ABSTRACT We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To do so, we created a gamified security training system focusing on two factors: (1) enhancing intrinsic motivation through gamification and (2) improving security learning and efficacy. Our key theoretical contribution is proposing a recontextualized kernel theory from the hedonic-motivation system adoption model that can be used to assess employee security constructs along with their intrinsic motivations and coping for learning and compliance. A six-month field study with 420 participants shows that fulfilling users’ motivations and coping needs through gamified security training can result in statistically significant positive behavioral changes. We also provide a novel empirical demonstration of the conceptual importance of “appropriate challenge” in this context. We vet our work using the principles of proof-of-concept and proof-of-value, and we conclude with a research agenda that leads toward final proof-in-use.

中文翻译：

---

使用基于设计科学的游戏化改进组织安全培训和合规性

摘要 我们进行了一个设计科学研究项目，以改善组织的复合问题：(1) 员工网络钓鱼预防不成功和 (2) 内部安全培训不足。为此，我们创建了一个游戏化的安全培训系统，重点关注两个因素：(1) 通过游戏化增强内在动机；(2) 提高安全学习和效率。我们的主要理论贡献是从享乐激励系统采用模型中提出了一种重新语境化的内核理论，可用于评估员工安全结构及其内在动机以及应对学习和合规性。一项对 420 名参与者进行的为期六个月的实地研究表明，通过游戏化的安全培训来满足用户的动机和应对需求可以导致统计上显着的积极行为变化。我们还提供了一个新颖的经验证明，说明在这种情况下“适当挑战”的概念重要性。我们使用概念证明和价值证明的原则来审查我们的工作，最后我们制定了一个研究议程，以实现最终的使用证明。