Snakes and ladders for digital natives: information security education

Information Management & Computer Security Snakes and ladders for digital natives: information security education for the youth Rayne Reid Johan Van Niekerk

Downloaded by NELSON MANDELA METROPOLITAN UNIVERSITY At 05:39 20 August 2015 (PT)

Article information:
To cite this document: Rayne Reid, Johan Van Niekerk (2014), "Snakes and ladders for digital natives: information security education for the youth", Information Management & Computer Security, Vol. 22 Iss 2 pp. 179-190
Permanent link to this document: http://dx.doi.org/10.1108/IMCS-09-2013-0063
References: this document contains references to 18 other documents.


The current issue and full text archive of this journal is available at www.emeraldinsight.com/0968-5227.htm

Snakes and ladders for digital natives: information security education for the youth

Rayne Reid and Johan Van Niekerk Institute of ICT Advancement, Nelson Mandela Metropolitan University, Port Elizabeth, South Africa

Received 5 September 2013
Accepted 17 December 2013

Abstract

Purpose – This paper aims to educate the youth about information security. Cyber technologies and services are increasingly becoming integrated into individuals’ daily lives. As such, individuals are constantly being exposed to the benefits and risks of these technologies. Cyber security knowledge and skills are becoming fundamental life skills for today’s users. This is particularly true for the current generation of digital natives.

Design/methodology/approach – Within the design science paradigm, several case studies are used to evaluate the research artefact.

Findings – The authors believe that the presented artefact could effectively convey basic information security concepts to the youth.

Research limitations/implications – This study had a number of limitations. First, all the learner groups who participated in this study were too small to enable analysis of findings for statistical significance. Second, the data compiled on the long-term effectiveness of the game for Group B was incomplete. This limitation was the result of School B’s ethical concerns regarding learners being a vulnerable target audience.

Originality/value – This paper presents and evaluates a brain-compatible, information security educational game that can be used to introduce information security concepts to the youth from a very young age.

Keywords Case study, Information security, Brain-compatible education, Educational gameplay, Information security education

Paper type Research paper

Professor R. Von Solms is acknowledged for his game content contribution. The financial assistance by the Vodacom/NMMU scholarship towards this research is also hereby acknowledged. Opinions expressed and conclusions arrived at are those of the author and are not necessarily to be attributed to the sponsors.

Information Management & Computer Security Vol. 22 No. 2, 2014 pp. 179-190 © Emerald Group Publishing Limited 0968-5227 DOI 10.1108/IMCS-09-2013-0063

1. Introduction

Information security knowledge and skills are becoming crucial life skills for current information technology users. Users are becoming increasingly exposed to cyber security threats as their dependence on information technologies and services grows (Furnell et al., 2007). This is occurring because information technologies and services are becoming increasingly integrated into our daily lives. Consequently, users have become over-dependent on them. This is particularly true for the younger generations. The current digital natives (Generation Y, born in 1977-1994; and Generation Z, born in 1995-2012) account for > 23 million users of the Internet and other technologies (Schroer, 2012). Their communication, socialisation, creation and learning processes are all strongly affected by technology (Prensky, 2001). Therefore, these digital natives should be educated about information security.

However, how these users, particularly Generation Z, can be effectively educated about information security is problematic. Traditionally, learners look to their parents and teachers (customarily more knowledgeable individuals) to teach required knowledge and skills. However, in the case of information technology and security, the learners are often more technology-literate than their teachers. Additionally, “digital immigrant instructors, who speak an outdated language (that of the pre-digital age), are struggling to teach a population that speaks an entirely new language” (Prensky, 2001).

This paper introduces a novel approach for educating the youth about information security. It will present a brain-compatible, information security educational game.

2. Background

2.1 Information security education

Information security education provides the knowledge and skills needed to implement information security practices. Traditionally, information security has mainly been implemented in organisations. However, recent national legislation and cyber awareness campaigns (such as the campaigns run in the UK and USA) target the general public (UK Cabinet Office, 2011; White House, 2003). This target audience includes the youth, whose educational needs differ from those of traditional organisational end-users.

2.1.1 Educational gameplay. This research is targeting the youth. The current generation often perceives learning as a “boring” activity because existing teaching methods are incompatible with how they learn (Tang and Hanneghan, 2011).
Therefore, traditional approaches for information security education may not be suitable for this young target audience. Educational studies have shown that school children are interested in using games for learning purposes (Roslina and Jaafar, 2009). This is an educational approach that will build on natural learning methods used by the young of each species to gather important life skills. Fun education is an effective mechanism for children, as it engages their interest and discourages them from disassociating from what is being learnt (Reid et al., 2011). Not all games are necessarily educational. Compliance with a proven pedagogy increases the game’s potential for being an effective education tool. This research complies with the brain-compatible pedagogy.

2.1.2 Brain-compatible education. Brain-compatible education (BCE) is a formal pedagogy encompassing educational principles, methods and techniques which endeavour to teach subject matter in a manner and format which is naturally complementary to the physical and psychological processing functions of the brain (Caine et al., 2005; Jensen, 2008). Overall, the techniques aim at attracting the learner’s attention and ensuring that the learner processes the educational experience in a way that promotes the extraction of meaning from the material (Caine & Caine, 1991). During an educational experience, it achieves this by stimulating the sections of the brain that are involved in the learning practices. This encourages learners to process information more effectively so as to ensure maximum understanding, retention and recall of learnt material (Banikowski, 1999).

BCE includes several neurologically sound principles as a general theoretical foundation (Caine & Caine, 1991). Table I lists eight of these principles. The purpose of brain-compatible principles is to manipulate a learning environment directly so as to foster learners’ cognitive growth and understanding (Lombardi, 2008). These principles have been effectively used in real-world classrooms and some online environments in the presentation of formal lessons. When applied to educational material, the principles guide educators in the definition and selection of appropriate educational activities and presentation techniques. Some of these principles will be applied to the creation of the research artefact. The next section will present the methodology followed by this research.

Table I. Brain-compatible principles applied in the design of the artifact

No.  Principle
1    A learning experience should be as multifaceted as possible, catering to as many learning styles as possible and providing as many opportunities for each learner to develop as possible
2    Positive emotions should be used to aid recognition and recall
3    Relate all new material back to old material and, thereby, build new knowledge on old knowledge
4    The search for meaning is innate and occurs through patterning
5    Every brain simultaneously perceives and creates parts and wholes during the learning process
6    It is necessary to review material repetitively to solidify recall and recognition
7    Both the focused and peripheral attention of a learner should be involved in the learning process
8    Allow learners to progress through the course at their own pace

Source: Reid et al. (2011)

3. Methodology

This research was conducted in compliance with the seven guidelines for conducting research within the design-science research paradigm, as described by Hevner et al. (2004). This section will detail how this research has complied with each guideline:

• Design as an artefact: This guideline recommends the production of a viable artefact. A tangible, brain-compatible, information security snake and ladder board game was designed and developed during the research process.
• Problem relevance: The objective of the research is to solve an important and relevant problem. Cyber security is a topic that is seldom addressed in current South African school environments. Until recently, this has been an acceptable practice. However, the current generation is growing up as digital natives who are constantly exposed to information technologies and related threats. Therefore, the digital generation (children) need to be educated about cyber security.
• Design evaluations: This guideline states that utility, quality and efficacy of a design artefact must be rigorously demonstrated. BCE is a formal pedagogy. The artefact developed by this research was developed in compliance with this pedagogy’s principles. Additionally, the suitability and effectiveness of the artefact were evaluated by means of multiple case studies (further explanation in subsection 3.1).
• Research contributions: This guideline states that a problem must be solved by the research. The contributions which have been derived from this research are as follows:
  – the use of brain-compatible pedagogy in the development of an information security educational game (explanation in Section 3.2.1); and
  – the artefact itself, which is a tangible result of the research.
• Research rigor: This guideline recommends that rigorous methods be used in the creation and evaluation of the research artefact. This guideline was applied by:
  – complying with brain-compatible pedagogical principles in the artefact’s design; and
  – verifying the design and effectiveness via multiple case studies (see subsection 3.4).
• Design as a search process: This guideline requires that the creation of the artefact be designed using an iterative “searching” process. The board game’s design process adhered to this stipulation.
• Communication of research: The final guideline recommends that the research results be presented to affected audiences. This has been fulfilled through the:
  – distribution of the brain-compatible, information security games to primary schools;
  – publication of the pilot study’s results at the WISE conference (Reid and Van Niekerk, 2013); and
  – communication of further research conducted within this article.

This section demonstrated how this research complies with the design research paradigm. The next section will elaborate on the design of the artefact and its evaluation.

3.1 Case studies

This evaluation portion of the research will follow procedures from the case study protocols described by Yin (2009). The context of the case study was presented within the previous section as part of the problem relevance. The rest of this paper will present the research artefact, the research instrument and the implementation details of the case studies. Finally, the results and analysis of the research will be presented with the accompanying conclusions which have been reached.

3.2 The artefact

The artefact is targeted at a primary school audience. Therefore, the following characteristics were considered while creating the artefact: age-appropriateness, content, user-friendliness, learnability and the potential for compliance with BCE principles. Existing children’s games, which targeted this age group, were considered as the basis for the artefact’s design. “Snakes and Ladders”, a popular board game played by children worldwide, was chosen as the artefact’s foundation. The reasons this game was chosen are as follows:

• having existed since the 2nd century in India, it is a popular game, the rules of which are known to the target audience (Avedon, 2010);
• its original purpose of teaching children the difference between “good and evil” is similar to teaching children good and bad information security lessons (Avedon, 2010);
• it currently targets children aged ≥ 7 years; and
• pedagogical principles and appropriate information security educational content could be easily incorporated into the design.

The design, content and game play rules of the developed artefact will be discussed in the subsections below.

3.2.1 Design. This section will present the reasons why “Snakes and Ladders” was selected as a good redevelopment candidate for this research. These reasons will also be linked to implementation considerations from a BCE perspective. The focus of this section is, therefore, the presentation design.

First, the game had to cater for multiple learners’ learning rates. BCE advocates self-paced progression (Principle 8). The game achieved this via the turn-based play, which requires the player to throw dice, move a token and read a lesson. This allowed the learners to play and learn at their own pace, while encouraging progression.

Second, the game’s design had to be interactive and “fun”. This was necessary to provide a social and communicative, peer-supported learning experience. This was considered essential, as it implements Principle 1 by appealing to multiple learning styles, especially those favoured by kinaesthetic and auditory (social) learners. Additionally, these characteristics gain and hold the learner’s interest/focus, while positively stimulating their emotions (Principles 7 and 2). The “fun factor” of the game is especially aimed at appealing to the learner’s positive emotions (Principle 2).
This allows a learner to focus, learn and retain learned content better. Aspects of the game’s design appealing to this principle include: a game’s inherent fun, interactive and socially competitive nature; and its reinforcement mechanisms which encourage changes in emotional state (e.g. happiness for ascending a ladder). The incentive of winning also increases the fun factor and appeals to Principle 2 while encouraging progression through the game (Principle 8).

The colours used on the board also aimed to influence the state of the learner’s emotions and focus, thereby implementing Principles 2 and 7. The backgrounds of the board’s squares were coloured various shades of yellow and green (Figure 1). Yellow elicits positive moods and attracts the learners’ attention, while green encourages productivity and long-term energy (Taylor, 2007). This design decision also fulfilled Principle 1, by engaging visual learners.

The final design considerations relate to the educational reinforcement mechanisms. The educational game needed to provide consequences for lessons learned during the game. This was easily introduced into “Snakes and Ladders”, as its original purpose was to teach the difference between good and evil using such mechanisms. The snakes and ladders were placed randomly throughout the board, alongside information security lessons (Figure 1). Positive lessons (below ladders) provided reinforcement by enabling ascension of the ladders. Conversely, negative lessons (above snakes) were reinforced by forcing the player to descend the board via snakes. This design associated negative consequence with negative message and positive consequence with positive message. This facilitated behaviour and knowledge patterning of multiple concepts (Principles 4 and 5). The lesson content presented in this research’s artefact will be addressed by the next section.

Figure 1. The research artefact – Snakes and Ladders password board

3.2.2 Content. Multiple games were created for many topics, including social networking, password security and virus security. Each of the boards had a similar design, but different content. The board which relates to the results reported by this paper presented secure password management content. Various rules specifying the Dos and Don’ts of password security were placed above snakes and below ladders (Figure 1). The included lessons are listed in Table II. The lessons were written as if the player had, or had not, complied with a rule of secure password management. This “learner-centric” perspective serves to implement Principle 3 of the brain-compatible pedagogy. The lessons were then learnt in accordance with the rules of the gameplay, which are presented in the next section.

3.2.3 Rules. “Snakes and Ladders” can be played by 2-6 players. In sequential order and starting from “Start”, each player rolls the dice and moves their representative token along the board’s sequential squares according to the number thrown. If the square a player lands on contains an information security educational message, they read it aloud and perform the accompanying action. The verbal sharing of the message helps the learners to cognitively consider the lesson (Principle 1). If the message was a “do not” lesson, they are swallowed by the snake and move their token to the square containing the snake’s tail. If it was a “do” lesson, they ascend the square’s ladder and place their token in the square at the top of the ladder. The first player to reach the 50th square (Finish) is the winner.

The effectiveness of this research artefact as an information security educational tool was assessed by means of experiment. The research instrument used to do this will be presented in the next section.

Table II. Password lessons of dos and don’ts

Dos
• You gave your password to your parent or guardian
• Your password is at least eight characters long
• You change your password at least once a month
• Your password is not a word in the dictionary
• You used characters like !,#,$ in your password

Don’ts
• You gave your password to a friend
• Your password is less than five characters
• You wrote your password down
• You used your name or your pet’s name as a password
• You used the same password everywhere
• Your password is easy to guess

3.3 The research instrument

A two-part research instrument was used. The first part was a survey designed to acquire quantitative data about the learners’ information security awareness levels. It consisted of close-ended, multiple choice questions which related to a few select lessons that were included on the board. The second part of the research instrument was open-ended interview questions. These questions aimed to gather the teachers’ perceptions of the effectiveness of the game as a teaching tool and its effect on the learners’ knowledge and behaviour. Both parts of this research instrument were implemented alongside the research artefact in the context of the case study. This is presented by the next section.

3.4 Implementation details

For the research to be conducted, a number of evaluations were required. The implementation of these methods will be discussed in this section.


The first step was the free distribution of the research artefact to several South African primary schools. Some of the schools targeted in the distribution were also given an introductory information security awareness talk and lesson using the research artefact. Then, for the evaluation component of this research, a single class from each of two separate schools was selected as the target group for case studies. These classes are, henceforth, referred to as Groups A and B.

Each case study involved the learners answering a pre-play survey to test their information security awareness levels for the artefact’s topic content. They were then allowed to play the game among themselves. Once the games had concluded, the learners answered the post-play survey to re-test their awareness levels. The class teachers were later also interviewed.

The research was conducted in this manner to comply with ethical research policies. To comply with the ethical research considerations of both the Nelson Mandela Metropolitan University (NMMU) and the involved schools, the researcher did not interact directly with the learners. An involved teacher from each school distributed the surveys and monitored the gameplay. The researchers later interviewed the teachers.

The results from the initial studies of Groups A and B were combined to form the pilot study for this research. The results of the study were presented within a paper presented at the Kaspersky student paper competition, and later published at WISE 2013 (Reid and Van Niekerk, 2013). The following research questions were raised as feedback from the publication:

RQ1. Can the results be replicated in other case studies?
RQ2. Is this particular game suitable for children of all age groups?
RQ3. Is the impact of the game short-term or long-term?

Based on the feedback received from these conferences, further studies were conducted. All data gathered after Group A’s initial study are, therefore, new data which were sought to confirm the findings.
The resultant findings will now be addressed. To answer these research questions, the results from the pilot were split back into their original case study groups and three new experiments were conducted. These case studies followed the same procedure as the initial studies. The first new experiment targeted a class of older learners (12-14 years old) at the same school as the pilot group. These older learners are referred to as Group C. The initial study had already partially answered research question 1; however, this study aimed to add further evidence. It was also used to determine the answer to the second research question. It provided a comparison of the results of learners in different age ranges being newly exposed to the game. The second and third studies aimed to determine the answer to the third research question. After a period of time, two follow-up studies were conducted to determine whether the games had influenced the learners’ long-term information security awareness. These follow-up studies were carried out with Groups A and C. Group B could not be included due to issues relating to learner availability. Three learner groups were required to participate in these studies. The data from the original case studies were used in addition to the new case studies. The various case study learner groups and their biographical details are shown in Table III. This section described the research artefact, instrument and implementation procedure. The next section will present the gathered data results and analysis.


3.5 Results and discussion

As discussed in the methodology section, a series of experimental case studies were conducted. These experiments involved the use of surveys as the research instrument. The gathered data are presented in subsection 4.5.1. Qualitative data were also gathered from the teachers via interview. The discussion of this data will be presented in subsection 4.5.2.

3.5.1 Research instrument results

This section discusses the results gathered from the surveys used during the case studies. The aggregated data gathered using this instrument are shown in Table IV.

Group A was the first group of children to test and play the game. Within the pre-game survey, it was found that a low majority (54.55 per cent) knew not to record their passwords; and 63.64 per cent knew how to construct a strong password. Therefore, the basic knowledge of password construction and confidentiality did partially exist. However, thorough understanding of confidentiality practices, which are necessary for children, was not fully developed. Only 45.45 per cent of the learners knew not to share their password with anyone besides their parents. Overall, an initial level of information security awareness did exist. This may be partially attributed to awareness talks which had been presented to this school earlier in the year.

The post-play survey results showed a substantial improvement in Group A’s awareness levels. The percentage of learners who answered the security knowledge questions correctly increased in all categories. Within Group A, 90.91 per cent now knew not to record their password; 72.73 per cent now knew to only share their password with their parents; and 81.82 per cent now knew how to create a secure password. Overall, the increase in correct responses to all questions indicates that awareness was improved among the learners after playing the game.
Therefore, based on these results, an initial conclusion was drawn that the brain-compatible information security game was an effective method for educating children about information security (Reid and Van Niekerk, 2013).

Table III. Participating learner groups

Group name   Age range (years)   Number of participants   School
Group A      10-12               11                       School A
Group B      9-11                15                       School B
Group C      12-14               9                        School A

Table IV. Pre- and post-play survey results (per cent)

Question 1: Where should you write down your password?
Question 2: Who can you share your password with?
Question 3: Your password should be [. . .]

Group              Q1 before   Q1 after   Q2 before   Q2 after   Q3 before   Q3 after
Group A            54.55       90.91      45.45       72.73      63.64       81.82
Group A (return)   90.91       100        81.82       90.91      100         100
Group B            53.33       93.33      26.67       73.33      66.67       93.33
Group C            66.77       100        22.22       88.89      55.56       100


A second test was done to corroborate the previous results. Group B, a second group of learners, was exposed to the Snakes and Ladders game. The targeted class of learners was within the same age range but from a different school. Within the pre-play survey, it was found that this group’s pre-play information security awareness levels closely resembled those of Group A. They too were moderately aware of secure password structure and storage practices. Additionally, confidentiality practices were also the weak point of their awareness. Their confidentiality knowledge relating to sharing passwords was even lower than the original test group’s, with only 26.67 per cent answering the question correctly (Group A, 45.45 per cent).

In the post-play survey, Group B, like Group A, also showed a definite increase in the number of learners correctly answering the information security awareness questions. Questions 1 (increase of 40 per cent) and 2 (increase of 46.66 per cent) indicated that the learners’ level of awareness about child-suitable password confidentiality practices definitely increased. Question 3 also showed a definite increase in secure password creation knowledge. Group B’s results, therefore, confirm Group A’s findings. The first research question has, therefore, been answered. Within multiple cases, playing the brain-compatible information security Snakes and Ladders game has had a definite impact on learners’ awareness levels.

Groups A and B were from the same age range. Therefore, the conclusions drawn from their results were specific to that age range. The aim of the next experimental case study was to determine whether the game was suitable for other age groups. A study using Group C was conducted. Results from Group C’s pre-play survey indicate that the older children also had a reasonable level of information security awareness. A moderate percentage of Group C was aware of appropriate password creation and storage principles; however, few of them knew appropriate password confidentiality practices. Playing the game had a strong impact on Group C’s awareness levels. The post-play survey results indicated that all of the learners were now aware of how to securely create and store a password. The majority (88.89 per cent) also now knew not to share their password with anyone besides their parents. The results of this study, therefore, further answered the first research question, while answering the second research question. The game is suitable for raising the information security awareness levels of learners in multiple age groups.

Based on the results of these initial case studies, it has definitively been shown that the game is an effective method for raising children’s short-term information security awareness levels. The question of whether there was an impact on their long-term awareness had not, however, been answered. This was the focus of the next two experiments. In both return studies, the pre-play surveys showed that the majority of the learners, in Groups A and B, had maintained or improved their long-term awareness levels. Post-play surveys on the return studies also indicated that playing the game again raised awareness levels. Overall, these two studies indicated that the answer to the third research question is that the game has a long-term impact on the children’s information security awareness levels. This is likely due to repeated play sessions, which maintain their awareness.


Overall, the data gathered via surveys indicate that the game is an effective information security education tool for children. These results were further supported by the teachers.

3.5.2 Teacher interview results

A secondary verification method used for this research was interviews with each participating class’s teacher. This section discusses the results of the interviews. All three teachers felt that the learners had definitely learned valuable lessons relating to the topic via the game and had become more security-conscious about their personal information. Additionally, the teachers of the younger classes stated that the learners in their classes had undergone small behaviour changes, such as asking questions and reporting new findings or incidents. This indicates that the game had created higher awareness of the security issues. All of the teachers concluded that they perceived the ‘Secure Password – Snakes and Ladders’ game to be an effective education tool.

4. Conclusion

Digital natives are constantly being exposed to information technologies and services. Consequently, they are being exposed to a variety of information security risks and threats. Therefore, information security education is a necessary life skill for today’s youth. Gameplay is proven to be an effective life skill and knowledge delivery system for the youth. Therefore, it can be used as a delivery mechanism for information security educational lessons to children. Within the design-science paradigm, using multiple case studies, this research has shown that a traditional game-based approach, modified to include information security lessons, can be effectively used to raise basic information security awareness among learners within multiple age groups and contexts. Additionally, it has shown that the game has a long-term effect on the learners’ awareness levels and behaviour.
It is, therefore, the conclusion of this author that gameplay in this format could be a viable option for the education of the future generation.

5. Limitations of research

This study had a number of limitations. First, all the learner groups who participated in this study were too small to enable analysis of findings for statistical significance. Second, the data compiled on the long-term effectiveness of the game for Group B were incomplete. This limitation was the result of School B’s ethical concerns regarding learners being a vulnerable target audience.

6. Future research

This research showed that the artefact can be used to increase children’s awareness of information security principles. However, this is not statistically proven. Providing statistically significant verification will be the aim of future research.

Corresponding author Rayne Reid can be contacted at: [email protected]
