Gamified IT-Security Awareness (GITSA)


Research duration: 1 May 2023 to 31 April 2027

Humans are still the underlying cause of most successful attacks on IT infrastructure in organisations; 91% of successful attacks via the internet start with employees. Be it ransomware, Trojans or financial damage caused by successful spear phishing or CEO fraud, all of these attacks require human intervention to succeed. In the vast majority of cases, the affected employees act in good faith and trust, without any conscious intention to harm the company.

Apart from all technical measures and solutions, this problem can currently only be tackled through training and awareness-raising measures. Mandatory regular training on IT security is already well established in many companies (especially in areas of critical infrastructure). However, employees often complete these IT security training courses with limited enthusiasm and participation, and perceive them more as an annoying compulsory exercise than as an important pillar of the IT security strategy.

A not yet widespread approach to increasing the acceptance and sustainability of these training courses is to enrich them with gamification elements, i.e. to incorporate playful concepts and reward systems.
The platform developed in the project, including individual challenges, is to be offered to companies during the project and after it ends, so that they can conduct internal awareness training courses for a wide variety of target groups. It is also to be used in teaching at FH Campus Wien in various study programs. Fast configuration for different user groups and multi-client capability are therefore inherent parts of the solution to be implemented.

Research Goals

  • Structured survey and classification of the most common user errors that have led to IT security-critical incidents
  • Concept and development of a generic, expandable and quickly deployable platform for holding awareness training courses for different target groups
  • Evaluation and development of the necessary organisational and legal (especially with regard to the GDPR) framework conditions in order to be able to carry out such training courses in the best possible way
  • Concept, development, deployment and practical evaluation of corresponding challenges, taking into account the knowledge gained from objective 1
  • Evaluation of the extent to which such a platform can also support teaching (Master IT Security, Bachelor CSDC, ...), especially with regard to the continuing trend towards remote teaching (e.g. for tasks in the area of white-hat hacking/penetration testing)
  • Development of metrics for measuring success after awareness training

Funding Partners

Austrian Research Promotion Agency (FFG)
COIN Aufbau, 9th call for proposals "FH - Research for Business"
