Gamification of cybersecurity training to improve awareness
Hoque, Hossain Md Saiful (2025)
2025
Tietotekniikan DI-ohjelma - Master's Programme in Information Technology
Informaatioteknologian ja viestinnän tiedekunta - Faculty of Information Technology and Communication Sciences
Hyväksymispäivämäärä
2025-06-05
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:tuni-202506036628
https://urn.fi/URN:NBN:fi:tuni-202506036628
Tiivistelmä
In this digital world, cybersecurity education has become one of the essential requirements for safe online practice. Effective cybersecurity training is important for providing the necessary knowledge and skills. To examine the effectiveness of gamified cybersecurity education, a game-based training tool called CyberBee was developed. The aim of this thesis is to assess the impact of the gamified cybersecurity training on participants’ knowledge, confidence, skills, attitude, and competence in managing cybersecurity threats, with a specific focus on phishing and password security.
This thesis was completed using mixed methods such as pre- and post-training surveys, non-parametric analysis (Wilcoxon Signed-Rank test, Mann-Whitney U test), and thematic feedback analysis. The study includes 15 participants, a mix of university students and employees from an organization.
After playing the game confidence level increased directionally and showed strong reliability metrics. Although, the changes narrowly missed statistical significance, the effect size (r = 0.49) indicates meaningful improvement in confidence. Knowledge and skills did not show statistically significant improvement due to the ceiling effect, but item-level analysis revealed a meaningful gain in specific areas such as using a password manager (knowledge improved by 13.3%) and managing phishing email (skills improved by 13.3%).
Awareness has demonstrated a statistically significant improvement with a large effect size r = 0.62. Attitude and competence remained stable and suggests a ceiling effect. Evaluation of the gamified training experience emphasized excellent engagement (median = 4.33), ease of use (median = 5.00), and positive learning motivation, though suggestions for more complex con-tent and additional modules were noted.
Findings in this study indicate that gamification of cybersecurity training is an effective way to improve awareness, but they also indicate the areas where training design and scope could be better. Future research could explore larger sample sizes, extended data collection periods, and more diverse training modules.
This thesis was completed using mixed methods such as pre- and post-training surveys, non-parametric analysis (Wilcoxon Signed-Rank test, Mann-Whitney U test), and thematic feedback analysis. The study includes 15 participants, a mix of university students and employees from an organization.
After playing the game confidence level increased directionally and showed strong reliability metrics. Although, the changes narrowly missed statistical significance, the effect size (r = 0.49) indicates meaningful improvement in confidence. Knowledge and skills did not show statistically significant improvement due to the ceiling effect, but item-level analysis revealed a meaningful gain in specific areas such as using a password manager (knowledge improved by 13.3%) and managing phishing email (skills improved by 13.3%).
Awareness has demonstrated a statistically significant improvement with a large effect size r = 0.62. Attitude and competence remained stable and suggests a ceiling effect. Evaluation of the gamified training experience emphasized excellent engagement (median = 4.33), ease of use (median = 5.00), and positive learning motivation, though suggestions for more complex con-tent and additional modules were noted.
Findings in this study indicate that gamification of cybersecurity training is an effective way to improve awareness, but they also indicate the areas where training design and scope could be better. Future research could explore larger sample sizes, extended data collection periods, and more diverse training modules.