Gamification in IT Security – Raising Awareness through Phishing Challenges

From Embedded Lab Vienna for IoT & Security

Summary

Phishing remains one of the most prevalent forms of cyberattacks in the field of IT security. According to a survey conducted by KPMG, 53% of the German companies surveyed reported having been affected by a phishing attack [1]. Phishing attacks often exploit human vulnerabilities rather than technical weaknesses, making user awareness a critical line of defense. Many employees fail to recognize such threats, often due to training sessions being too abstract or unengaging. This project explores how gamified elements, commonly referred to as gamification, can enhance the effectiveness of cybersecurity awareness efforts. The aim was to develop a phishing challenge that is both easily accessible and conducive to learning.

Background & Motivation

Traditional e-learning modules and video-based training sessions frequently suffer from low engagement and limited motivational impact. In contrast, gamification leverages interactive elements, points, rewards, and storytelling to positively influence user behavior. In the context of phishing awareness, gamification can help simulate realistic scenarios in a safe learning environment, allowing users to experience and recognize manipulation tactics without real-world consequences. The motivation behind this project was to foster awareness through a simple yet effective game-based approach. The target audience consisted primarily of individuals without extensive IT knowledge.

Theoretical Framework

To establish a sound foundation for the challenge, the structure of typical cybersecurity awareness training programs was first examined. Subsequently, the key characteristics of so-called awareness challenges (short, active learning units with game-like features) were analyzed. Widely recognized success factors in phishing awareness training include:

  • Use of real-world phishing examples to illustrate threats users are likely to encounter in daily work.
  • Simulated phishing campaigns, in which users unknowingly interact with fake phishing emails and receive feedback based on their actions.
  • Just-in-time training, offering short learning interventions immediately after risky behavior is observed.
  • Immediate and personalized feedback, which helps reinforce or correct behavior directly after user decisions.
  • Repetition and spaced learning, ensuring that the knowledge and recognition skills are retained over time.
  • Managerial support and culture of openness, encouraging users to report suspicious messages without fear of reprimand.

A particular focus was placed on identifying cognitive and behavioral patterns that influence how users detect phishing attempts, such as attention to sender details, awareness of language inconsistencies, and recognition of suspicious links or attachments. Another area of focus was assessing learning outcomes, for example using the HAIS-Q questionnaire, which evaluates users’ knowledge and behavior [2]. This instrument was considered suitable for measuring both declarative knowledge (e.g., what phishing is) and procedural knowledge (e.g., how to act when encountering a suspicious email). Finally, didactic principles that support the effective integration of gamification into learning processes were reviewed.

Concept & Implementation of the Challenge

Based on theoretical insights, a custom phishing challenge was designed. The goal was to communicate the common features of phishing emails through an interactive format. The challenge was structured around core phishing indicators such as:

  • Urgent language or pressure to act immediately
  • Unusual sender addresses or misspelled domain names
  • Generic greetings instead of personal salutations
  • Unexpected attachments or links
  • Requests for login credentials or financial information

These elements were embedded in multiple-choice questions and branching storylines. Users were asked to assess emails and decide whether to open links, report the message, or ignore it. Gamified elements such as point systems, rankings, and immediate feedback were used to increase engagement and support behavior reinforcement. The challenge was implemented using Mentimeter, a web-based tool selected for its accessibility and ease of integration. The design prioritized simplicity and intuitive navigation to ensure usability for non-technical users.
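The challenge itself was built in Mentimeter, so the project contains no code of its own. As an added illustration of the concept described above (not part of the original project), the following Python script encodes the five core indicators as simple heuristics, classifies two constructed sample emails, and awards points with immediate feedback for the three decisions the challenge offers (open the link, report, ignore), plus a ranking. The phrase lists, the trusted domain, the sample messages, the two-indicator threshold and the point values are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Indicators from the challenge, encoded as keyword heuristics.
# All phrase lists, domains and point values are assumptions for this example.
URGENT_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
CREDENTIAL_REQUESTS = ("password", "login credentials", "verify your account",
                       "bank details", "credit card")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".zip", ".docm")
TRUSTED_DOMAINS = ("example-bank.com",)          # constructed: the organisation's own domain
DECISIONS = ("open_link", "report", "ignore")    # the three choices the challenge offers


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    links: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def _trusted(host: Optional[str]) -> bool:
    """Exact or subdomain match against the allowlist. Lookalikes such as
    examp1e-bank.com or example-bank.com.verify-login.net fail this check."""
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_indicators(mail: Email) -> dict:
    """Return which of the five core indicators the email triggers."""
    text = f"{mail.subject} {mail.body}".lower()
    address = parseaddr(mail.sender)[1]            # "Name <a@b>" -> "a@b"
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    return {
        "urgent_language": any(p in text for p in URGENT_PHRASES),
        "suspicious_sender": not _trusted(sender_host),
        "generic_greeting": mail.body.lower().lstrip().startswith(GENERIC_GREETINGS),
        "unexpected_link_or_attachment": (
            any(not _trusted(urlparse(u).hostname) for u in mail.links)
            or any(a.lower().endswith(RISKY_EXTENSIONS) for a in mail.attachments)
        ),
        "credential_request": any(p in text for p in CREDENTIAL_REQUESTS),
    }


def classify(mail: Email):
    """Treat the mail as phishing when two or more indicators fire (threshold
    chosen for the example; a single cue alone is common in legitimate mail)."""
    hits = [name for name, hit in check_indicators(mail).items() if hit]
    return len(hits) >= 2, hits


def score_decision(mail: Email, decision: str):
    """Points and immediate feedback for one decision on one email."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}; expected one of {DECISIONS}")
    is_phish, hits = classify(mail)
    cues = ", ".join(hits) or "none"
    if is_phish:
        outcomes = {
            "report":    (10, f"Correct: reporting is the best action. Cues: {cues}."),
            "ignore":    (3,  f"Safe, but reporting would help protect colleagues. Cues: {cues}."),
            "open_link": (-5, f"Risky: this message shows phishing cues ({cues})."),
        }
    else:
        outcomes = {
            "open_link": (5, "Fine: sender and links match known domains; no cues found."),
            "report":    (2, "Cautious: no harm done, though no phishing cues were present."),
            "ignore":    (0, "No risk, but a legitimate message went unanswered."),
        }
    return outcomes[decision]


def play_round(scores: dict, player: str, mail: Email, decision: str) -> str:
    """Apply one decision to the player's running score; return the feedback text."""
    pts, feedback = score_decision(mail, decision)
    scores[player] = scores.get(player, 0) + pts
    return feedback


def ranking(scores: dict) -> list:
    """Leaderboard as (player, points) pairs, highest score first."""
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


# Constructed sample scenarios (not real messages).
PHISHING_SAMPLE = Email(
    sender="Example Bank Security <alerts@examp1e-bank.com>",
    subject="Urgent: your account will be suspended",
    body="Dear Customer,\n\nVerify your account within 24 hours or access will be blocked.",
    links=["https://example-bank.com.verify-login.net/confirm"],
)
LEGIT_SAMPLE = Email(
    sender="Anna Huber <anna.huber@example-bank.com>",
    subject="Minutes from Tuesday's meeting",
    body="Hi Marvin,\n\nattached are the minutes we discussed. Best, Anna",
    links=["https://intranet.example-bank.com/minutes"],
    attachments=["minutes.pdf"],
)

if __name__ == "__main__":
    scores = {}
    print(play_round(scores, "alice", PHISHING_SAMPLE, "report"))
    print(play_round(scores, "bob", PHISHING_SAMPLE, "open_link"))
    print(play_round(scores, "alice", LEGIT_SAMPLE, "open_link"))
    for rank, (name, pts) in enumerate(ranking(scores), start=1):
        print(f"{rank}. {name}: {pts} points")
```

The allowlist comparison is what catches the "misspelled domain names" indicator: the lookalike sender domain and the link host that merely begins with the trusted name both fail the exact-or-subdomain test. In a real deployment the phrase lists would be replaced by the organisation's own scenario content, and the scoring table would be tuned to the feedback wording the trainers want to reinforce.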

Evaluation & Feedback

The challenge was subsequently tested with a small group of participants. The objective was to gather initial feedback on usability and content comprehension. Feedback indicated that users found the interactive elements particularly helpful in recognizing phishing cues, especially when the scenarios reflected realistic work-related contexts. Participants appreciated the immediate feedback and explanation after each decision, which helped them better understand phishing tactics. Suggestions included making the scenarios even more personalized, introducing simulated email inboxes, and expanding the range of phishing types covered (e.g., CEO fraud, smishing, or voice phishing). Some users also emphasized the value of ongoing reinforcement rather than one-off training.

Challenges & Limitations

Time constraints posed one of the main challenges, particularly in testing different formats and technologies. Technical implementation also presented minor difficulties. Furthermore, a comprehensive evaluation of the challenge's effectiveness was deliberately omitted, as the project was intended to serve as a prototype. The primary audience consisted of users without advanced IT knowledge, and regulatory or compliance-based requirements were intentionally excluded. Finally, the challenge did not include simulated phishing attacks, which are considered one of the most effective, but also most resource-intensive, methods for sustainable behavior change.

Conclusion & Outlook

Gamification offers a promising approach to promoting cybersecurity awareness in an engaging and accessible manner. The developed challenge demonstrates that even simple, interactive formats can significantly enhance user attention and understanding of phishing threats. When combined with recognized success factors such as realistic scenarios, repetition, immediate feedback, and optional simulations, gamified phishing awareness programs can produce measurable improvements in organizational security culture. Future developments may include additional scenarios, expanded target groups, or the creation of a full training program. From a personal perspective, the project provided valuable experience in didactics, user experience design, and cybersecurity.

Authors

Marvin Müller

Courses

References

  • [1] https://t3n.de/news/wer-die-meisten-phishing-mails-bekommt-statistik-der-woche-1660187/
  • [2] Kathryn Parsons, Agata McCormac, Marcus Butavicius, Malcolm Pattinson, Cate Jerram, "Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)", Computers & Security, Volume 42, 2014, Pages 165-176, ISSN 0167-4048, https://doi.org/10.1016/j.cose.2013.12.003
  • K. Jansson & R. von Solms (2013), "Phishing for phishing awareness", Behaviour & Information Technology, 32:6, 584-593, DOI: 10.1080/0144929X.2011.632650
  • Huang, C.-Y., Ma, S.-P. and Chen, K.-T. (2011), "Using one-time passwords to prevent password phishing attacks", Journal of Network and Computer Applications, 34(4), pp. 1292–1301, https://doi.org/10.1016/j.jnca.2011.02.004
  • M. Rakhra and D. Kaur, "Studying user's computer security behaviour in developing an effective antiphishing educational framework", 2018 2nd International Conference on Inventive Systems and Control (ICISC), Coimbatore, India, 2018, pp. 832-836, doi: 10.1109/ICISC.2018.8398916
  • Kudalkar, M., Singh, J. & Singh, S. (2024), "Exploring phishing awareness and user behavior: A survey-based investigation", International Journal for Research in Applied Science & Engineering Technology (IJRASET)
  • Mentimeter, https://www.mentimeter.com/de-DE