simply entering a password, a code must be generated, or a device must be kept ready [64], which is why users must be made aware of this.

A good first step is to raise awareness of password security and make clear to users the possible consequences of their carelessness [64]—this is shown separately in the analog scenario LS 2. It is one way to educate employees about the importance of IS/DP through the use of narrative games in an analog discursive setting specifically designed to raise awareness, providing a fun and interactive way of protecting their own and customer data. With increasing digitization, IS/DP are critical concerns for organizations of all sizes. With an increasing number of employees shifting to HO/WFH, companies are facing new challenges when it comes to protecting their sensitive data and IT systems. Remote workers may not have the same security awareness and training as those working in a traditional office environment, making it important for organizations to find effective ways to train their remote workforce.

3.2 The digital serious games

3.2.1 Overview of the digital learning scenarios

The subcontractor, Gamebook Studio, provides the easy-to-use and comprehensive toolset Gamebook Technology for the development of digital serious games based on storytelling. It includes the use of the Visual Novel format to integrate a player as an active participant in their own story in a simple manner. The project’s seven digital learning scenarios (Figure 5) are being developed by this subcontractor in consultation with the research team of the university. The digital games are not a simple reflection of the analog variants because they are intended to generate independent motivation for addressing the issues, with employees targeted as different types of learners. The variety of different perspectives also has two positive effects: on the one hand, it ensures that playing does not become boring and that the motivation to learn is sustained; on the other, it conveys the relevance of the various actors and their methods within IS/CS.

Figure 5.

In our project, seven digital learning scenarios are developed to increase the ISA of employees in German SMEs. Of these, the home office (red border) is presented in more detail in this paper. These game developments are only funded in German. In addition, an eighth digital LS is developed by the research group. They can all be played in German directly from the project website [61].

All the decisions that the player has to make influence the course of the game. Every game decision not only affects their personalized story but also differentiates the topic in more depth and thus offers different learning paths and levels of difficulty—depending on the player’s previous knowledge, personal strengths and weaknesses, and learning preferences. This means that every type of learner and every level of knowledge is addressed with decisions, and the format is therefore suitable for use in a particularly broad target group.

In contrast to the analog version, the digital scenario is played by the employee working alone at a time and location of their choice. Therefore, the discursive environment within the digital game must be determined by the player’s decisions—the game designer has an important task here to develop the story and the learning paths in an appropriate and appealing way. The more successful the designer is in this, the more the story will stick in the learner’s memory. In addition, a discussion of the digital learning scenarios should take place within the company afterward—with an active, in-depth focus on IS/DP to anchor what has been learned over the long term. The debriefings of serious games are very important for the learners. The final titles of the seven digital learning scenarios are as follows (see [61], in German):

LS1: The first day (social engineering & password protection).

LS2: The hacker attack (social engineering: methods & tools).

LS3: The search for clues (CEO fraud: methods and protective measures).

LS4: AI in the home office (protective measures home office & smartphone).

LS5: Everything just stolen (password hacking methods & password protection).

LS6: A classification in itself (information classification & purpose).

LS7: The ransomware attack (encryption & messenger services).

In addition, an eighth digital LS was developed by the research group:

LS 8: Password hacking (crack a social media profile).

3.2.2 The digital serious game “AI in the home office (protective measures home office & smartphone)”

The next figure shows the decision tree (Figure 6, left column) of the digital game “Artificial Intelligence (AI) in the home office”—represented here in a very rough form—which the player goes through in the role of an AI. At the very beginning of the game (number 1 in Figure 6), the player is given general information. Green nodes in the decision tree are “story modules,” providing the player with information presented as text, instructions, feedback, or even music. Figure 6 (right) shows representative images of the information security officer (ISO), who gives the player initial information about their task, and the AI avatar, whose name should be given by the player. The ISO also explains that whatever decisions the player makes will affect how the game progresses. The decisions to be made should therefore be well considered by the player, since the goal is to pick up on the AI’s recommendations for a secure but livable way of working from home. The ISO also explains that the player’s points will be counted, and both their efficiency and social skills will be analyzed. In this case, efficiency means whether and how quickly the player catches on to what the AI recommends. At the end (number 10 in Figure 6), feedback is given on how much learning content the player has discovered along the way and their score in the form of stars. A maximum of three stars can be obtained for learning and for the security awareness they have demonstrated. At the very end of the learning scenario, reference is made to the other six digital learning scenarios.

Figure 6.

Digital learning scenario under development (prefinal version). The rough decision tree of the story “AI in the home office” (left) and sample scenes for the three paths (right) with ten positions; see text for explanation.

The actual story starts at the next green node, identified by the number 2 in Figure 6—the decision as to which home office should be examined first by the AI: the images corresponding to the possible choices can be seen on the right. The three paths correspond to the home office of the dispatcher, Gabi Burgmeister (second column in Figure 6), the boss, Dietmar Krause (third column), and the trainee, Jonas Schmidt (fourth column). The numbers 3 to 9 in the particular path that has been selected refer to the decision as to which questions the AI should ask the people working in the home office. To the right of this are sample images of the scenes for the particular path. It is also evident that the avatars are able to show emotions. In the digital game, sounds and music can be heard to accompany the situation, but the avatars do not speak. The decision options are presented to the player in the form of text, so that the player has time to think about the question. The development of the storyline (first column in Figure 6) shows how important the designer’s empathy with the topic and the target group is in building the story.

By way of example, the information given to the player and the decisions they are asked to make are listed below for numbers 1 to 10 of the entire learning scenario.

  • Number 1 (Figure 6):

    • The security expert welcomes the player and informs them about the content of the learning scenario as follows: “In this learning scenario, you will try, as an artificial intelligence (AI), to find the most common mistakes in the home office. I pay attention to security awareness and whether you can correctly predict human behavior (machine learning). During the evaluation at the end, I will give you more detailed feedback on this.”

    • The player is asked to enter a system name as an AI. It is then made clear to them that in the company under consideration, most of the employees are currently working from home. In order to ensure more security there, the branch manager Dietmar Krause decided to start a test run with AI software. After a successful attempt in the branch, it should now check the home offices of the individual employees. However, the AI is still in the testing phase.

    • The player also experiences the AI’s thoughts as follows: “Oh, these humans! Now it is all down to this cluster of organic cells whether I can show what you need for real security in the home office. Because if this little experiment goes well, I will be featured at the Security Software Convention and hopefully get to market then. Unless that faulty biomass throws a spanner in the works! Then it goes back into the development process and I get reprogrammed. But I know how to prevent that …”

    • The player then learns about their specific task as an AI. They have the opportunity to go to the home office of three different employees and look for weak points there. As an AI, the player may also be able to prevent errors by correctly predicting human behavior.

  • Number 2 (Figure 6):

    • The player as AI is asked whose home office they would like to check. There are three people to choose from: the dispatcher, Gabi Burgmeister; the branch manager, Dietmar Krause; and the trainee, Jonas Schmidt.

  • Numbers 3–8 (Figure 6) for HO/WFH of Gabi Burgmeister:

    • The player learns from Gabi Burgmeister that she lives alone with a dog named Wauzi. They learn the name of her Wireless Local Area Network (WLAN) and that a laptop and an Android tablet are registered on it. The AI introduces itself to Gabi, who, after a brief shock, remembers that the branch manager had mentioned something like that. The AI explains its mission to check the home office for security vulnerabilities and begins to scan Gabi’s network environment.

    • For example, the player is asked what vulnerabilities they are likely to find and should decide between the following:

    • “The router probably still has its default password.”

    • “The microphone is probably always on.”

    • “The WiFi signal at work is probably weak.”

    • The router is the right choice here and the AI recommends that Gabi change the password of her router and her network as a matter of urgency. Gabi asks, “But why? The password is super long. So, it has to be secure, doesn’t it?” The AI explains that lists of standard passwords are circulating and that hackers can gain access to the home network in no time at all.

  • Numbers 3–8 (Figure 6) for HO/WFH of Dietmar Krause:

    • The AI reports to the boss, Dietmar Krause, via his smart speaker. The player learns that Dietmar Krause lives with his wife and two children in a terraced house that has been set up as a smart home. All residents share computers and other end devices.

    • With the information that the workforce of the Grüsselig company is in the home office three out of five working days, the player must decide whether all employees of the company should:

    • “have company computers made available”;

    • “be paid a bonus because the company saves electricity”; or

    • “be provided with guidelines on ‘Security in the home office.’”

    • The AI explains that clear guidelines and protocols are the be-all and end-all of a functioning security architecture and can be implemented without great technical effort.

    • As the story progresses, the AI takes control of all the devices in Dietmar Krause’s smart home in order to optimize it. The player has to specify their first course of action:

    • “Establish physical protection against eavesdropping.”

    • “Maximize Internet security.”

    • “Update all devices.”

    • The AI informs the player that regular updates are important to close security gaps and keep the smart home up-to-date. The player must then specify their further course of action.

    • If the player selects “Maximize Internet security,” the AI disconnects all Internet connections in the home that are not immediately identified as work-related. The result is that the son can no longer play a console and complains, whereupon Dietmar Krause makes it clear that this is going too far and that all residents are allowed to use the Internet.

    • The establishment of physical protection against eavesdropping means that all doors in the house are locked. However, Mr. Krause’s wife does not want to be locked up. She wants to talk on her cell phone on the balcony, while the AI sees this as a security risk, since someone could overhear what she is saying.

    • After this situation has also been resolved, contrary to the AI’s advice, the AI realizes that all smart home devices still have their default passwords and third-rate criminals could hijack the devices and cause a situation like the one just shown. The AI suggests introducing a uniform level of security for the workforce and keeping the device software up-to-date. From a cost-benefit point of view, the player needs, among other things, to establish a VPN system for all employees.

  • Numbers 3–8 (Figure 6) for HO/WFH of Jonas Schmidt:

    • The trainee, Jonas Schmidt, is the youngest employee in the company and has not consented to the AI’s home office security check. Nevertheless, the player as an AI must decide whether to first have

    • “checked the router”; or

    • “looked through the webcam.”

    • The webcam reveals a Scarface movie poster, the book The Bitcoin Bible, and a few protein products. Jonas apparently lives in a shared apartment with at least three people. Eight devices (computers, mobile phones, tablets) are logged into the network. No major security measures can be seen, and the WLAN name is “Alice im WunderLAN.” The player should estimate how likely it is that more than 10 people know the password for the network. The AI also draws attention to dubious websites and malware threats.

    • The AI wants to send Jonas a message on his phone, and the player decides which of the messages to use. The AI explains to Jonas that it determined his password from information that it collected with the help of his webcam. The player must now decide what the password for the account “JoSchmi02” is:

    • “Snailsweet2”

    • “KryptoMontana1312”

    • “JohnnyJungle@420”

    • In the conversation between Jonas and the AI, the player must also choose one piece of advice for Jonas:

    • “Cover the webcam when it’s not in use.”

    • “Delete your browsing history regularly.”

    • “Have no hints of passwords in your webcam image.”

    • Finally, the AI suggests creating an extra access for guests in the home network of the shared apartment.

At number 9 in Figure 6, the three stories, which can be played in any order, are merged. The feedback for the played digital game at the end (number 10 in Figure 6) is divided into two sections. Under “Machine learning” the correct prediction of human behavior is assessed, and under “Security awareness” the answers are evaluated. A maximum of three stars is possible in both categories.
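The structure described in this section (story modules without a decision, decision points with a time limit that send the player back while retaining what they have discovered, three paths merging at node 9, and two scores mapped to a maximum of three stars each at node 10) can be expressed as a small data-driven engine. The following Python script is an added example and is not the ALARM project’s code or its Gamebook Technology production: node ids follow the numbering in Figure 6, the story text is paraphrased from the chapter with Gabi Burgmeister’s path modelled in most detail, and the point values, star thresholds and time limit are assumptions made for the example.

```python
"""Branching-narrative engine modelling the decision tree sketched in Figure 6.

Added example, not the ALARM project's code. Node ids follow the figure's
numbering (1 intro, 2 path choice, 3-8 per-path decisions, 9 merge, 10 feedback).
Story text is paraphrased from the chapter; point values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Option:
    text: str
    next_node: str
    ml: int = 0          # points for correctly predicting human behaviour
    awareness: int = 0   # points for a security-aware recommendation
    feedback: str = ""   # learning content revealed when this option is taken


@dataclass
class Node:
    story: str                                   # green "story module" text
    options: List[Option] = field(default_factory=list)
    next_node: Optional[str] = None              # used when there is no decision
    time_limit_s: Optional[float] = None         # set on "time choice" nodes
    learned: Optional[str] = None                # learning content shown on arrival


# Constructed script (assumption): Gabi's path in detail, the other two abridged.
SCRIPT: Dict[str, Node] = {
    "1": Node("ISO: as an AI, find the most common home-office mistakes.", next_node="2"),
    "2": Node("Whose home office do you check first?", options=[
        Option("Gabi Burgmeister, dispatcher", "3-gabi"),
        Option("Dietmar Krause, branch manager", "3-dietmar"),
        Option("Jonas Schmidt, trainee", "3-jonas")]),
    "3-gabi": Node("Gabi lives alone; a WLAN, a laptop and an Android tablet are registered.",
                   next_node="4-gabi"),
    "4-gabi": Node("Which vulnerability are you likely to find?", time_limit_s=20.0, options=[
        Option("The router probably still has its default password.", "5-gabi", ml=1, awareness=1,
               feedback="Lists of default router passwords circulate; change router and WLAN passwords."),
        Option("The microphone is probably always on.", "5-gabi"),
        Option("The WiFi signal at work is probably weak.", "5-gabi")]),
    "5-gabi": Node("Gabi: 'The password is super long, so it has to be secure, doesn't it?'", options=[
        Option("A long password is still insecure if it is a published default.", "9", ml=1, awareness=1),
        Option("Yes, a long password is always secure.", "9")]),
    "3-dietmar": Node("Staff work from home three days out of five. All employees should:", options=[
        Option("have company computers made available", "9"),
        Option("be paid a bonus because the company saves electricity", "9"),
        Option("be provided with guidelines on 'Security in the home office'", "9", ml=1, awareness=1,
               feedback="Clear guidelines and protocols need little technical effort.")]),
    "3-jonas": Node("Eight devices share the flat's WLAN; the AI suggests a separate guest network.",
                    next_node="9", learned="Give guests their own network access."),
    "9": Node("The three stories merge here.", next_node="10"),
    "10": Node("Feedback: machine learning and security awareness, up to three stars each."),
}


@dataclass
class Result:
    stars_ml: int
    stars_awareness: int
    discovered: List[str]   # learning content the player has seen
    timeouts: int           # how often a time choice sent the player back


def stars(points: int, maximum: int) -> int:
    """Map points on the chosen path to 0-3 stars (thresholds are an assumption)."""
    if maximum == 0 or points <= 0:
        return 0
    if points >= maximum:
        return 3
    return 2 if points * 3 >= maximum * 2 else 1


def play(script: Dict[str, Node], choices: List[Tuple[int, float]], start: str = "1") -> Result:
    """Run the script with scripted input: one (option index, seconds taken) pair per
    decision. Exceeding a node's time limit sends the player back to the same node,
    keeping everything discovered so far, as described for the digital game."""
    node_id, queue = start, list(choices)
    ml = aw = max_ml = max_aw = timeouts = 0
    discovered: List[str] = []
    while True:
        node = script[node_id]
        if node.learned and node.learned not in discovered:
            discovered.append(node.learned)
        if not node.options:                     # story module without a decision
            if node.next_node is None:
                break                            # node 10: end of the scenario
            node_id = node.next_node
            continue
        if not queue:
            raise ValueError(f"no player input supplied for node {node_id}")
        idx, seconds = queue.pop(0)
        if node.time_limit_s is not None and seconds > node.time_limit_s:
            timeouts += 1
            continue                             # replay the same node
        opt = node.options[idx]
        max_ml += max(o.ml for o in node.options)         # best achievable on this path
        max_aw += max(o.awareness for o in node.options)
        ml, aw = ml + opt.ml, aw + opt.awareness
        if opt.feedback:
            discovered.append(opt.feedback)
        node_id = opt.next_node
    return Result(stars(ml, max_ml), stars(aw, max_aw), discovered, timeouts)


if __name__ == "__main__":
    print(play(SCRIPT, [(0, 2.0), (0, 8.0), (0, 4.0)]))   # Gabi's path, all answers correct
```

Because the script is plain data, a designer can iterate on the story (the three agile iterations mentioned later in the chapter) without touching the engine, and the scoring is normalized against the best result achievable on the path actually played, so the three paths remain comparable even though they contain different numbers of decisions.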


4. Discussion

The term “serious game” is established nowadays, but there is no unique definition of the concept because it refers to a wide range of applications: they are used for training, advertising, simulation, or education and are designed to run on different systems [65]. According to the technical report by Susi et al., serious games focus on learning with practical simulations for problem solving, with a number of positive effects when it comes to informing, learning, developing skills, social interaction, and psychological aspects [65]. However, there seems to be no conclusive evidence to support the much-vaunted usefulness of serious games, so research should focus on explaining why and under what conditions these games are compelling and effective [65]. Laamarti et al. give special attention to the design of digital serious games and their development, and the game developer must strike a balance between the fun factor and the game’s main purpose [66]. In recent years, serious games have emerged as a new educational approach in IS that creates a fun, enjoyable environment in which users can experience attacks and practice appropriate behavior to protect information assets; ISA often only involves the transfer of knowledge—e.g., via a web-based training or a lecture [67].

According to Hart et al. there is a lack of pedagogically motivated methods and tools to support the design of serious games and to ensure that they achieve the learning goals [68]. Brown & Vaughan argue, “The ability to play is critical not only to being happy but also to sustaining social relationships and being a creative, innovative person” ([69], p. 6). In our opinion, based on our diverse experience with serious games in the field of IS/DP, emotional design should be integrated into the learning materials through the use of games and game elements [60, 70]. Meaningful narratives support immersion in serious games, which is crucial for learning success [71]. Green argues that stories support teaching as they:

  • are more suited to raising interest in a topic compared to, for example, PowerPoint slides conveying information and hard facts;

  • give the learning material a context so that the individual learning elements are easier to recall—for example, by creating vivid images; and

  • help motivate learners to engage with abstract, possibly challenging learning content, inasmuch as they provide a nonthreatening way into a topic [72].

According to Landrum et al., stories also make the learning content personally relevant and thereby support the learning process [73]. Because of these benefits, research documents the effectiveness of storytelling for teaching and learning. The main benefit of storytelling is that its narrative structure and the emotional involvement of learners promote retention of the learning content [73]. Thus, good narratives of serious games invite the player to participate in the story and decide on the development of the story, thus encouraging the intrinsic motivation to learn. It is recommended that the narratives stimulate the imagination and include characters with whom learners can empathize [73].

Our analog and digital learning scenarios (serious games) for raising ISA/CSA—as described in Section 3—are being developed and improved with target groups in three stages of iteration. They use emotional designs with storytelling and interactions in discursive settings. To help raise awareness in IS/DP, the complexity of the topics needs to be reduced. Moreover, each game should be shortened, with a maximum time limit of 15 minutes, so that it can be played by employees in a break or together with other games in an effective circuit training. On the other hand, if more time is available, each topic can be presented and discussed in depth; above all, the experiences of the participants should be included again and again, so that a more in-depth training of 1 hour can result. Both our analog and digital learning scenarios can therefore be used flexibly: they can deal with the topic in a reduced or extended way.

The prefinal analog learning scenarios were also evaluated by external SMEs [63]. The “safe living and secure working from home” learning scenario showed the fewest obstacles for learners in the tests and evaluations. In general, our experience with such pictures of busy scenes like this, in which “risk cards” and “protection cards” are matched, is that they all work equally well. The principle of the game does not have to be explained at length by the moderator but is adopted automatically by the participants after a few seconds. The learners understand the game and their task immediately. With risk scenarios that are mostly familiar, this learning scenario is an ideal “soft start” to a learning course including the other six games on the subject of IS/CS. Some spontaneous responses from participants are given as examples [63]:

  • “It fosters a sense of achievement. You do not feel totally helpless.”

  • “It’s just like in real life—video conferencing with the boss while the children are yelling or crying close by.”

  • “Actually, this is all clear, and yet it’s something that happens to you.”

The participants usually seem grateful to be able to review their own experience of working from home, which became much more prevalent as a result of the pandemic, in relation to IS/CS and DP. Both business and private issues are addressed together. Many employees often discuss examples from their own environment, and younger people, in particular, cite things that happened to their own parents or grandparents [63]. The advantages and disadvantages of working from home and in the office are compared, and people’s motivation and fears are discussed. Laughter is triggered by the station “Alexa in the toilet” (#xx), and the game is completed quickly despite a lively discussion [63]. In all cases, the correct assignment of the 34 cards to the 17 scenarios is relatively quick—the 5 minutes of playing time are usually sufficient without the moderator having to motivate participants to go faster. In rare individual cases when the visualization of a station number cannot be understood immediately, talking with the other participants or the moderator helps bring clarity. During the debriefing, the importance of the topic is emphasized, and the implementation is praised. The game of this LS is rated, relatively speaking, as “easily solvable” and “extremely practical” [63]. From the point of view of the evaluation [63], there was no need for any changes to the final version of the game.

The in-depth discussion in the context of IS enables participants to understand the meaning and purpose of the digital tools, informed by an increasingly critical attitude toward their own working conditions. At the same time, it is often clear that employees in SMEs are relatively unconcerned about facing personal consequences if they make a mistake [56, 57, 63]; this also reveals deficits in the operational safety culture. All in all, with the help of analog games, the employees seem to be able to develop an awareness that seems interesting to them and takes on a life of its own, encouraging them to delve further into the topic. This is brought out by the abundance of lively, in-depth questions from the participants. Moreover, gamification can have a positive impact on creativity [47]. The consistently high interest of our participants was also reflected in inquiries about content that may not be covered by the learning scenarios. This was coupled with a significant stretching of the tight time limit of 15 minutes set aside for the task. However, all our analog learning scenarios are flexible and can be extended in terms of content.

In the learning scenario related to living and working safely from home, the authors of study 2 recommend addressing the typical home office risks mixed in with risks deriving from IoT or Smart Home, since IoT devices all rely on the same network, which is used when working in the home office. This means that the use of smart devices entails additional risks for projects that are brought home from work, unsupervised by the employer, for further elaboration on the network, possibly involving private hardware. Discussions of this kind help participants learn to pay more attention to IS in their own company and to recognize the connection (the same network) between business and private use [63]. By their very nature, the analog games for IS include the necessary interaction and discussion as part of the visualized story/narrative. This helps participants internalize and remember the content. Our own experience of using these games consistently shows that the debriefing, however brief, is very important.

Our experience creating three agile iterations for the digital learning scenarios developed in the project confirms that special attention should be paid to the design and the story of these serious games. It is necessary to find a balance between the fun factor and the game’s main purpose—to reduce the complexity of security and data protection issues. All the serious digital games in the project are immersive stories that depict everyday security-relevant work situations in SMEs. The players experience the stories from a first-person perspective, which is different in each game. This enables the learning content to be examined in detail and encourages identification with it.

As mentioned above, Figure 6 (left) offers a very rough representation of the decision tree: the actual individual parts that make up the story can only be seen in the Gamebook Technology production tool. For example, decision points can be used to allow the player to interrupt the game and take a look at the glossary to get more input on the topic. Decision points may also constitute a “time choice” such that the player must choose between options within a specified period. If the player takes too much time to decide, the digital game sends them back. However, the player will retain all the information they have previously accumulated, leading to other options for the next step. This brief explanation makes it clear how important the designer’s connection to the topic and empathy for the target group are in building an appropriate story.

Technical implications could be examined in more intricate detail in Dietmar Krause’s smart home, which would, however, increase the complexity of the digital learning scenario. At the end of each of the three stories of the learning scenario, specific golden rules could also be presented as a watch list or made available for download. Moreover, legal implications could be dealt with in the story by Jonas Schmidt, since the AI searches his home office without consent. Further legal bases could be explored. It would also increase the complexity of the digital game.

The digital games are not a simple reflection of the analog variants because they are intended to generate independent motivation for addressing the security and protection issues. It is clear how important the designer’s connection to those topics and empathy for the target group is in building an appropriate story. This means that the game designer has an important task here to develop the learning paths in an appropriate and appealing way. The more successful the designer is in this, the more the story will stick in the learner’s memory. In addition, a discussion of the digital learning scenarios should take place within the company afterward—with an active, in-depth focus on IS/CS/DP debriefings to anchor what has been learned.

An analog and a digital serious game for ISA/CSA should be completed in 15 minutes, which corresponds to the study results of [20]. The length of such a microlearning module should be very short, lasting only a few minutes: “What you can do quickly during a break” [20]. Quizzes that followed a module were also valued because they forced people to focus on content [20]. Adapting the (external) training material to the local context and language was seen as crucial by staff; however, they also acknowledged that this could be a challenge for the CISO [20]. Presentations should be limited in duration to around 15 to 20 minutes to help learners focus on the topic. Employees had a positive perception of workshops and of various types of interactive meetings in which discussions could take place and knowledge exchange was encouraged, with interactivity cited as the main reason for the positive attitude [20]. We can confirm these results. Although there are similarities between the CS behavior of home users and the CS behavior of employees in an organizational context, there is a need to understand their differences and to further develop research and practice focused on the CS behavior of individuals [9].

The results of Fallahdoust indicate that individual and organizational factors influence CS behavior and, in some cases, impede secure behavior [14]. Employee understanding, gender, computer skills and prior experience, attitudes toward cybersecurity, age group, individual perception, and personality type and traits are identified as discrete factors influencing behavior [14]. Likewise, systemic factors such as organizational culture, the clarity and transparency of communication, organizational norms and perceptions, leadership style and its reward system, and company size have an influence on employee behavior [14]. In addition, heuristics and biases influence CS behavior. Exploring the anger factor, information avoidance, and social norms as psychological barriers to CS behaviors can drive the successful implementation of policies that promote safer CS behaviors on a sustained basis. Talking about security can be successfully encouraged using serious games with immersive stories like those presented here. Moreover, the results show that organizational factors such as management involvement, organizational culture, and the organization’s CS norms directly influence individuals’ CS behaviors [14].

A diverse mix of different measures will be necessary to sustainably increase the ISA/CSA of all members of an organization. The framework of Eiza et al. compiles several approaches, current standards, practices, tools, and strategies that are suitable for improving CS when working from home. It also provides a common language for expressing, managing, and communicating WFH-related CS risks on the following aspects [6]:

  • WFH Cyber Policies Development

  • WFH Cyber Risks Identification

  • WFH Cyber Risks Assessment

  • WFH CS Controls

  • WFH CS Monitoring

  • Elimination & Recovery and Post-Incident Feedback.

Based on the experience from our project, it would make sense to prepare all these aspects in interactive, short learning scenarios that are clear and understandable, and to make them available to people working from home.


5. Summary and outlook

The final versions of the serious games on HO/WFH and mobile/remote communication presented here, like the other analog and digital learning scenarios developed in the project “ALARM information security,” will be available for noncommercial use free from the project website [61]. The development and evaluation results will be recorded in the final project documentation in German. Individual aspects will also be made available on an ongoing basis in scientific publications in English. Awareness training was carried out with different participants at a number of events. Our experience has shown that the measures and the serious games presented are very well received by the interested participants, who are keen to use them. The research team is often asked to conduct awareness training within a company or as a workshop at CS events.

Our evaluation, based on playing the serious games and interviewing participants from external SMEs, is that the project’s learning scenarios and associated games represent demanding, energizing awareness tools [60, 63]. However, no learning scenario works equally well everywhere. This means that defining an exact fit between the developed learning scenarios and their use in a particular SME is made difficult by the great cultural heterogeneity in the SME environment. To compensate for variances such that a clearly presentable, quantitative statement can be made about the compatibility of the analog learning scenarios with the corporate or security culture, the focus must be on the security awareness maturity level of the specific SME—this requires further research.

Our second study [63] suggests that a higher degree of awareness maturity in SMEs is essential for the introduction of certain learning scenarios so that the intended degree of effectiveness can be achieved. In particular, it can be assumed that gamified settings in companies with a very low level of security awareness trigger effects that are different from the originally intended prevention service. If the topic to be dealt with does not relate to operational reality—for example, if information classification is not yet a standard process in the company, or if the thematic complexity in the game is not sufficiently reduced or is too generic, this may produce more recalcitrance than positive effects. Even nudges that are frequently recommended [14] would then fail to have their potential effect.

In another task area of the project, seven “on-site attacks” are planned, which are designed, carried out, and evaluated by the subcontractor Thinking Objects in consultation with the university’s research team. These “attacks,” coordinated with the management of the companies, were, like the digital and analog learning scenarios, based on the needs of IS from the first study [56, 57] in order to raise awareness among the employees of the pilot companies of the project and to give concrete instructions for action. The particular challenge here, however, is to get the pilot companies enthusiastic about such on-site training courses, as these can disrupt the day-to-day business of the company. In addition, a special relationship of trust is required between the subcontractor and the specific SME or intensive agreements with the management and information for the employees. All pilot companies involved in this training have received a confidential evaluation of the attacks and specific instructions from the subcontractor. The following on-site attacks have been carried out so far:

  • LS 1 (“Phishing”; electronic action), completed with three pilot companies

  • LS 2 (“Have I Been Pwned?”/“Password Database Check”), completed with three pilot companies

  • LS 3 (“Smishing”; phishing attack via SMS on smartphones), analogous to LS 1

  • LS 4 (“Tailgating”; physical action), completed at three pilot companies

  • LS 5 (“Shutdown”; simulated ransomware attack), carried out in March 2023 with a pilot company

  • LS 6 and LS 7 are planned in 2023. Information sheets, instructions, and low-threshold security concepts are created for each on-site attack; they will be published in a bundle on the project website at the end of the project in September 2023.

SMEs can be seen as the new big target for cyberattacks, while cybercrime prevention in their environment is often neglected [74]. The COVID pandemic triggered a large, sustained shift to HO/WFH, and the traditional skepticism in Germany seems to have diminished; many employees do not want to work without also working from home [75, 76]. However, the sudden shift to HO/WFH increased the opportunities for cyberattacks on individuals. According to Vakakis et al., in the future—especially with regard to the integration of IoT devices—there will be a need for more effective technical CS solutions that can be easily tailored to the evolving needs of each individual company and quickly adapted to the changing cyber-threat landscape [74]. Nevertheless, it is important to understand that the use of new technologies and new processes will not bring comprehensive security to our everyday lives, so we need to become, and remain, more careful about IS/CS [23]. IS/CS is the backbone of the successful digitization of society, and awareness of cyber situations is an essential aspect of managing them [23]. Human beings are the target of cyberattacks, but also the last line of defense, especially when technology fails.

The continuous development of ISA/CSA is an existential necessity for SMEs. Fichtenkamm et al. underline the importance of a holistic approach to awareness-raising measures, covering both personal benefits and usage in the workplace, and targeting the entire spectrum from end users to CS specialists [12]. Issues related to awareness and education are located at both the user level (in terms of lack of support) and the practitioner level (in terms of a skills shortage) [12]. It is particularly important for us to talk more about risks and IS/CS in the concrete working environment. Interactive, game-based learning scenarios with emotional design in a discursive setting covering real-life situations enable promising access to a practical exchange of experience. According to Haney et al., we need to understand that the pure transfer of knowledge in training courses is considered to have failed because the raising of awareness is about much more than knowledge [77]. For the sustainable development of a security culture in SMEs, practicable awareness measurements must also be established in the future, which will lead to statements about the degree of IS maturity of the organization. So far, however, there has been relatively little progress made in research and practice toward creating a practicable model of a security awareness maturity level for SMEs. It became evident in the course of research and during the project that awareness measurements are still an evolving field of research and cannot be carried out for the pilot SMEs within the planned scope of the project. Further intensive research on awareness measurements and maturity statements is necessary if high-quality results are to be delivered. The conclusion we draw from this is that within the current project, we can only summarize tendencies moving in the direction of a change in consciousness. We are aiming to instigate a follow-up project that deals intensively with awareness measurements in awareness training. Such a follow-up project must be even more interdisciplinary than before because it requires far more in-depth analyses of psychology, behavioral change, and brain research.

Many organizations offer only an hour or two of knowledge training per year to raise security awareness among their employees [78]—this fails to produce any lasting knowledge, attention, or behavioral change. Instead, short, interactive game-based learning scenarios should be used continuously. Our game-based approaches instill the kind of security thinking that can turn employees into a critical layer of defense. Developing any degree of long-term effect relies on the provision of appropriate and compelling security stories that stick in the memory, as well as the opportunity for exchange between employees. The project represents a contribution to self-help for SMEs. Other service and training companies can also benefit directly from the developed materials for their own business practice. These materials can also be used in public administrations, even if some specific features of the administrations should be dealt with separately in the discursive exchange. Downloading the materials makes the results available for use; these are provided with specific instructions. The learning scenarios can be integrated into corporate practice at any time and used for training and awareness-raising purposes. However, this requires the willingness of the SMEs to do this, so the management must be convinced of the necessity. In a follow-up project, management and executives should be made aware of the need to develop a security strategy and a sustainable security culture. After the project in 2023, the awareness-raising events outlined in this paper and training courses for CISOs/ISOs [79] can be booked through the Wildau Institute for Innovative Teaching, Lifelong Learning, and Design Evaluation (WILLE), which is part of the Technology Transfer and Continuing Education Center (TWZ e.V.) at TH Wildau [80].

It should be noted that serious games are highly topical for awareness-raising measures to increase ISA/CSA and can be used successfully in a wide variety of constellations. However, they are not a surefire success; rather, they must be carefully designed and used within a practice-oriented mix for SME target groups. The awareness laboratory that has been developed is to be retained and made available to SMEs in the long term so that IS is made tangible and comprehensible as a result. It will be necessary to train moderators in SMEs so that they can establish IS as an ongoing element in their operational processes and use our developed and tested materials to carry out their own awareness-raising measures in the future. Such moderator training should be built up sustainably and possibly accompanied by a certification; this could be offered in the short term at the beginning of 2024 for a fee via the affiliated institute TWZ e.V. [80]. However, since German SMEs—and microenterprises, in particular—first need to be persuaded to make investments here, the demand must first be stimulated, and this will probably require state funds, necessarily made available via a continuous funding program.

In addition, many English-speaking employees work in German SMEs, and there are English-speaking business partners who should be involved in security issues and the development of the security culture. For this reason, the materials developed should, in principle, also be made available in English in the future. Our experiences with the pilot SMEs also suggest that in a follow-up project, the SMEs need to be specifically supported and taken by the hand in order to develop a sustainable awareness-raising strategy and to establish continuous awareness-raising measures in the relevant business processes. In addition, based on the concrete everyday situation in SMEs with economic pressure and stress, it is to be expected that SMEs will need further assistance in order to introduce awareness-raising measures in the long term. Here, a structured and research-based approach on a systemic basis can be of great importance for SME managers in order to give SMEs the necessary assistance and to scientifically support them in their efforts. For that purpose, a third project study is planned in 2023 to provide more insight into the special needs of managers who want to build a sustainable security culture in their particular SME. Moreover, a theoretical model to elucidate the main factors involved in building the security culture is currently being developed in a second project report and will be verified as part of a third report in the period up to September 2023.

Here, it is important that ISA/CSA is not just about knowledge but also about putting what you have learned into practice [53]. Awareness is a process that needs to be adjusted in subsequent iterations to improve its usability and long-term efficacy. Chaudhary et al. [53] argue that this is only possible if an ISA/CSA program is reviewed and evaluated in a timely manner. However, as there is not yet a common understanding of which factors to measure and how to measure them during the assessment process, they adapted the four indicators used in awareness assessment by the European Literacy Policy Network (impact, sustainability, accessibility, surveillance) to make them suitable for assessing an ISA/CSA program and to make the assessment process systematic, complete, and reproducible [53].

Acknowledgments

As the initiator of “Awareness Lab SME (ALARM) Information Security” and project manager, I am grateful to our long-standing security awareness partner, the company known_sense, for doing the project studies and developing the seven analog learning scenarios in conjunction with the university’s research team. Moreover, I would like to thank the other subcontractors, Gamebook Studio and Thinking Objects, whose special input into the project is the development of the serious digital games and the on-site attacks. My special thanks to the pilot companies for their active involvement and to my research team—featured on the project website [61]—who have moved the project forward in different constellations. Finally, I would like to acknowledge the anonymous reviewers for their helpful critical comments. Many thanks, too, to Simon Cowper for his detailed and professional proofreading of the text.

Conflict of interest

The author declares no conflict of interest.

Funding

I would like to thank the Federal Ministry for Economic Affairs and Climate Action (BMWK) for funding the project “ALARM Information Security.” This work is supported by the BMWK under grant number 01MS19002A with cash register number 810304574931.

References

  1. Morgan S. Cybercrime to Cost the World $10.5 Trillion Annually by 2025. Cybercrime Magazine. 2020;13(11). Available from: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016 [Accessed: November 13, 2020]
  2. Dukes S. Safety and cybersecurity in a digital age. In: Dastbaz M, Naudé W, Manoochehri J, editors. Smart Futures, Challenges of Urbanisation, and Social Sustainability. Cham: Springer; 2018. pp. 241-258. DOI: 10.1007/978-3-319-74549-7_13
  3. Sample C, Loo SM, Justice C, Taylor E, Hampton C. Cyber-informed: Bridging cybersecurity and other disciplines. In: Proceedings of the 19th European Conference on Cyber Warfare and Security, ECCWS 2020. Chester, UK: University of Chester, ACPI; 2020. pp. 334-341
  4. Statista Research. Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025. 2016. Available from: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ [Accessed: May 3, 2023]
  5. IoT Analytics Research. Global IoT Market Forecast [in billion connected IoT devices]. 2022. Available from: https://iot-analytics.com/number-connected-iot-devices/ [Accessed: March 23, 2023]
  6. Eiza M, Okeke RI, Dempsey J, Ta VT. Keep calm and carry on with cybersecurity@home: A framework for securing homeworking IT environment. International Journal on Cyber Situational Awareness. 2021;5(1):1-2
  7. Pietenpol L. Cybersecurity in the time of covid. Quality Progress. 2020;53(8):7-8
  8. Barrein A. The Right to Home Office/Das Recht auf Home-Office (German) [Thesis]. Universität Hannover, Germany, 2021. Berlin: Duncker & Humblot; 2022. pp. 1-467
  9. Li Y, Xin T, Siponen M. Citizens’ cybersecurity behavior: Some major challenges. IEEE Security & Privacy. 2021;20(1):54-61. DOI: 10.1109/MSEC.2021.3117371
  10. Škiljić A. Cybersecurity and remote working: Croatia’s (non-) response to increased cyber threats. International Cybersecurity Law Review. 2020;1(1):51-61
  11. Fadinger H, Schymik J. The costs and benefits of home office during the covid-19 pandemic: Evidence from infections and an input-output model for Germany. COVID Economics. 2020;9(24):107-134
  12. Fichtenkamm M, Burch GF, Burch J. Cybersecurity in a COVID-19 world: Insights on how decisions are made. ISACA Journal. 2022;2(1):1-11
  13. Berg A (president of Bitkom e.V.). Available from: https://www.bitkom.org/sites/main/files/2022-08/Bitkom-sharts_Wirtschaftsschutz_Cybercrime_31.08.2022.pdf (German) [Accessed: October 15, 2022]; and from: https://www.bitkom.org/Presse/Presseinformation/Wirtschaftsschutz-2022 (German) [Accessed: November 5, 2022]
  14. Fallahdoust M. Nudges and Cybersecurity: Harnessing Choice Architecture for Safer Work-from-Home Cybersecurity Behavior [Thesis]. Ottawa, Canada: Carleton University; 2022
  15. Machado TJX, Gouveia LB. Covid-19 effects on cybersecurity issues. International Journal of Advanced Engineering Research and Science. 2021;8:222-229
  16. AGCS—Allianz Global Corporate & Specialty SE, editor. Allianz Risk Barometer 2022 (German version: results for Germany). 2022. Available from: https://www.agcs.allianz.com/news-and-insights/news/allianz-risk-barometer-2022-press-de.html [Accessed: May 3, 2023]
  17. Reinhardt C, Gerdes J. Cyber risk “human factor” in transition: How hackers exploit hybrid working models/“Cyberrisiko Human Faktor” im Wandel: Wie Hacker hybride Arbeitsmodelle ausnutzen (German). SoSafe presentation at the Security Insider webinar “Risiko Human Faktor – Social Engineering im New Normal,” 27 October 2022 (German). Available from: https://www.security-insider.de/risiko-human-faktor--social-engineering-im-new-normal-w-615c1cd70e599/ [Accessed: November 5, 2022]
  18. DIHK—Deutscher Industrie- und Handelskammertag e. V., editor. Time for the Digital Awakening: The IHK Survey on Digitization/Zeit für den digitalen Aufbruch: Die IHK-Umfrage zur Digitalisierung (German). Berlin: German Chamber of Industry and Commerce; 2022. Available from: https://www.dihk.de/de/themen-und-positionen/wirtschaft-digital/digitalisierung/digitaler-aufbruch-mit-hindernissen [Accessed: May 3, 2023]
  19. Proofpoint, editor. State of the Phish 2022 (German version): Security Awareness and Threat Prevention in Focus—A Comprehensive Inventory/Sicherheitsbewusstsein und Bedrohungsabwehr im Fokus – eine umfassende Bestandsaufnahme. Landshut, Germany; 2022. Available from: https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-de-tr-state-of-the-phish-2022.pdf [Accessed: October 27, 2022]
  20. Johansson K, Paulsson T, Bergström E, Seigerroth U. Improving cybersecurity awareness among SMEs in the manufacturing industry. In: Ng AHC, et al., editors. SPS2022. Sweden: Open Access by IOS Press; 2022. pp. 209-220. DOI: 10.3233/ATDE220140
  21. Nyikes Z. The cybersecurity challenges of COVID-19. IPSI Transactions on Advanced Research. 2021;17(2):57-62
  22. Bispham M, Creese S, Dutton WH, Esteve-Gonzalez P, Goldsmith M. Cybersecurity in working from home: An exploratory study. In: TPRC49: The 49th Research Conference on Communication, Information and Internet Policy. Rochester, NY: Elsevier; 2021. DOI: 10.2139/ssrn.3897380. Available from: https://ssrn.com/abstract=3897380 [Accessed: October 11, 2023]
  23. Andreasson A, Artman H, Brynielsson J, Franke U. A census of Swedish government administrative authority employee communications on cybersecurity during the COVID-19 pandemic. In: 2020 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), The Hague, Netherlands. 2020. pp. 727-733. DOI: 10.1109/ASONAM49781.2020.9381324 [Accessed: October 11, 2023]
  24. Pranggono B, Arabo A. COVID-19 pandemic cybersecurity issues. Internet Technology Letters. 2021;4(2):e247
  25. De Kimpe L, Walrave M, Verdegem P, Ponnet K. What we think we know about cybersecurity: An investigation of the relationship between perceived knowledge, internet trust, and protection motivation in a cybercrime context. Behaviour & Information Technology. 2022;41(8):1796-1808
  26. Merlevede J, Johnson B, Grossklags J, Holvoet T. Exponential discounting in security games of timing. Journal of Cybersecurity. 2021;7(1):tyaa008
  27. Sample C, Justice C. Suggestions for Addressing the Changing Needs of the Cybersecurity Workforce. 2018. Available from: https://www.cerias.purdue.edu/nace/papers/Sample.pdf [Accessed: May 3, 2023]
  28. Agrafiotis I, Nurse JR, Goldsmith M, Creese S, Upton D. A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity. 2018;4(1):tyy006
  29. BSI—Federal Office for Information Security, editor. Standard 200-2 (English version). Bonn, Germany; 2018. p. 79 and p. 126. Available from: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2002_en_pdf.html?nn=128640 [Accessed: March 17, 2023]
  30. Kellner T, Albrecht T, Löffl J. How Are You Working Today? Changes in Work and Organizational Structures Due to the Introduction of Home Offices in Times of the Covid-19 Pandemic/Wie arbeitest du heute? Veränderungen von Arbeits- und Organisationsstrukturen durch die Einführung von Home-Office in Zeiten der Covid-19 Pandemie (German). University of Applied Sciences and Arts, Institut für Wissenschaftsdialog, editor; 2020. DOI: 10.13140/RG.2.2.24636.05767. Available from: https://www.th-owl.de/elsa/download/3673/3674/20201007_erhebung_wie%20arbeitest%20du%20heute_broschuere_final.pdf [Accessed: May 5, 2023]
  31. Brenke K. Home office: The possibilities are far from being exhausted/Home Office: Möglichkeiten werden bei weitem nicht ausgeschöpft (German). DIW Wochenbericht. 2016;83(5):95-105
  32. Antczak J, Horzela I. Home office as new approach to smart city idea in pandemic time. Procedia Computer Science. 2021;192:3832-3847
  33. Borkovich DJ, Skovira RJ. Working from home: Cybersecurity in the age of COVID-19. Issues in Information Systems. 2020;21(4):234-246
  34. von Gaudecker HM, Holler R, Janys L, Siflinger B, Zimpelmann C. Labour Supply in the Early Stages of the CoViD-19 Pandemic: Empirical Evidence on Hours, Home Office, and Expectations. IZA Institute of Labor Economics, IZA DP No. 13158; 2020. ISSN: 2365-9793
  35. Messenger JC, Gschwind L. Three generations of telework: New ICTs and the (r)evolution from home office to virtual office. New Technology, Work and Employment. 2016;31(3):195-208
  36. BSI—Federal Office for Information Security, editor. The Situation of IT Security in Germany in 2022/Die Lage der IT-Sicherheit in Deutschland 2022 (German). Bonn, Germany; 2022. Available from: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2022.html?nn=129410 [Accessed: October 27, 2022]
  37. BNetzA—Federal Network Agency/Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, editor. Use of Online Communication Services in Germany—Results of the 2021 Consumer Survey/Nutzung von Online-Kommunikationsdiensten in Deutschland – Ergebnisse der Verbraucherbefragung 2021 (German). Bonn, Germany; 2022. Available from: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/Digitales/OnlineKom/befragung_lang21.pdf?__blob=publicationFile&v=3 [Accessed: October 30, 2022]
  38. von Wolff Schutter F. The Internet of Things (IoT) for a Connected World, IoT Cybersecurity—Threats and Regulation/Das Internet der Dinge (IoT) für eine vernetzte Welt, IoT Cybersicherheit – Bedrohungen und Regulierung (German). TÜV SÜD Product Service GmbH, editor. Whitepaper; 2022. Available from: https://www.tuvsud.com/de-de/-/media/de/product-service/pdf/whitepaper/iot-cybersicherheit-whitepaper.pdf [Accessed: May 3, 2023]
  39. Karjalainen M, Siponen M, Sarker S. Towards a theory of information systems security behaviors of organizational employees: A dialectical perspective. Information Systems Research. 2019;30(2):687-704. DOI: 10.1287/isre.2018.0827
  40. Furnell SM, Vasileiou I. A holistic view of cybersecurity education requirements. In: Research Anthology on Advancements in Cybersecurity Education. IGI Global; 2022. pp. 289-307
  41. Brown PM. Cybersecurity Awareness and Technologies for Remote Work. Buffer. Old Dominion University, USA; 2020. Available from: https://www.cyberpaul.space/assets/research/remote-work.pdf [Accessed: September 10, 2022]
  42. European Commission, Directorate-General for Migration and Home Affairs, editor. Special Eurobarometer 464a: Europeans’ Attitudes towards Cyber Security. 2017. Update: European Commission, editor; 2020. Available from: https://data.europa.eu/doi/10.2837/672023 [Accessed: May 3, 2023]
  43. Vogels EA, Anderson M. Americans and Digital Knowledge. Pew Research Center; 2019. Available from: https://www.pewresearch.org/internet/2019/10/09/americans-and-digital-knowledge [Accessed: May 3, 2023]
  44. Cho H, Lee JS, Chung S. Optimistic bias about online privacy risks: Testing the moderating effects of perceived controllability and prior experience. Computers in Human Behavior. 2010;26(5):987-995
  45. Shillair R, Cotten SR, Tsai HYS, Alhabash S, LaRose R, Rifon NJ. Online safety begins with you and me: Convincing internet users to protect themselves. Computers in Human Behavior. 2015;48:199-207
  46. Aldawood H, Skinner G. An academic review of current industrial and commercial cybersecurity social engineering solutions. In: ICCSP '19: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy. 2019. pp. 110-115. Available from: https://dl.acm.org/doi/10.1145/3309074.3309083 [Accessed: October 11, 2023]
  47. Xu H, Hamari J. How to improve creativity: A study of gamification, money, and punishment. Behaviour & Information Technology. 2022:1-15. Taylor & Francis. DOI: 10.1080/0144929X.2022.2133634
  48. Bada M, Sasse AM, Nurse JR. Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672. 2019. pp. 1-11. Available from: https://arxiv.org/ftp/arxiv/papers/1901/1901.02672.pdf [Accessed: May 3, 2023]
  49. Slusky L, Partow-Navid P. Students information security practices and awareness. Journal of Information Privacy and Security. 2012;8(4):3-26
  50. Cialdini RB. Descriptive social norms as underappreciated sources of social control. Psychometrika. 2007;72(2):263-268
  51. Popova L. The extended parallel process model: Illuminating the gaps in research. Health Education & Behavior. 2012;39(4):455-473. DOI: 10.1177/1090198111418108
  52. Borg S, Unit UCC. Seven overlapping theses on cyber-security education. In: New Approaches to Cybersecurity Education (NACE) Workshop; 2018. Available from: https://www.cerias.purdue.edu/nace/papers/Borg.pdf [Accessed: May 3, 2023]
  53. Chaudhary S, Gkioulos V, Katsikas S. Developing metrics to assess the effectiveness of cybersecurity awareness program. Journal of Cybersecurity. 2022;8(1):tyac006
  54. Wang G, Tse D, Cui Y, Jiang H. An exploratory study on sustaining cybersecurity protection through SETA implementation. Sustainability. 2022;14(14):8319
  55. Ghafir I, Prenosil V, Alhejailan A, Hammoudeh M. Social engineering attack strategies and defense approaches. In: Proceedings of the 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), Vienna, Austria, 22–24 August 2016. 2016. pp. 145-149. DOI: 10.1109/FiCloud.2016.28
  56. Pokoyski D, Matas I, Haucke A, Scholl M. Qualitative Wirkungsanalyse security awareness in KMU. In: Scholl M, editor. Projekt “ALARM Informationssicherheit”. Wildau: Technische Hochschule Wildau; 2021. p. 72. Available from: https://alarm.wildau.biz/
  57. Scholl M. Foreword with an introduction to and summary of the study “added value for SMEs” (translation). In: Vorwort zur Qualitativen Wirkungsanalyse Security Awareness in KMU, Tiefenpsychologische Grundlagenstudie im Projekt Awareness Labor KMU (ALARM) Informationssicherheit. 2021. DOI: 10.13140/RG.2.2.21236.88961
  58. von Tippelskirch H, Schuktomow R, Scholl M, Walch MC. Report zur Informationssicherheit in KMU – Sicherheitsrelevante Tätigkeitsprofile (Report 1). Wildau: TH Wildau; 2022. p. 111. Available from: https://alarm.wildau.biz/static/20b6d15448c0ba23729e0f45daa20650/alarm-informationssicherheit-report-1.pdf
  59. ISF, editor. From Promoting Awareness to Embedding Behaviors: Secure by Choice Not by Chance. ISF; 2014. Available from: https://www.securityforum.org/solutions-and-insights/isf-cyber-awarenessstay-safe-with-isf/ [Accessed: March 24, 2023]
  60. Prott F, Scholl M. Raising information security awareness using digital serious games with emotional design. IADIS International Journal on WWW/Internet. 2022;20(2):18-34
  61. ALARM Information Security project website. Available from: https://alarm.wildau.biz/en [Accessed: May 4, 2023]
  62. Scholl M. Sustainable information security sensitization in SMEs: Designing measures with long-term effect. In: Proceedings of the 56th Hawaii International Conference on System Sciences. Honolulu, HI: University of Hawai’i at Manoa, Hamilton Library; 2023
  63. Pokoyski D, Hauck A. Enabling vs. Entmündigung: Qualitativer Konzepttest analoger Security Awareness Lernszenarien für KMU im Projekt “ALARM Informationssicherheit” (German). In: Scholl M, editor. Wildau: Technische Hochschule (TH) Wildau; 2022. pp. 1-68. Available from: https://alarm.wildau.biz/static/c0e4d00beefe1dc5fac9b50b6087265f/studie-2-master-final.pdf [Accessed: May 4, 2023]
  64. Mauß Datenschutz, editor. Why 2-Factor Authentication (2FA) Is Important/Warum 2-Faktor-Authentifizierung (2FA) wichtig ist (German). Hamburg: Mauß Datenschutz GmbH; Feb 15, 2023. Available from: https://datenschutzbeauftragter-hamburg.de/2023/02/warum-2-faktor-authentifizierung-2fa-wichtig-ist/ [Accessed: March 1, 2023]
  65. Susi T, Johannesson M, Backlund P. Serious Games: An Overview. Technical Report HS-IKI-TR-07-001; 2007. Available from: https://www.diva-portal.org/smash/get/diva2:2416/FULLTEXT01.pdf [Accessed: May 4, 2023]
  66. Laamarti F, Eid M, El Saddik A. An overview of serious games. International Journal of Computer Games Technology. 2014;2014:1-15. Article ID: 358152. Hindawi Publishing Corporation. Available from: https://dl.acm.org/doi/pdf/10.1155/2014/358152
  67. Hart S, Margheri A, Paci F, Sassone V. Riskio: A serious game for cybersecurity awareness and education. Computers & Security. 2020;95:101827. Available from: https://iris.univr.it/bitstream/11562/1021160/4/riskio-final.pdf [Accessed: July 27, 2022]
  68. Hart S, Halak B, Motens SV. A pedagogical design model for serious cyber games. arXiv preprint arXiv:2110.11765. 2021. pp. 1-22. Available from: https://arxiv.org/pdf/2110.11765.pdf [Accessed: May 4, 2023]
  69. Brown S, Vaughan C. Play: How It Shapes the Brain, Opens the Imagination, and Invigorates the Soul. New York, USA: Avery, Penguin Group; 2009
  70. Scholl M. Raising awareness of CEO fraud in Germany: Emotionally engaging narratives are a MUST for long-term efficacy. In: Proceedings ICITS'23. Springer; 2023
  71. Naul E, Liu M. Why story matters: A review of narrative in serious games. Journal of Educational Computing Research. 2020;58(3):687-707
  72. Green MC. Storytelling in Teaching. APS – Association for Psychological Science; 2004. Available from: https://www.psychologicalscience.org/observer/storytelling-in-teaching [Accessed: May 4, 2023]
  73. Landrum RE, Brakke K, McCarthy MA. The pedagogical power of storytelling. Scholarship of Teaching and Learning in Psychology. 2019;5(3):247-253
  74. Vakakis N, Nikolis O, Ioannidis D, Votis K, Tzovaras D. Cybersecurity in SMEs: The smart-home/office use case. In: IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD). IEEE; 2019. pp. 1-7
  75. Ifo, editor. Press release of September 16, 2022/Pressemitteilung vom 16. September 2022 (German). Available from: https://www.ifo.de/pressemitteilung/2022-09-16/homeoffice-etabliert-sich-deutschland-mit-14-tagen-pro-woche [Accessed: October 30, 2022]
  76. Aksoy CG, Barrero JM, Bloom N, Davis SJ, Dolls M, Zarate P. Working from Home around the World. CESifo Working Paper No. 9938. Munich: CESifo; 2022. Available from: https://www.cesifo.org/de/publikationen/2022/working-paper/working-home-around-world [Accessed: October 30, 2022]
  77. Haney JM, Jacobs JL, Furman SM. An investigation of roles, backgrounds, knowledge, and skills of US government security awareness professionals. In: Nah FFH, Siau K, editors. HCII 2023, LNCS 14038. Proceedings of the Conference on Computers and People Research. Switzerland: Springer Nature; 2023. pp. 14-33. DOI: 10.1007/978-3-031-35969-9_2. Available from: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934639 [Accessed: February 28, 2023]
  78. Proofpoint, editor. Beyond Awareness Training. Available from: https://www.proofpoint.com/sites/default/files/e-books/pfpt-us-eb-beyond-awareness-training.pdf [Accessed: August 22, 2022]. Updated version available from: https://www.proofpoint.com/us/resources/e-books/beyond-awareness-training [Accessed: May 4, 2023]
  79. Scholl M. Information Security Officer: Job Profile, Necessary Qualifications, and Awareness Raising Explained in a Practical Way. Basis: ISO/IEC 2700x, BSI Standards 200-x, and IT-Grundschutz Compendium. BoD – Books on Demand and Buchwelten-Verlag; 2021
  80. TWZ Homepage. Available from: https://twz-ev.org/institute/wildau-institut-fuer-innovative-lehre-lebenslanges-machen-und-gestaltende-evaluation/#tab-id-1 [Accessed: October 17, 2022]
