Motivational synergy : combining the effects of game-based learning and fear appeals on generating spear phishing knowledge

Academic year: 2021

Motivational Synergy: Combining the Effects of Game-based Learning and Fear Appeals on Generating Spear Phishing Knowledge

Master Thesis

Adinda Hahn

10338306

23rd of June, 2017

Final Draft

MSc. in Business Administration – Digital Business

ABS, University of Amsterdam

Supervisor: Nick van der Meulen

Second Reader: Peter van Baalen


Statement of Originality

This document is written by Adinda Hahn, who declares to take full responsibility for the contents of this document.

I declare that the text and the work presented in this document is original and no sources other than those mentioned in the text and its references have been used in creating it. The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not


Acknowledgement

I wrote this thesis as part of the Business Administration Master, in which the track Digital Business became first choice. This new track perfectly reflects the on-going digitization around us, leading to its relevance during this turbulent time. Therefore, choosing a topic seemed rather easy, however an overload on interesting topics made it harder than expected.

Eventually, I believe that this topic characterizes me as an individual; I love gaming (game-based learning), I always possessed a profound interest in hackers and people like Edward Snowden (spear phishing), and with my background in Psychology, adding constructs such as motivation and fear appeals seemed right. I likewise believe this topic to be of interest to both theory and management practice; the current digitization leads to almost half of the world’s population having access to the internet, leaving them continually susceptible to spear phishing attacks. Moreover, this study combines existing methods in a new way, which could provide researchers with new ideas for future studies. With this note, I would like to reflect to the people that helped me during my thesis.

To start with Nick, my supervisor, who truly took the time when providing me with feedback: either face-to-face or in the form of critical and precise points of improvement on paper. He came across as someone with high expectations, which led to increased motivation on my side. Secondly, my friends and family, who were willing to read my thesis, which is not something to be taken lightly regarding the size of this thesis. Therefore, I would likewise like to thank my second reader, Peter van Baalen, in advance for the effort of reading my thesis. And last but not least, Poppy Watson, who volunteered to collaborate on my research, in which she assisted me to request Ethics Committee Approval from the FMCG faculty, leading to reaching the sufficient amount of participants.


Table of Contents

List of Tables

List of Figures

Abstract

1 Introduction

2 Literature Review

2.1 Phishing and Spear Phishing

2.2 Individual’s Susceptibility to Spear Phishing Attacks

2.3 Self-Determination Theory: Intrinsic and Extrinsic Motivation

2.4 Gamification, Game-based Learning, and Serious Games

2.5 Protection-Motivation Theory: Fear Appeals and Extrinsic Motivation

2.6 Short Summary

3. Conceptual Model & Hypotheses

4 Methods

4.1 Measurement and Validation of Constructs

4.1.1 Independent Variable – Game-based Learning

4.1.2 Independent Variable – Fear Appeals

4.1.3 Mediating Variable – Intrinsic Motivation

4.1.4 Moderating & Mediating Variable – Protection Motivation

4.1.5 Dependent Variable – Spear Phishing Knowledge

4.2 Sample and Procedure

4.3 Control Variables

5. Results

5.1 Assumption Checks

5.2 Analyses

5.2.1 Factorial ANOVA

5.2.2 Hierarchical Regression

5.2.3 Process Modelling

5.2.4 Conditional Process Modelling

5.2.5 Additional Analyses

6 Discussion

6.1 Discussion of Results

6.1.1 Intrinsic Motivation’s Implications

6.1.2 Protection Motivation’s Implications

6.1.3 Additional Observations

6.2 Limitations and Directions for Future Research

6.3 Contributions to Theory

6.4 Contributions to Management Practice

7 Conclusion

8 References

9 Appendices

Appendix A – Procedure of Requesting Ethics Approval of FMCG Ethics Committee

9.1 The Informed Consent

9.2 Control Questions

Appendix B – Manipulation 1: Fear-Generating Tool

9.3 The Neutral Text

9.4 The Fear Text

Appendix B – Manipulation 2: Game-based Learning

9.5 Anti-phishing Phyllis Game & Control Questions

9.6 The Text Based on the Game

Appendix C – Measure 1: Protection Motivation

9.7 Original Fear Appeal Questionnaire

9.8 Adjusted Fear Appeal Questionnaire (as employed in this study)

Appendix C – Measure 2: Spear Phishing Knowledge

9.9 Spear Phishing Knowledge Test

Appendix C – Measure 3: Intrinsic Motivation

Appendix D – SPSS Clarifications:

9.11 Frequency Tables

Appendix D – SPSS Clarifications:

9.12 Factor Analysis

Appendix D – SPSS Clarifications:


List of Tables

Table 1 Relative Cost and Benefit from Spear Phishing Campaigns (Caputo et al., 2014)

Table 5.1 Means, Standard Deviations and Correlations

Table 5.2 Results of Hierarchical Regression Analyses: Game-based Learning, Fear Appeals, Intrinsic Motivation, Protection Motivation and Spear Phishing Knowledge

List of Figures

Figure 1 The Self-Determination Continuum

Figure 3.1 All Hypotheses Represented in the Conceptual Model

Figure 5.1 Outcomes of the Factorial ANOVA, Represented in Sub-model 1

Figure 5.2 All Hypotheses with their Corresponding Regression Model Represented in the Conceptual Model

Figure 5.3 Outcomes of PROCESS Model 4, Represented in Sub-model 2

Figure 5.4 Outcomes of PROCESS Model 14, Represented in Sub-model 3

Figure 5.5 Outcomes of PROCESS Model 1, Represented in Sub-model 4

Figure 5.6 The Conditional Effect of the Degree of Intrinsic Motivation on the Amount of Spear Phishing Knowledge, at Values of the Degree of Protection Motivation

Figure 5.7 Outcomes of PROCESS Model 1, Additional Analysis Including Extrinsic Motivation

Figure 5.8 The Interaction Effect Between the Degree of Intrinsic Motivation and Extrinsic Motivation (Rewards vs. No Reward), on the Amount of Spear Phishing Knowledge


Abstract

Nowadays, the majority of businesses perceive spear phishing as their number one cybersecurity concern; it has tripled in number over the past few years and accounts for 91% of all cyberattacks, characterizing the continuing threat of spear phishing’s proliferation. Technical tools are inconsistent in accurately detecting these vicious attacks, leaving users susceptible to spear phishing. As such, an apparent need exists to educate individuals about spear phishing. Therefore, this research contributes to the pursuit of designing an optimal training standard, since no accepted training standard predominates in contemporary research. Users declare current training to be too time-consuming and spear phishing not to be their top priority, which results in a definite lack of motivation. Hence, this study focuses on motivational synergy, in which game-based learning enhances intrinsic motivation and fear appeals provoke protection motivation. This study emphasizes their reciprocal relationship: users perceiving spear phishing threats as their concern (protection motivation) is reasoned, in turn, to intensify the effect of users perceiving the way they learn as enjoyable and fun (intrinsic motivation) on generating spear phishing knowledge.

The moderated mediation framework is tested through a 2 x 2 experimental design, in which 186 participants are randomly assigned to four conditions to assess the combined effects of game-based learning (game vs. no game) and fear appeals (fear vs. no fear).

Overall, the findings corroborate that the positive effect of game-based learning on spear phishing knowledge is indeed explained by intrinsic motivation. However, the results revealed no intensifying effect of protection motivation, though alternative explanations shed light on these insubstantial results, involving meaningful contributions to future research and management practice. Notably, an additional observation of the effect of receiving rewards, resembling being motivated by external motives (extrinsic motivation), was shown to intensify the positive effect of intrinsic motivation on spear phishing knowledge.


Key words: spear phishing knowledge; game-based learning; fear appeals; intrinsic motivation; protection motivation

1 Introduction

Due to our environment digitizing at a breath-taking pace, the reliance on the Internet and email has grown excessively, leading to people being incessantly available and online. Although this has facilitated communication between individuals, it has simultaneously led to substantial security threats (Parmar, 2012). According to Cloudmark, trusted leader in intelligent threat protection, the most frequently occurring cyber-attack today is spear phishing, accounting for 91% of all cyber-attacks (Cloudmark, 2016). Spear phishing is a specific type of phishing. Phishing, compared to spear phishing, involves retrieving personal and valuable information by sending targets malicious emails in which the attackers provide certain links containing false attachments or URLs (Ramzan & Zufikar, 2010). These phishing attacks are mostly organized on a large scale, simultaneously targeting the masses in the hope of ‘phishing’ as many as possible. Contrariwise, spear phishing involves a far more specific and sophisticated type of phishing. These attacks often originate from fine-tuned emails, containing personally tailored information and resembling trustworthy sources, such as banks or even friends, to increase the likelihood of users clicking the malicious links (Stephenson, 2014). Even large companies like Google have successfully been penetrated by these attacks, which illustrates all businesses’ susceptibility and vulnerability to spear phishing. According to a Cisco report (2011) on email attacks, cybercrime activities, such as phishing, have been reduced by 50% in the past year. Contrariwise, spear phishing has rapidly increased, tripling in number during the same period. Due to the dramatically growing number of spear phishing attacks over the years, organizations nowadays perceive spear phishing as their number one cybersecurity concern. 20% of them even claim spear phishing to be the top threat facing their company, apart from cybercrimes. Moreover, 84% had a spear phishing attack penetrating their organization’s security, which for 90% consisted of spear phishing attacks (Cloudmark, 2016).

These staggering numbers give a solid explanation for the widespread proliferation of current research on creating actual spear phishing knowledge among employees, in particular when considering that a lack of spear phishing knowledge often results in substantial financial losses and the loss of personal and valuable data (FireEye, 2012). However, current research on both educational methods and technical methods for preventing spear phishing attacks demonstrates incoherence in achieving an optimal training standard.

Concomitantly, the persistent growth of spear phishing attacks indicates that these attacks are not in the least under control. Existing sophisticated anti-phishing tools are not consistently adequate in safely detecting tailored and high-tech spear phishing attacks, leaving users susceptible when relying solely on technical tools (Abbasi et al., 2012). Also, even if these technical methods correctly identify spear phishing attacks, people frequently choose to ignore them, trusting their judgment over that of automated phishing tools (Abbasi et al., 2015). Due to this inadequacy of technical methods and the incautious way in which users employ them, one might emphasize educational methods instead.

However, educational methods in anti-phishing training are likewise lacking, especially regarding highly targeted and specific spear phishing attacks. Previously conducted research on training methods demonstrated that 70% of participants consequently fell target to spear phishing attacks, in some cases even in spite of the fact that they had just received training on spear phishing (Dodge et al., 2007; Jagatic et al., 2007; Ferguson, 2005). Likewise, more recent research conducted by cybersecurity research firm Vanson Bourne in collaboration with Cloudmark (2016) on spear phishing threats found the human factor to evidently remain the continuing top priority. They held over 300 structured interviews with over 300 IT decision makers to uncover what businesses perceived as their biggest threats, which proved to be humans’ inconsistency in employing technical tools and their apparent lack of interest in training. Moreover, according to EY’s 19th Global Information Security Survey Research of 2016/2017, Dutch companies regard (un)aware errors made by employees to be the greatest concern and risk towards cyber-attacks. They conducted large-scale research involving 1735 organizations within 73 countries. The results demonstrated 83% of respondents to consider negligent employees as the most presumable source of all succeeded cyber-attacks experienced within their firm (van Kessel, 2016).

Altogether, this appears to be an explicit indication of spear phishing threats being a widespread and global concern. Therefore, one might argue a profound eagerness to prevail on contriving an accepted standard that should primarily be focused on the comprehension of underlying drivers in the learning process about spear phishing. This is especially so as it may be useful for a fuller understanding of how to create actual spear phishing knowledge, which could potentially lead to the acceptance of a particular training standard. According to Schuetz et al. (2016), people mainly complain about spear phishing training being too time-consuming and not perceived as their top priority, which results in boredom and a definite lack of motivation. However, one of the most important drivers behind learning and education, in general, is motivation (Christophel, 1990). People might possess sufficient amounts of knowledge, expertise, and experience, though if they do not feel motivated, they will not be moved to pursue their goal (Amabile, 1996). Enhancing people’s motivation has been a long-discussed concept within academic literature, characterized by the great number of articles that have been written on the topic (Cameron & Pierce, 1994; Floyd, 2000; Deci & Ryan, 1985; Aguinis et al., 2017). Deci & Ryan (1985) made the considerable distinction within motivation between intrinsic motivation and extrinsic motivation. Intrinsic motivation refers to the motivation that arises from within and is triggered by experiencing pleasure and enjoyment. Contrariwise, extrinsic motivation refers to the motivation that is triggered by experiencing external pressures and control. Remarkably, the focus in previous research is either on intrinsic motivation or extrinsic motivation to enhance spear phishing knowledge.

Enhancing intrinsic motivation to create spear phishing knowledge has been demonstrated through game-based learning, a technique that is based on the principles of gamification, which refers to the use of game elements in non-game contexts (Deterding et al., 2011). The link between intrinsic motivation and gamification is well represented by the following: the aspects of experiencing intrinsic motivation consist of a clear goal, the means to attain that goal and immediate feedback, all of which can be accomplished through games (Kapp, 2012; McGonigal, 2011). Although the literature has shown game-based learning to be quite effective in creating spear phishing knowledge (Hays, 2005; Sitzmann, 2011; Blunt, 2007), a fixed share of researchers remains not entirely convinced (Ke, 2009; Clark, 2013). This leads to continuing disagreement on the spear phishing training matter.

Enhancing extrinsic motivation to create spear phishing knowledge has been theorized to be effective in Schuetz et al.’s (2016) article on motivating users to create spear phishing knowledge through fear appeal manipulations. Fear appeals describe a strategy for motivating individuals to take a particular action by arousing fear (Rogers, 1975; Boss et al., 2015; Schuetz et al., 2016). However, these researchers do not refer to fear appeals provoking the more broadly defined concept of ‘extrinsic motivation’ in their articles, but underline the emergence of a more refined type of extrinsic motivation, namely ‘protection motivation’. Protection motivation involves individuals experiencing a certain threat as personally relevant and that they are capable of protection against it (Rogers, 1975; Boss et al., 2015; Schuetz et al., 2016), though the threat remains to be triggered externally. Boss et al. (2015) mainly base their reasoning on the recent developments taking place in current Information System research, demonstrating a shift from using coercive methods to including fear appeals that provoke a personal sense of urgency within cyber security contexts. This shift simultaneously implies the shift from extrinsic motivation (coercive methods) to protection motivation (personal sense of urgency). They further argue that fear appeals provide an increased positive effect on creating spear phishing knowledge compared to other tools, especially due to users experiencing spear phishing as a greater priority.

Overall, people appear to be the cause of failed ‘knowledge creating’ attempts within both technical and educational methods. In technical methods due to people’s presumption of having greater knowledge of potential spear phishing attacks than sophisticated phishing tools. In educational methods due to these methods being too time-consuming and not being perceived as a number one priority, which results in experiencing a lack of motivation to training. Opportunities to enhance their motivation may be established through game-based learning techniques or fear appeal manipulations, or potentially a combination of both. However, game-based learning as suitable training solution has not yet reached prevailing consensus on its effectiveness. Moreover, the effectiveness of fear appeals in creating spear phishing knowledge has solely been theorized to exist; no relationship between the two has been established within current research. Though, combining the effect of game-based learning, involving users that experience joy and fun within their learning process, and the effect of fear appeals, involving users that perceive spear phishing as their concern, may cause motivational synergy. Therefore, this study involves a substantial contribution to a deeper understanding of the underlying drivers characterizing ‘gaining spear phishing


input for future research, not solely on the spear phishing subject, but possibly on security behaviour as a whole. Furthermore, apart from spear phishing, this research may serve as starting point for a wide variety of motivation-enhancing training methods. Combining these particular types of motivation that emerge through games (intrinsic motivation) and fear (protection motivation) has received little attention in contemporary research. Likewise, incorporating both the techniques of game-based learning and fear appeals within one study does not seem to have been employed in prior studies. Though, emphasizing on both to determine an optimal training standard for creating spear phishing knowledge does sound plausible. Hence, the following research question is stated:

How do game-based learning and fear appeals play a role in generating motivation to create spear phishing knowledge?

2 Literature Review

In this literature review, a sufficient amount of research will be discussed in order to establish an extensive overview of existing literature on all involved key constructs: spear phishing, game-based learning, fear appeals and multiple types of motivation. The explicit goal of this research is establishing a standardized training method to create spear phishing knowledge in order to prevent users from succumbing to these spear phishing attacks. Therefore, this literature review consists of six components to shed light on the contemporary course of events. First, spear phishing’s definitions, previous and current literature on the subject, and people’s tendency to be susceptible to spear phishing will be reviewed in the first and the second paragraph. As lack of motivation tends to be the main issue in generating spear phishing knowledge among users, the Self-Determination Theory and sub-theories will be discussed in the third paragraph. Thereafter, techniques for enhancing users' motivation and their corresponding theories are analysed in the fourth and fifth paragraph, namely the effects of game-based learning and the effects of fear appeals. Moreover, these paragraphs consider the combined effect of game-based learning and fear appeals on spear phishing knowledge and the potential synergy of their emerged motivational outcomes. A short summary will be provided in paragraph six, in which all presented findings of the literature review come together to create an integrated and coherent overview. In conclusion, this literature review leads to a deeper understanding of the current situation regarding the apparent lack of spear phishing knowledge among individuals, and the subsequent opportunities for improving present training methods.

2.1 Phishing and Spear Phishing

The most successful cybercrime technique on the Internet today is spear phishing, which is a specific type of phishing. Phishing is the overarching concept of cyber-attacks employed by cyber-criminals seeking to acquire sensitive information such as passwords, credit card details and other personal information, for example social security numbers and usernames, by disguising themselves as trustworthy entities in an electronic communication. It mainly occurs on a massive scale, simultaneously attacking many users (Ramzan & Zufikar, 2010; Van der Merwe, Loock & Dabrowski, 2005). Ultimately, cyber-criminals’ goal is to obtain information leading to financial gain and/or damage to organizations’ brand and reputation, and phishing provides a means to accomplish that goal. Phishing falls within the broader categorization of semantic attacks, which take advantage of human-computer interaction and humans’ susceptibility to misinterpreting electronic communications. They differ in particular from non-semantic attacks, which profit from system vulnerabilities (Schneier, 2000; Sheng et al., 2007). Typically, phishing encourages receivers to download an attachment that is laced with malware, or involves an email that contains a false link to a fake website made to look trustworthy, to convince users to click the link (Parmar, 2012). Therefore, phishing attacks demonstrate higher success rates compared to non-semantic attacks, because they exploit humans’ tendency to easily trust their email messages and websites, even though both are based on simplistic cues that provide individuals with hardly any reliable trust information (Jakobsson & Myers, 2006; Sheng et al., 2007).

The ever-growing nature of life and work on the Internet enables far-reaching opportunities for cyber-criminals and their phishing attacks. However, over the past few years, a substantial shift has occurred from massive-scaled phishing attacks to more targeted email-based phishing attacks (FireEye, 2012). This “context-specific and highly targeted attack aimed at specific individuals, groups of individuals or organizations” is known as spear phishing (Wang et al., 2012). Although spear phishing and phishing share a similar goal, spear phishing has proven to be far more effective. Schuetz et al. (2016) gave a clear overview of the four main differences between phishing and spear phishing to illustrate spear phishing’s rapid increase. Spear phishing is more dangerous by magnitude (Jagatic et al., 2007); 40 times more effective regarding return rates (APWG, 2014); more sophisticated in pursuance (Hong, 2012) and more frequent in number (FireEye, 2012). FireEye (2012) further elaborated on spear phishing’s high success rate. Instead of phishing’s attempt to target the masses in the hope of individuals falling target to its deception, spear phishing aims at specific individuals within a particular company on a specific mission. Attackers roam social networks to obtain valuable and personal information on specific individuals to eventually develop a rather convincing electronic message that may appear to come from trustworthy sources, for example banks or even close friends. Due to spear phishing attacks being personally designed for one specific individual, the likelihood of people being deceived increases tremendously. To illustrate the far greater reach of spear phishing, Table 1 (Caputo et al., 2014) provides an overview of the comparison between massive-scaled phishing attacks and highly targeted spear phishing attacks. Though spear phishing attackers employ far fewer emails than phishing attackers, spear phishing requires solely a quarter of victims to fall for these attacks, while simultaneously involving over ten times the financial gain.

Table 1. Relative Cost and Benefit from Spear Phishing Campaigns (Caputo et al., 2014)

Internet users are increasingly being flooded with warnings on massive cyber-attacks, such as phishing, through several channels: newspapers, television and the Internet itself (Parmar, 2012). However, spear phishing’s highly targeted attacks show poor resemblance to massive cyber-attacks, leading to even security experts being deceived and to well-established anti-phishing tools no longer sufficing (FireEye, 2012). This leads one to believe that all types of organizations may fall target to spear phishing attacks, and according to Cloudmark (2016) and their article on spear phishing threats, indeed any business or individual can become a target. They demonstrated the penetration by such attacks within businesses ranging from JPMorgan Chase & Co to eBay to Sony or even governments.

2.2 Individual’s Susceptibility to Spear Phishing Attacks

Due to its continuous growth, it is of great importance to create sufficient amounts of spear phishing knowledge through learning and training to prevent individuals from succumbing to spear phishing attacks, in particular because spear phishing often results in the loss of valuable and personal data or in heavy financial losses, both rather damaging to businesses (FireEye, 2012). Countermeasures against spear phishing can broadly be classified into two methods: technical and educational. Technical methods refer to tools that automatically identify deceptive messages and either get rid of them instantly or alert users to their possibly damaging nature. According to research, these technical solutions have led to advancements in detection accuracy (Abbasi et al., 2015). However, these technical methods suffer from serious weaknesses, caused by their own deficiencies and the deficiencies of the people employing them. Research on why people tend to be susceptible to phishing found that people deliberately neglected warnings, trusting their judgment over specialized phishing detection tools (Egelman et al., 2008; Wu et al., 2006). This leads one to believe that solely installing these detection tools is hardly enough.

Parmar (2012) argues that spear phishing mainly owes its success to taking advantage of humans’ weakest link; trust. Through resembling reliable and well-known sources (emails of your bank, a friend, etc.), it seems nearly inevitable that people are being deceived.

Anderson, Vance & Eargle (2013) aim to provide an explanation of the underlying factors of why individuals are susceptible to phishing. They reason that individuals’ susceptibility to phishing might depend on memory. They indirectly measured memory through the eye movement-based memory effect (EMM); a phenomenon in which people pay less attention to images that they have viewed before. In their article, they demonstrate the negative effect of memory on spear phishing knowledge through tracking an individual’s eye movement. They showed that similar images, compared to new and changed images, receive less attention. This might be an explanation of why individuals are more susceptible to phishing. Moreover, due to spear phishing resembling more targeted attacks than phishing, the demonstrated effect of people paying less attention to images they have viewed before may be even more harmful with regards to highly specific spear phishing attacks.


Educational methods can reduce the probability of falling for spear phishing attacks (Wright & Marett 2010). The authors claim that training increases three factors that turned out to be significant in decreasing deception success: a user's self-efficacy, security knowledge, and suspicion. However, other researchers argue differently. Caputo et al. (2014) conducted a large-scale experiment, with a total of 1500 participants, to explore the effectiveness of embedded training on creating spear phishing knowledge. Their findings contradicted their expectations. Instead of increased knowledge, their results showed that many participants did not read the training and clicked either on all phishing links or none, across three trials. Likewise, Ferguson (2005) illustrated the difficulty of making anti-phishing training salient. He managed to successfully phish 90% of the users even though they had received a four-hour training session on the same day. These studies illustrate the previously discussed room for improvement present in current training programs.

The previous studies (Caputo et al., 2014; Ferguson, 2005), which conclude that training lacks success, underline the notion that an absence of motivation might play a role in these disappointing results. In accordance, Scott Greaux (2013) argues that one of the greatest challenges facing cybersecurity knowledge initiatives is providing employees with an experience they will remember, retain and utilise. To increase the probability of people remembering, retaining and utilising an experience, users need to acquire the motivation to actively engage in protective behaviours, especially regarding spear phishing, as these kinds of attacks are well disguised and hard to detect based on visual cues alone (Schuetz et al., 2016). Schuetz et al. (2016) indeed argue that the definite lack of motivation is one of the greatest problems in spear phishing training programs, due to people not perceiving spear phishing as their concern and declaring to be bored with time-consuming training.

2.3 Self-Determination Theory: Intrinsic and Extrinsic Motivation

The most important aspect of driving learning processes is motivation (Christophel, 1990). To support this solid statement, consider the following: even though an individual holds an infinite amount of expertise and skills, he or she will not be moved to pursue without motivation (Amabile, 1996). Therefore, motivation plays a crucial role within individuals’ learning processes in general and in individuals’ learning processes on how to detect spear phishing attacks. Motivation is a theoretical construct attempting to explain behaviour and aims to translate a person’s actions, desires and needs into valuable insights into people’s motives. In other words: to be motivated means to be moved to do something (Deci & Ryan, 2000).

Self-Determination Theory (SDT) is a widely accepted macro theory of human motivation concerning individuals’ innate growth propensities and their ingrained psychological needs (Deci & Ryan, 1985; Deci & Ryan, 2000). SDT argues that motivation is not a unitary concept; on the contrary, it differentiates between two rather opposing and multi-faceted types of motivation. Intrinsic motivation refers to the type of motivation in which individuals experience the innate drive to discover new challenges and opportunities that are related to cognitive and social development. It emerges from within and is accompanied by the experience of freedom and autonomy. Contrariwise, extrinsic motivation refers to people’s motivation stemming from external sources and is accompanied by the experience of pressure and control. In the next section, two sub-theories of SDT will be elaborated on. According to these theories, intrinsic motivation and extrinsic motivation are subdivided into multiple components, enabling a deepened understanding of both constructs.

SDT distinguishes three fundamental needs as underlying drivers of human behaviour, which are to be met to maximize psychological well-being and are claimed to be universal: the need for autonomy, competence, and relatedness (Deci & Ryan, 1985). The Cognitive Evaluation Theory (Deci & Ryan, 1985) is a sub-theory of SDT that proposed two of these needs to be the foundation of intrinsic motivation and behaviour. The needs for competence and autonomy demonstrate a link between individuals’ basic needs and their motivations. Competence, or self-efficacy, which refers to the extent or strength of one’s belief in one’s abilities to complete tasks and reach goals, is required for people to engage in intrinsically motivated behaviour (Deci & Ryan, 1985). Likewise, the presence of autonomy is necessary for people to perceive their actions as emerging out of their own choices, which refers to self-determined behaviour.

To further deepen the understanding of the processes underlying extrinsic motivation, Deci & Ryan (1985) expanded SDT by incorporating the Organismic Integration Theory. This theory includes contextual factors under which extrinsic motivation may emerge and distinguishes four forms that reflect increasing autonomy from the first to the last form:

1) Externally regulated behaviour is performed out of the involvement of externalities, such as rewards.

2) Introjected regulation of behaviour refers to partially accepting regulations, however not accepting them as your own. Even though this type of behaviour is performed to retain self-worthiness, the causality of the behaviour is perceived to be external.

3) Regulation through identification, the process in which the behaviour is perceived and accepted as personally relevant and relates to consciously willing to pursue a goal.

4) Integrated regulation reflects the most autonomously driven form of extrinsic motivation and emerges when regulations are entirely integrated with one’s self. Therefore this form of extrinsic motivation comes closest to intrinsic behaviour as it is strong-willed and valued by the self. However, this process remains extrinsic due to the eventual goal and outcome being independent of the self-determined behaviour, in particular when comparing it to the enjoyment and/or interest in the task, as is experienced within intrinsic behaviour and motivation.

Intrinsically motivated behaviours are performed out of people’s own interest and fulfil the inherent psychological needs for autonomy and competence. They are the ideal example of determined behaviour and are positioned on the outer right side of the self-determination continuum (Figure 1). Extrinsically motivated behaviours, however, are contributory to somewhat more separable outcomes, outside one's self. They can differ in their degree of self-determined behaviour. The two processes of extrinsic motivation by which individuals can obtain an increased likelihood of self-determinedness are internalization and integration (number 3 and 4 of the previous paragraph). Amotivation is positioned on the opposite side of the self-determination continuum, the outer left side. It resembles the entire absence of motivation.

Figure 1. A Clear Overview of the Self-Determination Continuum, in which All the Previously Described Types of Motivation are Obtained with their Corresponding Regulatory

Because intrinsic motivation is voluntary and arises out of individuals’ own motives, it leads to the highest probability of people engaging in learning, as they truly enjoy what they pursue, compared to extrinsic motivation (Deci & Ryan, 1985). Logically, this led to a profound interest in provoking intrinsic motivation, particularly within education and work, as reflected by the widespread existence of the subject in former and contemporary literature (Gottfried, 1985; Van Yperen & Hagedoorn, 2003; Van Yperen et al., 2016). A quite recent learning technique that implements all factors of provoking intrinsic motivation is gamification, the use of game design elements in non-game contexts (Deterding et al., 2011). This salient resemblance is fairly well demonstrated by Jane McGonigal, one of America’s most recognized researchers on gamification. According to McGonigal (2012), the ideal way to naturally trigger people’s interest is through gamification, due to it being closely linked with theories on intrinsic motivation. Intrinsically rewarding work demands a clear goal, the means to attain that goal and immediate feedback, all of which can be accomplished through games (McGonigal, 2011). Therefore, this resemblance simultaneously meets both needs for competence and autonomy, as discussed earlier. Since games strengthen people’s beliefs in their ability to complete their goals by supplying them with the means to attain those goals, the need for competence is met. Since playing games is mostly considered fun and enjoyable, which subsequently leads to more self-determined users compared to other learning techniques, the need for autonomy is met (Kapp, 2012).

To further strengthen McGonigal’s reasoning, an article on the effectiveness of game-based learning discussed quite promising and strong results within a variety of studies. Connolly et al. (2011) conducted a meta-analysis consisting of 129 studies, of which 121 employed quantitative methods and the remaining eight employed qualitative methods. They indicated one of their firmly substantiated conclusions to be the positive effect of game-based learning on motivational outcomes. Kapp (2013) further elaborates on several studies and papers that come to the nearly unanimous conclusion of the supporting role of serious games within learning processes, positively impacting motivation (Blunt, 2007; Hays, 2005; Sitzmann, 2011). Moreover, Deci & Ryan (2002) reason how game-based learning can be particularly useful in enhancing intrinsic motivation. Games are often experienced as being more interesting and/or enjoyable, and learners feel more engaged in gaming activities compared to non-game-based learning activities.

2.4 Gamification, Game-based Learning, and Serious Games

The proliferation of gamification in the academic literature over the past decade reflects the growing interest in this topic. Gamification, game-based learning, and serious games can partially be viewed as similar, due to all concepts aiming to accomplish the same goal; to solve a problem, motivate and promote learning using game-based thinking and techniques (Kapp, 2012; Cook, 2013). However, the difference can be argued to lie within gamification being a more broadly defined concept, in which serious games are the means aiming to achieve the goal and game-based learning the technique on which gamification is based.

Several researchers demonstrated the positive effect of game-based learning on motivation. Ricci et al. (1996) concluded that when training instructions integrate game features, student motivation increased, leading to more attention to training as well as more retention. In accordance, Druckman (1995) demonstrated games to be effective in increasing motivation along with students’ interest in certain subjects. Furthermore, Amory and Seagram (2003) found that computer games not only provided education but also potentially accommodated users with a rich learning environment, as they motivated them and kept their attention by providing immediate feedback. Finally, according to a literature review of empirical studies on gamification (Hamari, Koivisto & Sarsa, 2014), the majority of the reviewed studies demonstrate the overall positive effects and benefits of gamification. Nevertheless, the reviewed studies show a considerable number of methodological limitations: 1) too small sample sizes; 2) no proper, validated psychometric measurements were used; 3) missing control groups and relying entirely on user evaluation; and 4) most of the studies solely presented descriptive statistics, not inferring the relationships between constructs. Improving these shortcomings might further increase the probability of successfully finding (positive) effects of gamification, game-based learning, and serious games.

The serious game Anti-Phishing Phil (Sheng et al., 2007) is an example of a game-based learning technique aimed at enhancing phishing knowledge through presenting false and correct URL links. The authors found positive effects of the game on spear phishing knowledge, in comparison with non-game-based learning. However, their study involved an insufficient number of participants per condition, namely 14 per condition, which is well below the rule of thumb of 30 participants per condition (Luck, 2005). In other words, no substantial interpretations can be drawn from these results. Kumaraguru et al. (2010) replicated their research on Anti-Phishing Phil’s effectiveness and included more conditions. They demonstrated that participants who played the game performed better in identifying phishing websites than participants who completed two other types of training. Moreover, the Anti-Phishing Phil game solely focuses on anti-phishing instead of anti-spear-phishing, though the results still indicate positive effects of serious games on learning processes within phishing contexts.

A more recent serious game designed by researchers at Carnegie Mellon University (2010) is Anti-Phishing Phyllis, which, in comparison with Anti-Phishing Phil, does emphasize creating spear phishing knowledge instead of phishing knowledge. Likewise, these researchers (Sheng et al., 2010) found positive results of game-based learning’s enhancing effect on intrinsic motivation and on expanding spear phishing knowledge. These training games attempt to trigger users in a more engaging way through responding to their intrinsic needs of experiencing joy and arousing interest, which is more likely to be experienced within games than within non-gaming learning techniques. However, both studies employed small sample sizes, leading to the need to replicate these studies with larger sample sizes. Nevertheless, these findings might be an indicator of the effectiveness of game-based learning on creating spear phishing knowledge; hence the following hypotheses of this study are proposed:

H1a: Game-based learning increases the degree of intrinsic motivation.

H1b: High degrees of intrinsic motivation increase spear phishing knowledge.

H1c: Game-based learning increases spear phishing knowledge, regardless of intrinsic motivation.

Research on the effectiveness of provoking extrinsic motivation within learning processes tends to be inconsistent. Several studies on distinguishing between intrinsic and extrinsic motivation demonstrate the undermining role that extrinsic motivation often plays in self-determined behaviour and how it negatively impacts intrinsic motivation (Deci, 1975; McGraw, 1979; Deci & Ryan, 1985). Contrariwise, more recent literature exemplifies their concurrence. Garris, Ahlers & Driskell (2002) argue, based on Deci & Ryan’s SDT (1985), that self-determined learner behaviour indeed emerges from intrinsic motivation, for example, the learner engages in an activity because it is interesting or enjoyable. However, it also emerges from extrinsic motivation, for example, the learner engages in an activity because he or she desires the outcome and values it as important. This statement emphasizes not focusing solely on generating intrinsic motivation within learners, but focusing on extrinsic motivation simultaneously. They illustrate the ideal situation of creating learners who are both self-directed and self-motivated because the task itself is interesting (intrinsic) and because achieving the outcome is important (extrinsic). Moreover, notwithstanding the fact that SDT is founded on the assumption that intrinsic motivation is distinct from extrinsic motivation and that the two do not tend to co-exist (Deci & Ryan, 1985), more recent research by Deci and Ryan (2012) emphasizes that some behaviours can concurrently be motivated both intrinsically and extrinsically.

In accordance, Amabile (1993) emphasizes the positive effect extrinsic motivation may have on intrinsic motivation. However, it is important to note that Amabile does not deny the potential undermining role of extrinsic motivation on intrinsic motivation; on the contrary, she fully acknowledges its possibility. Indeed, most literature confirms the undermining role of extrinsic motivation on intrinsic motivation, in which it suggests an antagonism: ‘as extrinsic motivation for a certain activity increases, intrinsic motivation must decrease’. Experiencing extrinsic motivational drivers, such as being constrained and/or controlled, has proven to undermine intrinsic motivation. Nevertheless, Amabile elaborates on the fact that there are circumstances in which both types of motivation may positively coexist. She demonstrated this based on a field study in which children that experienced intrinsic motivation became more motivated once they were offered a reward on top of being intrinsically motivated. Intrinsic motivation was provoked through making the children aware of their intrinsic motives for learning and helping them focus on these. This suggests a possible synergetic effect of extrinsic motivation on intrinsic motivation on performance.

Apart from learning processes in general, a rather recent article underlines the positive effect of extrinsic motivation within cybersecurity contexts. Boss et al. (2015) emphasize uncovering new ways to motivate employees, end users and customers to enhance protection of their personal and organizational information properties. Even though they gave no clear mention of extrinsic motivation, they did elaborate on several theoretical approaches involving extrinsic motivation to improve cyber security behaviour. General Deterrence Theory (GDT; Herath & Rao, 2009; Hu et al., 2011) emphasizes imposing commands and control on employees to engage them in protective cyber security behaviour. As mentioned before, Amabile indicated the undermining role of extrinsic motivational drivers, such as being constrained and/or controlled, on intrinsic motivation. This may be a plausible reason for the current shift taking place from General Deterrence Theory to Protection Motivation Theory (PMT; Crossler & Bélanger, 2013; Lee & Larsen, 2009). This shift is well substantiated by the extensive research published on combining information security and PMT (Herath & Rao, 2009; Jenkins et al., 2013; Johnston & Warkentin, 2010; Lee et al., 2008; Lee & Larsen, 2009; Liang & Xue, 2010) and likewise acknowledged by Boss et al. (2015).

Protection Motivation Theory (PMT) underlines the importance of employing persuasive messages to convince people of the urgent need to prevent a negative outcome from occurring. Moreover, it provides users with compensating measures on how to prevent this negative outcome. Boss et al. (2015) further argue that PMT naturally fits information cybersecurity contexts, since the consequences of spear phishing should be perceived as severe, so that these particular contexts require end users to perceive certain outcomes as personal and relevant. Moreover, they substantiated their reasoning through demonstrating the positive effect of generating fear, as included in the PMT, on the performance of participants that received cybersecurity training (Lee et al., 2008; Herath & Rao, 2009; Jenkins et al., 2013). Naturally, spear phishing threats are a cybersecurity concern, and therefore PMT could provide useful insights. More specifically, assuming similar effectiveness of generating fear within creating spear phishing knowledge does seem plausible, as it has proven to be successful before in cyber security training. This will be elaborated on in the next section.

2.5 Protection-Motivation Theory: Fear Appeals and Extrinsic Motivation

Today, a leading theory within the field of information security research is the Protection Motivation Theory. PMT is a theory that was originally developed to help elucidate fear appeals. Fear appeals describe a strategy for motivating individuals to take a specific action by arousing fear (Rogers, 1975; Schuetz et al., 2016). More simply put, fear appeals “are persuasive messages designed to scare people by describing the terrible things that will happen to them if they do not do what the message recommends” (Witte, 1992). The desired result of employing fear appeals is for these targeted individuals to experience the need to engage in protection motivation. Protection motivation may be defined as a specific type of motivation: the motivation to prevent negative outcomes from happening due to perceiving the threat as personally relevant (threat appraisal) and believing oneself to be personally capable of prevention (coping appraisal). According to Floyd (2000), the protection motivation derives from both the ‘threat appraisal' as well as the ‘coping appraisal'. The threat appraisal consists of the following factors: the perceived severity of a threatening event and the perceived vulnerability to a threatening event. The coping appraisal consists of the efficacy of the protective behaviour and the perceived self-efficacy. Therefore, a successful fear appeal strengthens protection motivation through communicating a threat after which an adequate coping response is presented. Moreover, Floyd (2000) added a fifth component: ‘intend to act upon the fear appeal’, which corresponds with individuals’ willingness to follow the presented advice to prevent the negative outcome from occurring. Increasing protection motivation secures an individual’s intent to engage in protective behaviours in an attempt to avoid the represented risks (Floyd et al., 2000). Thence, protection motivation is a specific type of motivation, in which individuals aim to prevent negative consequences from occurring, and it emerges through successfully generating fear within individuals through fear appeals (Schuetz et al., 2016).

Once individuals perceive the threat as (1) severe (the perceived severity) and (2) easily targeting them (the perceived vulnerability), and the presented coping mechanism as (3) feasible in general (the efficacy of the protective behaviour) and (4) feasible within their reach (the perceived self-efficacy), they may experience a more autonomous form of extrinsic motivation. The third most autonomous form of extrinsic motivation, as mentioned in the SDT (Self-Determination Theory) section of this literature review, tends to coincide with PMT's goal within cybersecurity contexts, provided that the fear appeal manages to provoke all factors. The third form refers to regulation through identification, in short identified regulation: the process in which the behaviour is perceived and accepted as personally relevant and relates to consciously willing to pursue a goal, which most likely is the case once the fear appeal succeeds. In other words, it is argued that protection motivation is a form of extrinsic motivation, as the motivation is generated externally (through fear appeals) and achieving the outcome of becoming more competent in preventing spear phishing attacks is perceived as personally relevant. Therefore, out of all motivation definitions regarding extrinsic motivation, protection motivation will further on be employed throughout this thesis. Protection motivation appears to be the best fit to spear phishing contexts, as reflected by the use of Protection Motivation Theory (PMT) in cyber security contexts (Boss et al., 2015). When individuals are made aware of serious spear phishing threats, the consequences are perceived as personal, and the potential outcome is of value (as is the case when experiencing protection motivation), the likelihood of creating spear phishing knowledge will most likely increase.

An interesting finding that partially contradicts the self-determination theory is that of Cokley (2000). In his research, he examined the Academic Motivation Scale's construct validity and its subscale correlations in order to determine whether the fundamental basis of self-determination should continuously be supported. The author proposed that the initial distinction between intrinsic and extrinsic motivation, which positioned them as two opposites, might not be as adverse as previously believed. He found that a-motivation (the opposite of motivation) had a stronger negative relationship with identified regulation than any of the intrinsic motivation subscales had with a-motivation. This might be an indication of identified regulation being a stronger motivational driver than intrinsic motivation, due to it correlating more negatively with a-motivation than intrinsic motivation does. This provides more reason to believe that creating identified regulation (through the use of fear appeals) will be substantially effective within learning processes and especially within the learning process of spear phishing (related to cybersecurity behaviour), which already turned out to be effective in the article by Boss et al. (2015). However, further substantiation of this finding did not become evident within current literature. Therefore, this study may be considered as being an indicator of the effectiveness of identified regulation, rather than as solid proof of identified regulation being more effective than intrinsic motivation. Conclusively, Cokley underlines the possible efficacy of identified regulation; as mentioned before, identified regulation tended to largely coincide with protection motivation, and protection motivation in turn has been demonstrated to succeed in cybersecurity contexts. Altogether, one might argue protection motivation to be of value within the learning process of creating spear phishing knowledge. Thence, the following hypotheses are stated:

H2a: The use of fear appeals increases the degree of protection motivation.

H2b: High degrees of protection motivation increase spear phishing knowledge.

Moreover, game-based learning has been demonstrated to be an effective way of learning based on several studies, including a meta-analysis (Connolly et al., 2011), both in general (McGonigal, 2012) and within spear phishing contexts (Sheng et al., 2007). Some of these studies underlined game-based learning’s positive and direct effect on learning processes, regardless of intrinsic motivation. Likewise, fear appeals have been demonstrated to be an effective way of learning within cybersecurity contexts (Boss et al., 2015) and theorized to be effective within spear phishing contexts (Schuetz et al., 2016). However, fear appeals are not theorized to have a direct effect on spear phishing knowledge in this study, as it is argued that without protection motivation fear appeals will not necessarily engage people in certain learning processes, since individuals do not perceive the threat as personally relevant and/or themselves as personally capable of protection. Nevertheless, fear appeals may intensify the effect of the game on spear phishing knowledge. For example, if people play the game, they may consider the game as an adequate coping appraisal of protecting them against spear phishing threats. However, without playing the game, which would correspond to fear appeals directly affecting the emergence of spear phishing knowledge, this coping appraisal of gaming may be absent. Therefore, the following hypothesis is proposed:

H3: The use of fear appeals will intensify the relationship between game-based learning and spear phishing knowledge.

As previously argued, the relationship between intrinsic and extrinsic motivation can be reciprocal under certain circumstances, meaning the possibility of them positively influencing each other exists. Amabile (1993) emphasized that the type of extrinsic motivation should not be perceived as coercive, in which individuals feel either controlled and/or constrained. These types of extrinsic motivation have a high probability of undermining the positive effects of intrinsic motivation. However, it is reasoned that once extrinsic motivation is generated through perceiving the goal as personally relevant, this may lead to experiencing the desire to prevent a negative outcome from occurring. According to the previously discussed literature, this may be attained through the use of fear appeals, which in turn will provoke protection motivation. Moreover, perceiving the threat as personal and relevant may enhance participants’ commitment to perform on any task, and in this particular case it may encourage individuals to develop a higher need to protect themselves against spear phishing attacks. In accordance, Riemann and McNally (1995) state that once information is perceived as personally relevant, as is the case with provoking protection motivation through fear appeals, the alertness within participants increases. Moreover, an increase in alertness leads to greater performance and commitment in following tasks (Wright et al., 2002). Therefore, the potential reciprocal relationship between intrinsic and protection motivation is argued to exist, in which protection motivation will strengthen the effect of intrinsic motivation on spear phishing knowledge. Accordingly, the underlying mechanisms in this study, namely intrinsic and protection motivation, are hypothesized to affect each other in the same way as game-based learning and fear appeals combined and both their effects on spear phishing knowledge (see H3). Hence, the following hypothesis is formulated:

H4: High degrees of protection motivation intensify the effect of intrinsic motivation on spear phishing knowledge, provided that intrinsic motivation is high; however, if intrinsic motivation is low, high degrees of protection motivation will not intensify this effect.

2.6 Short Summary

Conclusively and as evidenced by all previously discussed literature, both technical and educational methods on creating spear phishing knowledge do not seem to suffice in its learning process. Technical methods seem to fall short due to people’s ignorance and stubbornness in employing them. Educational methods seem to fall short due to people’s lack of motivation. Therefore, people need to be triggered otherwise to become aware and trained in detecting spear phishing attacks. Intrinsic as well as protection motivation may play a supporting role in educating employees to engage in training on spear phishing attacks. Serious games could be a means by which intrinsic motivation is generated through engaging in the process of game-based learning, which may lead to experiencing pleasure and enjoyment within training. Exposing employees to fear appeals could be a means by which protection motivation is generated through perceiving fear of its potential negative outcomes, which may lead to adopting spear phishing as personally relevant within training. As elaborated on in previous paragraphs, combining both game-based learning/intrinsic motivation and fear appeals/protection motivation may lead to a potential synergetic effect, which in turn would involve an optimal outcome in creating spear phishing knowledge, compared to them separately. Therefore, the ultimate goal would be to develop learners that are both intrinsically and extrinsically motivated. Ultimately, this study aspires to add to the pursuit of a widely accepted training method for creating spear phishing knowledge by combining both game-based learning techniques and fear appeals, with the emergence of both intrinsic and protection motivation as the synergetic ideal outcome within learning processes.

3. Conceptual Model & Hypotheses

All hypotheses were included in the literature review in order to provide a more structured and comprehensible reasoning of how these hypotheses are derived from existing literature. Nevertheless, all previously discussed and linked hypotheses are both summed up and presented below in the form of the constructed conceptual model (Figure 3.1). The displayed arrows within the model reflect the associated linkages between all constructs. Moreover, all hypotheses are summarized and subsequently integrated into one coherent story.

Summary of hypotheses:

H1a: Game-based learning increases the degree of intrinsic motivation.

H1b: High degrees of intrinsic motivation increase spear phishing knowledge.

H1c: Game-based learning increases spear phishing knowledge, regardless of intrinsic motivation.

H2a: The use of fear appeals increases the degree of protection motivation.

H2b: High degrees of protection motivation increase spear phishing knowledge.

H3: The use of fear appeals will intensify the relationship between game-based learning and spear phishing knowledge.

H4: High degrees of protection motivation intensify the effect of intrinsic motivation on spear phishing knowledge, provided that intrinsic motivation is high; however, if intrinsic motivation is low, high degrees of protection motivation will not intensify this effect.

Hypothesis 1a was developed to test whether game-based learning indeed enhances intrinsic motivation. Hypothesis 2a was obtained to test whether fear appeals indeed provoke protection motivation. Both hypotheses were required to test the manipulations’ successes of game-based learning and fear appeals to enable further testing of hypotheses H1b, H2b and H3. Logically, these three hypotheses can solely be tested if differences in both motivation types emerge, to assess whether their increases lead to the desired effect of creating spear phishing knowledge. Game-based learning was already reasoned to have a positive effect on spear phishing knowledge (H1c). Moreover, researchers continuously established the positive effect of intrinsic motivation (H2b) within any type of learning environment. Therefore, the expected mediating effect of intrinsic motivation between game-based learning and spear phishing knowledge seems rather plausible. Furthermore, fear appeals were argued to positively affect spear phishing knowledge solely through protection motivation (H2b). No direct effect was hypothesized to exist due to the possible absence of the coping appraisal (game), as mentioned in the literature review. This mediating effect of protection motivation between fear appeals and spear phishing knowledge has solely been theorized to exist within current literature (Schuetz et al., 2016), meaning no relationships have been established yet. However, Boss et al. (2015) did employ fear appeals within their cyber security field of research, pointing to positive effects of fear appeals on protection motivation and subsequently causing participants to actually secure their data through backups. As such, this study assumes the effectiveness of fear appeals in spear phishing contexts (H2b), since spear phishing threats are a cybersecurity concern. Notably, this conceptual model holds important contributions to academic literature through obtaining hypotheses on the potential combined effect of both game-based learning and fear appeals (H3), and the combined effect of their underlying mechanisms, intrinsic motivation and protection motivation (H4). Apart from spear phishing, this may provide insights into new ways of learning, in which this research can be considered as a modest starting point.

Figure 3.1 All Hypotheses Represented in the Conceptual Model

[Figure: conceptual model with the nodes Game-based Learning, Fear Appeals, Intrinsic Motivation, Protection Motivation and Spear Phishing Knowledge, connected by paths labelled H1a, H1b, H1c, H2a, H2b, H3 and H4.]

4 Methods

The aim of this research is finding a suitable training method to enhance an individual's spear phishing knowledge, potentially accomplished through game-based learning and fear appeals. In this thesis the hypotheses are consequently derived from existing literature, which involves applying a deductive reasoning approach. To test all hypotheses and find an answer to the research question, this study was based on quantitative experimental research, realized through a 2 x 2 between subjects design: two independent variables, both on two levels (fear vs. no fear and game vs. no game). The main purpose of experimental research is construing substantiated support for causal relationships between variables. In this case, game-based learning is supposed to increase intrinsic motivation, which in turn positively affects spear phishing knowledge. Furthermore, fear appeals are supposed to increase protection motivation, which in turn intensifies the effect of intrinsic motivation on spear phishing knowledge. Finally, game-based learning and fear appeals, as well as intrinsic motivation and protection motivation, are supposed to generate a more positive effect on spear phishing knowledge together than separately.

The following paragraphs elaborate on how this study was conducted. First, the research setting will be introduced, after which the operationalization of constructs and their accompanying type of materials will be discussed. Hereafter the sample and a concise procedure will follow, and lastly, the obtained control variables are presented. Altogether, this provides future researchers with the opportunity to replicate this experiment.

4.1 Measurement and Validation of Constructs

An experimental design with an explanatory approach was employed to assess the relationships between all involved variables in the shape of a 2 x 2 between subjects design. Through Qualtrics an online experiment was set up in the form of a survey questionnaire, to gain the largest possible reach in a relatively short time frame. Qualtrics provided the opportunity of randomly assigning participants to one of four conditions through the 'survey flow' option. Within survey flow, randomizers were added to enable randomization of all conditions by evenly distributing participants between receiving a text containing fear appeals or a neutral text, and between playing the serious game or receiving a text based on the game. The other questions were presented to all participants, irrespective of condition (fear appeal questionnaire; intrinsic motivation inventory; the spear phishing knowledge test). Naturally, all questionnaires contained counter-indicative items to address the human tendency to respond in either a prevalent positive or prevalent negative manner, which is known as the acquiescence bias (Watson, 1992).

Two independent variables were operationalized to manipulate participants within the fear condition to experience protection motivation, participants within the game condition to experience intrinsic motivation, and participants within the game X fear condition to experience both.

4.1.1 Independent Variable – Game-based Learning

Game-based learning was operationalized through the serious game Anti-Phishing Phyllis (Appendix B, 9.5). This game was originally developed at Carnegie Mellon University, which specializes in technical and robotics topics and is prestigious in this type of research. Participants played the free demo version as made public by Wombat Security, a cybersecurity firm concerned with all types of cyber-threats, including spear phishing. The game consisted of three rounds in which participants acquired more knowledge on the spear phishing subject from round to round. In this game, Phyllis, an animated fish, accompanied players in teaching them to detect potential spear phishing attacks and provided them with protection mechanisms. Within each round, participants received three emails containing several phishing traps, two to four on average. Participants were instructed to move their mouse pointer over these potential traps, characterized by red bubbles emerging from the potential traps. Within each trap, participants were provided with the choice to click the 'ignore' button or the 'disarm' button. In case the potential trap was not a direct threat, such as what appeared in the subject lines of the emails, participants were instructed to choose the ignore button. In case the potential trap was a direct threat, such as when personal details were requested, they were instructed to choose the disarm button. The red bubbles eventually turned cream coloured once either the 'ignore' or 'disarm' button was chosen. After every decision participants received immediate feedback, in which they were directly praised after every correct decision or punished after every incorrect decision. A decision was labelled incorrect when either a non-threat was disarmed (false positive) or a direct threat was ignored (false negative). The consequences involved a time reduction in the case of false positives and the loss of one life (the game provided 3 lives) in the case of false negatives, since false negatives have more harmful consequences than false positives: if individuals ignore direct threats, this would be equal to being spear phished. After every round, participants received an assessment of their performance and what to pay attention to in next rounds. The game took approximately 10 minutes to complete. Participants were either assigned to the game condition, in which they were requested to play the game, or to the non-game condition, in which they received an informative text based on the non-game (Appendix B, 9.6). The core elements of gamification are immediate feedback, a clear goal and the means to attain that goal, which simultaneously resembles experiencing intrinsic motivation (McGonigal, 2011). Participants moved through three rounds in which they received several images. This could have led to information dissimilarity, in which participants in the game condition were presented with more information than in the condition where they solely received a text based on the game. Therefore, the non-game condition included sketches of the anti-phishing game (through screenshots of the game itself) to resemble the game as closely as possible, to eventually ascribe the potential differences in performance on the spear phishing knowledge test to the principles of game-based learning, and not to differences in the amount of information received. In both conditions participants were made aware of the fact that the provided knowledge (within game or text) would be tested later on, to enhance the likelihood of their willingness to learn.
