1 Introduction

Organisations cannot secure their information and systems without the active involvement of their employees. They are essential in bolstering organisational cyber security (Ahmed et al. 2014). In essence, employees need to know what to do, and how to do it, Hence they have to possess the required knowledge and skills (know-how) to play their part in maintaining cyber security. While awareness drives and training are undeniably valuable and essential, such drives are not sufficient. Of particular interest in this paper is cyber security knowledge sharing (SKS). Knowledge sharing, of all types, improves the organisation as a whole and engenders trust between employees (Dang and Nkhoma 2017). The knowledge held by an organisation’s employees is its most important asset (Wegner 1987). If cyber security knowledge is shared, it can potentially prevent security breaches (Dixon 2000) and help to reinforce the importance of cyber security (Rahim et al. 2015). The efficacy of deliberate engendering of informal SKS between employees should be investigated in terms of its potential to improve overall organisational cyber security (Mermoud et al. 2018).

The biggest SKS challenge lies in understanding the key factors which make it successful (Ortiz et al. 2017; Kim and Lee 2006). A previous study explored a number of different theories designed to mitigate the SKS challenge (Al Ahmari et al. 2018) and others focus on individual-focused aspects rather than the social aspects of SKS (Safa et al. 2018; Safa and Von Solms 2016; Bulgurcu et al. 2010; Abawajy 2014; Bada et al. 2019) These approaches neglect the impact of factors facilitating and motivating knowledge exchange within organisations and generally do not address social aspects influences on cyber security activities. We would be helpful for organisations to know how to promote cyber security knowledge sharing (Al Ahmari et al. 2018; Abawajy 2014). As such, the research questions are:

RQ1::

Can organisational security knowledge sharing (SKS) be modelled using Transactive Memory System (TMS) Theory?

RQ2::

Can individual SKS be encouraged by satisfying employees’ self-determination needs?

Section 2 reviews the background literature on SKS. Section 4 then lays out our research methodology which we engaged in to answer the two research questions. Section 5 reports the results, Section 6 returns to the research questions and then Sect. 7 discusses the findings and reflects on their implications. Section 8 concludes.

2 Related research

As business dependence on internet technologies increases, so does the likelihood of security breaches. Employees play a crucial role in enhancing cyber security (Ahmed et al. 2014). Their understanding of the cyber security risks and knowledge of mitigations can positively influence organisational cyber security behaviours (Becerra-Fernandez and Sabherwal 2014). The term ‘security is critical’ is one that all employees should be familiar with. Due to the rapid integration of internet technology into modern businesses, employees play a critical role in bolstering organisational systems’ cyber security.

An essential prerequisite for making such secure behaviour possible is for employees to know what they should do (knowledge), and how to do it (skills). However, in addition to that, a powerful additional way to increase and enhance cyber security knowledge is to encourage and facilitate SKS within organisations (Mermoud et al. 2018).

SKS, of all types, facilitates trust between employees (Dang and Nkhoma 2017; Politis 2003). Of particular interest in this paper is cyber SKS, which improves cyber security awareness (Dixon 2000). Organisations should therefore facilitate and engender SKS to make the knowledge accessible to all of those who need it and ultimately to enhance cyber security.

2.1 Cyber security awareness (CSA)

CSA can be described as “a state where users in an organisation are aware of ideally committed to their security mission” P.31, (Siponen 2000). According to Abawajy (2014), CSA may be described as users’ understanding of the critical nature of cyber security best practice. Employees, in general, have varying degrees of security knowledge. Several studies argue that employees’ CSA is among the most significant elements for achieving the objectives of cyber security in organisations (Siponen 2000; Bauer and Bernroider 2017; D’Arcy et al. 2009).

CSA offers significant insights into how to enhance employees’ awareness of security policies to mitigate risk (Siponen 2000; Vance and Siponen 2012). There have been multiple approaches to increasing employees’ awareness through traditional training programmes (Killmeyer 2006). According to Thomson and von Solms, programmes are most commonly delivered via presentations, workshops, and multimedia packages, email reminders and screen savers (Siponen 2000). Moreover, Bauer and Bernroider (2017) implemented an action programme to raise CSA associated with phishing, password security and clear screen policies. Consequently, Puhakainen and Siponen (2010) argued that there are two requirements to ensure a security training programme is effective. The first must provide theoretical clarification of why and who the programme works for. The second requirement, the theory, must deliver guidelines for how effective training is to be delivered in the workplace (Puhakainen and Siponen 2010). Bada et al. (2019) agreed that considering how employees perceive risks is key to building awareness.

Enhancing employees’ technology expertise is a significant precursor of CSA (Haeussinger and Kranz 2013). Information knowledge refers to understanding the fundamental information technology applications used in daily business, such as computers, email systems, and the internet. The level of general IT knowledge of employees positively affects their CSA (Haeussinger and Kranz 2013). Employees who are more knowledgeable about cyber security and information technology will be more aware of cyber security issues (Khando et al. 2021). Thus, organisations are recommended to improve their employees’ IT skills to avoid them from engaging in unintentional non-secure behaviour. Mejias confirmed this, stating that the constructs of technical expertise, organisational influence, and attacker assessment all had significant connections with CSA (Mejias 2012). Intriguingly, corporate influence and attacker evaluation were associated with CSA more strongly than technical knowledge (Mejias 2012).

People can gain security knowledge from training programmes (Bauer and Bernroider 2017; Killmeyer 2006; Thomson and von Solms 1998), from personal experience (Dang-Pham et al. 2017) or from other employees in the workplace (He and Johnson 2017). However, approaches of this type of carry with them a variety of well-known limitations, such as the difficulty in determining the effectiveness of such training (He and Johnson 2017).

One mechanism for improving CSA is for employees to transfer security-related knowledge to other employees (Siponen 2000). Organisations should implement suitable incentive schemes to foster employee cooperation and promote sharing, it is claimed. Several studies examined the impact of SKS processes and discovered that a well-developed cooperative theory enables effective information sharing, knowledge application, and informal SKS (Choi et al. 2010; Davison et al. 2013). In the following sections, we will discuss information SKS and its role in general terms.

2.2 Cyber security knowledge sharing (SKS)

Knowledge is gained when meaning is added to information. People can gain knowledge from others in their environment (Feledi et al. 2013) or from personal experience (Feledi and Fenz 2012). In the cyber security context, people can gain information from training drives, but are more likely to gain the knowledge they need from other employees in the workplace Alahmari et al. (2019). The cyber security field is characterised by it fluidity, emergent threats and, specifically, the fact that security behaviours have to evolve accordingly.

Zhang (2018) confirms that knowledge expires in this field, and needs to be renewed constantly. Moreover, Junger et al. (2017) showed that warnings, by themselves, do not necessarily make that much of a difference to susceptibility to social-engineering attacks. Gcaza and von Solms (2017) finds that cultivating a cyber security culture, which implies that SKS has become de rigueur, is the best approach for addressing human-related cyber security vulnerabilities.

SKS implies collaboration i.e., working together to achieve an objective. Safa et al. (2017) identified cyber security collaboration as a powerful and efficient approach to reducing the risks associated with managing cyber security. In particular, the goal is to facilitate SKS (Safa et al. 2017; Chen et al. 2014). While several studies have explored the organisational and individual aspects to enhance CSA (Tsohou et al. 2015), limited studies into collaboration have been conducted in the cyber security field into the organisational context.

2.3 Theory of transactive memory system (TMS)

TMS has been described as “a set of individual memory systems in combination with the communication that takes place between individuals” (Wegner 1987). TMS determines the specific division of cognitive labour within a group of people, as a means to facilitate encoding, storage, and retrieval of knowledge pertaining to various domains. When a TMS is being utilised, each group member is aware of “who knows what, and who knows who knows what” (Choi et al. 2010). Simply put, the characteristics of a TMS mean that three crucial qualities, common to other types of socially shared cognition, are present – i.e., differentiated knowledge; processes of transactive encoding, storage and retrieval; and the dynamic nature of TMS functions (Lewis and Herndon 2011). Thus, an alternative and more suitable approach might involve a shift of focus away from repositories towards processes (Jackson and Klobas 2008).

Liang et al. (1995) described three aspects of TMS:

(1) Specialisation is the term used to describe the degree of differentiation of the knowledge held by team members (Liang et al. 1995). Specialisation reduces the cognitive burden on community participants by allowing each to focus on his or her own area of expertise. It urges members to prioritise information integration through different domains in order to maximise team knowledge use (Lewis 2003). Moreover, differentiated group knowledge results in specialisation within the team, resulting from the team’s knowledge duties being divided. While expertise variety is a feature of the original team composition, specialisation occurs when team members collaborate and relates to task-specific knowledge obligations. Expertise diversity is different from the knowledge specialisation components of TMS structures in that it represents the breadth of each team member’s abilities, knowledge, and training before their collaboration (Cronin and Weingart 2007).

(2) Coordination describes the efficiency of the team in terms of knowledge processing while working together to enhance the coordination of information within teams (Ali et al. 2019). Moreover, coordination is a team process that entails the coordination, behaviour patterns, and skills among team members in order to achieve shared objectives (Rico et al. 2008). Zhong et al. (2012) confirmed that improved coordination and collaboration would increase task performance.

(3) Credibility is the way in which individual team members perceive the reliability of the knowledge held by the other members of the team (Kotlarsky et al. 2015; Liang et al. 1995). As Lewis asserts, these three variables “reflect transactive memory itself, as well as the cooperative processes illustrative of transactive memory use” (Lewis 2003; Wang et al. 2018). Davison et al. (2013) argue that TMS facilitates SKS, leading to improved team creative performance via team creative efficacy. Our premise is that organisations should facilitate and engender SKS by removing the challenges that prevent SKS, i.e., “specialisation, credibility and coordination” (Kotlarsky et al. 2015). The aim is to make security knowledge accessible to all of those who need it and ultimately to improve security awareness across the organisation. Our first qualitative study delivered insights about which factors impact SKS, and we are able to align these factors to the core tenets of TMS theory.

2.4 Motivating sharing

Motivation refers to an innate need shared by all humans to seek novelty and challenges, expand, and exercise their skills, and explore and discover (Ryan and Deci 2000). Regarding the area’s significance, there are several academic fields in which reward management may be theorised, for example, economics (Perkins and Jones 2020), password manager adoption (Alkaldi and Renaud 2019), and information security policy compliance (Alzahrani et al. 2018). This effect results from motivation’s essential role in assisting in the understanding of employee performance and reward. Indeed, the basis is one of psychology’s oldest ideas, and we depend on established theories to help us understand how it manifests in the workplace (Ambrose and Kulik 1999). Thus, examining a theory of human motivation seems to be an appropriate way to to encourage SKS.

The core of Self-Determination Theory (SDT) is that individuals may be motivated to perform certain behaviours both extrinsically and intrinsically. Deci, a social psychologist, and Ryan, a clinical psychologist, pioneered the creation of SDT, a theory of human motivation and development that elucidates the fundamental principles underpinning sustained motivation (Deci and Ryan 2010). According to DeCharms (1972) and Deci and Ryan (2010), intrinsic motivation works by motivating an individual through their own natural interest in activities that are new or challenging. With intrinsic motivation, there is no need for the individual to be rewarded for their behaviour (Deci and Ryan 2010; Arachchilage 2016). In fact, there is a natural desire to learn; people have an innate wish to master something, learn something new through interest, or to explore, and this is the driver to pursue mastery throughout life (Deci and Ryan 2010; Arachchilage 2016).

The core of SDT is that individuals may be motivated to perform certain behaviours (Wang and Hou 2015; Ryan and Deci 2000). In SDT, three key human needs must be met: autonomy, competence, and connectedness (Ryan and Deci 2002). Studies have shown that when these three core needs are satisfied, individuals are more likely to take part in and exhibit better performance on an activity (Roca and Gagné 2008; Alahmari et al. 2019).

(1) Autonomy refers to when individuals act in their own interests and ideals; the feeling of having choice over behaviour (Baard et al. 2004); and feeling like the initiator of one’s own activities. There is a need for autonomy, which is a person’s wish to organise their own actions (Ryan and Deci 2000). According to Deci et al. (1994), autonomy support is when a person in a position of power considers the viewpoint of others, recognises their emotions, and gives relevant information, reasoning, and opportunities for choice.

(2) Competence is the knowledge of how to engage effectively with one’s surroundings and the conviction that one can affect significant outcomes (Baard et al. 2004), and the need for a sense of competence, which is when a person desires self-efficacy (Ryan and Deci 2000). According to Deci and Ryan, individuals with a desire to engage successfully with the environment feel competent in generating desired results, and in order to avoid undesirable occurrences, competence is needed (Ryan and Deci 2002).

The need for (3) relatedness encompasses creating a sense of mutual respect and dependence (Baard et al. 2004), and the need for relatedness, i.e., a person’s wish for the support and feelings of connection with others around them (Rocha Flores et al. 2014). Deci and Ryan asserted that relatedness entails a feeling of belonging or a sense of connection to a particular social environment (Ryan and Deci 2002).

As a consequence, the study adopted the SDT as an intrinsic motivation to change human behaviour. To apply SDT to empirical research, the idea was to implement education games that use gamification elements while applying SDT dimensions to the gamification elements.

2.5 Summary

Previous research in social network and technical systems has indicated that various reward system indicators can have a significant positive effect on SKS (Gagné 2009; Wickramasinghe and Widyaratne 2012). Conversely, other studies have revealed the negative impacts of reward systems (Cabrera and Cabrera 2005). Such tactics focus on short-term motivation, yet SKS ought to be seen as a long-term solution to low levels of security awareness.

Our literature review revealed that cyber security investigations generally use a specific limited number of theories, such as the Theory of Planned Behaviour and Theory of Reasoned Action (Lebek et al. 2014). There have also been other approaches to improving security awareness. These have generally been based on individualistic models (considering an individual in isolation), but our proposal is to use a more collaborative model to improve security awareness (Bulgurcu et al. 2010; Safa et al. 2018; Safa and Von Solms 2016).

Individual-focused models have more to do with predicting factors leading to security-related behaviours than with factors that lead to security-related SKS within organisations. Recent studies show that conventional social engineering and cyber security training approaches often lack actual exposure for employees (Olusegun and Ithnin 2013; Aldawood and Skinner 2019). These techniques do not expose employees to real-world situations in the way that contemporary training methods do. Employees are educated about the assault via traditional methods, but they may fail to identify it when confronted with the actual attack. These conventional techniques alone are insufficient to foster a culture of security among employees (Olusegun and Ithnin 2013; Aldawood and Skinner 2019).

We thus consider using the lens offered by TMS in order to understand and encourage SKS. TMS has been used in other contexts to model SKS between employees (Lehner and Maier 2000). Moreover, researchers in information retrieval have adopted the individual experience directory of TMS to gain access to the data usage of IT-based expertise information (Yuan et al. 2007). Thus, this study selected the TMS to model the dissemination of security knowledge in organisations. Choi et al. (2010) argued that SKS activities have features that support specific communication and collaboration practices to facilitate team-related TMS. Yet TMS only describes existing SKS within organisations; our interest is also in encouraging such sharing. We thus propose incorporating the core tenets of SDT into our model as well, in order to enhance SKS. Furthermore, Tsohou et al. (2015) confirmed that there are limited studies examining security awareness at both levels (organisational and individual level) in terms of having effective cyber security awareness programmes . Moreover, it is claimed that organisations should implement suitable incentive schemes to foster employee cooperation and promote sharing (Choi et al. 2010). Several studies examined the impact of TMS on knowledge processes and discovered that a well-developed TMS enables effective information sharing, knowledge application, and informal SKS (Choi et al. 2010; Davison et al. 2013). According to Vance et al. (2012) prior work in an organisational setting has focused on employees’ compliance with security procedures.

3 Application design & development

3.1 Design

To test our intervention, we needed to create an app to facilitate knowledge sharing, incorporating the relevant aspects of SDT to encourage sharing. To encourage engagement with the app, we harness an educational game, widely recognised as a powerful teaching tool with the potential to result in an “instructional revolution” (Cone et al. 2007; Arachchilage 2016; Cone et al. 2007). Security games (SGs) give employees the opportunity to enjoy learning and to collaborate, as the games comprise a form of intrinsic motivation (Alzahrani and Johnson 2019; Hart et al. 2020; Aladawy et al. 2018).

3.2 Implementation

The instrument was created with the goal of allowing learners to learn and share their knowledge on the basis of the SKS model, as seen in Fig. 1. (Alahmari et al. 2020) . As a result, the learner was given as much influence over and interaction with the learning process as possible by constant input on the information transfer process (Alahmari et al. 2019). Moreover, the structuring and presentation of the instrument around critical aspects of baseline security expertise enabled them to address the challenges and validate the security knowledge. The SKS model was used to build the instrument components in line with the cooperation model established in provides work. The instrument, named STOW SYS, reflected the primary objective of the study (Alahmari et al. 2019).

Fig. 1
figure 1

The proposed research model

When developing the instrument, the study considered previous work in terms of how it tackled challenges and how the SKS model could be implemented to mitigate those challenges (Al Ahmari et al. 2018). Further, what security knowledge issues should the employees be informed of, and how should these topics be presented? To achieve these goals, we adapted e-learning scenarios to encourage reflection and discovery among employees that involve multiple-choice questions delivered through a virtual connection (Chen et al. 2014; Dixon et al. 2019). The scenarios are based on the Global cyber security policy, as well as basic human mistakes (in the real world) (Tsohou et al. 2015).

Many instructional concept models are available for use in developing effective e-learning in the workplace. Each researcher employs a unique approach, which varies based on the current aim and participants (Garrison 2011). The ADDIE model is the most traditional model for instructional design, and all others are based on it. The model’s name is an acronym of the five phases that are involved in the process: Analyse, Design, Development, Implementation, and Evaluation (Battou et al. 2016), as shown in Fig. 2.

Fig. 2
figure 2

The five processes of the ADDIE model

3.3 The STOW game overview and rules

The STOW is a security game presented as a mobile app (e-learning scenarios to encourage reflection and discovery by employees), which includes multiple-choice questions. The scenarios are based on the Global Information Security Policy and commonly made human errors. STOW is designed to be played by employees working together under the guidance of the IT department, who will control the game. Several features were included in the game to assist employees in interacting with each other. For example, we gave them scenarios to think about, and the correct answers were ranked based on their expertise. The experts could share their knowledge by adding their personal motivation for choosing a particular answer via the “Check Your Answer” button. The “Add a New Answer” button could be used if they were not satisfied with the current ‘best’ answer. The STOW system allowed employees to look at the newly posted answer. They could evaluate it and post a response. Moreover, the STOW provided a “The Best Answer” button based on the employees’ evaluations and by the IT department, who validated it. The flow of the game is as shown in Fig. 3.

Fig. 3
figure 3

The flow of the game

Appropriate competition dynamics will help persuade employees to become more engaged in their assignments which were developed using the SKS model, as shown in Fig. 11.

3.3.1 Interface design

This section details the STOW as it was applied to the employees during the experiment as seen in Fig. 4 .After registering for STOW, employees received a pre-assessment evaluation. Following this, they began the game and then wrote their nickname or email to match pre- and post-assessment with the STOW players.

Fig. 4
figure 4

Home screen

Several features were included in the game to assist employees with interactions, including ‘Check your Answer’ and ‘Evaluate’. Moreover, to authenticate the response, STOW allowed employees to evaluate it in the manner agreed upon by the SKS model. By pushing the same button, the best response is shown to the staff. Additionally, the information technology department developed a tag that verified the best response and awarded the best response badge (Figs. 5 and 6).

Fig. 5
figure 5

Steps to validate the best answer (AR)

Fig. 6
figure 6

STOW evaluate and check your answer (translate Fig. 4 into English)

4 Study methodology

In order to determine the impact of the intervention, we need to collect sufficient data. Data generation, according to Oates (2005), is the “method of producing analytical data or facts, which may be quantitative or qualitative”. During the exploratory case analysis, three data generation approaches were used, which are outlined in Table 1. Within the application, participants were allocated to either the control or experimental group, the latter interacting with the intervention.

Table 1 Data generation methods

The study was conducted to whether the effects of satisfaction of SDT needs mitigate SKS challenges between the intervention and control groups. After the study was approved by the FIMS ethics committee of the University of Glasgow, 300 employees at a large organization in Saudi Arabia were invited to participate in the study (in two different campuses and cities). One hundred and twenty-eight (43%)employees agreed to participate in the study and were allocated to one of two conditions: experimental (A) in (n = 64) and control (B) (n = 64). The study groups were not randomly allocated: our goal was to reduce the chance that the control group might learn about the intervention from the other two groups. As a result, participants were divided into groups based on their buildings’ geographic isolation to ensure that we reduced cross contamination.

For pre- and post-testing, we adopted the scaleproposed by Kruger and Kearney (2006) to measure CSA, which can quantify the level of awareness as shown in Table 14.

4.1 Study procedure

  1. Step 1:

    Obtain consent after providing full information.

  2. Step 2:

    Pre-test to assess baseline security knowledge.

  3. Step 3:

    Depending on the individual’s assigned condition:

    1. Group A – Experimental group:

      Employees were given a pre-questionnaire (Cyber Security Assessment). They were then given the game application which provided users with knowledge about how their security awareness can be improved (two-week intervention). Following this, participants were given a post-questionnaire (Cyber Security Assessment).

    2. Group B – Control group

      Participants in this group were given a pre- and post-test (Cyber Security Assessment) with no intervention to maximise SKS, as seen in Fig. 7.

  4. Step 4:

    Experimental group use the STOW app.

  5. Step 5:

    Post-test to assess post intervention/post delay security knowledge.

Fig. 7
figure 7

Assessment and game flow

4.2 Participants


hree hundred employees at a large organization in Saudi Arabia were invited to participate in the study. Participants were allocated to one of two study groups: experimental (A) (n = 64) and control (B) (n = 64). Study groups were not randomly allocated to ensure that we reduced cross-contamination. Participants who completed the steps are presented in Table 8, with participant statistics shown in Table 12.

4.3 Analysis

As indicated in the Data Collection Procedure section, the data for this stage came from a survey (questionnaire) which was measured the improvement in Security Awareness levels pre-and post-intervention, documents, and observations.

Quantitative data, taken from the pre- and post-intervention measurements were compared to see whether the intervention had made any changes to the employees’ security knowledge. Quantitative data analysis was the first phase, which included information taken from a questionnaire which was collected pre- and post-assessment. First of all, normality tests were performed on the data prior to running the analysis. To fulfil normality requirements, the research tested outliers in the intervention and control groups (Tabachnick et al. 2007). Engagement scores were normally distributed for the control and intervention groups, as seen in Table 2. The control group was assessed using Shapiro-Wilk’s test (p= 0.552< .05) as shown in Table 2. This group was also assessed by visual inspection of normal Q-Q plots, as shown in Fig. 8. Thus, as the p-value is larger than 0.05, we assume a normal distribution.

The intervention group was as assessed by Shapiro-Wilk’s test (p= 0.017 < .05) as shown in Table 2. Additionally, the participants were assessed by visual inspection of normal Q-Q plots, as shown in Fig. 8. Therefore, if the p-value is smaller than 0.05, we do not assume a normal distribution, as seen in Table 2.

The control group was dispersed normally, whereas the intervention group was not. Thus, non-parametric tests were used in the statistical analysis (Diggle et al. 2000; Luengo et al. 2009).

Table 2 Tests of normality
Fig. 8
figure 8

Visual inspection of normal Q-Q plots of control group

The Wilcoxon signed-rank test was used within groups to determine the median difference between pre and post-intervention (Gibbons and Chakraborti 2020). A between-group design was used in the Mann-Whitney U test to determine differences between the two groups on a continuous or ordinal dependent variable (Dinneen and Blakesley 1973).

The analysis analysed the qualitative data from three experimental steps:

  1. Step 2:

    Pre-assessment test:The pre-assessment test score was used to determine the players’ cyber security awareness before the game, as well as to measure SKS during work before STOW.

  2. Step 3:

    During the game: we followed the requirements of the factors which we have addressed in the SKS model in the document. The document included the employees’ scores before, after, and during the game. Also included are interactions during the game, such as contributions to the knowledge repository, evaluation of the players’ answers, and lower players before and after the game.

  3. Step 4:

    Post-assessment test: Following the game, the post-assessment test score was utilised to establish the players’ level of cyber security awareness, as well as to determine whether the STOW improved knowledge exchange during the workday after use.

5 Results

5.1 Scenario and questionnaire component validity

Validity was measured using a content validity expert panel consisting of two faculty members and six doctoral students experienced in quantitative analysis and quantitative research. The techniques established content validity for all scenarios (both formative and reflective) via a literature study (Gefen and Straub 2005). Our target in this experiment was to improve the delivery of training in cyber security awareness. To put this theory to the test, scenarios and questionnaires focused on password management, email usage, and general questions about incidents that occurred during the workday. For several reasons, both the recommendations in the Literature Review and the Data Breach Investigations Report confirmed that the most common causes of security breaches in many organisations were password management and email use (Ahmed et al. 2019; Hadlington 2021). Due to the short duration of the experiment, it was not possible to cover all aspects of cyber security awareness. Additionally, concentrating on specific elements aids in testing the research hypothesis and obtaining an answer.

After we implemented and empirically tested the application, the research question could be addressed. The results are divided into two sections: quantitative and qualitative.

5.2 Quantitative results


Step 3A: Experimental Group A: To determine whether the intervention increased employees’ level of cyber security awareness, a Wilcoxon signed-rank test revealed a statistically significant increase in employees’ security knowledge for the intervention group participants: z = − 5.35, p = 0.00, with a large effect size (r = 0.72) as seen in the descriptive statistics (Table 3) and Wilcoxon signed-rank test (Table 4). Participants’ pre-test and post-test scores are presented in Fig. 9.


Step 3B: Control Group B: There was no significant increase in the employees’ level of cyber security awareness: z = -5.31, p = 0.00, with a large effect size (r = 0.71), as seen the descriptive statistics (Table 5) and Wilcoxon signed-rank test (Table 6). Participants’ pre-test and post-test scores are presented in Fig. 10.

Table 3 Descriptive statistics: group A
Fig. 9
figure 9

Intervention group A

Table 4 Wilcoxon signed ranks test: group A
Table 5 Descriptive statistics: group B
Table 6 Wilcoxon signed ranks test: group B
Fig. 10
figure 10

Control group B

Comparison Between and Within Groups: There were no statistically significant differences in pre-test scores for security knowledge. The mean rank was 39.76 in Group A, while Group B was 40.24, illustrating no significant difference between control and intervention.

The intervention group significantly improved their knowledge (mean rank = 57.23) after the intervention. The control group demonstrated no significant differences between pre-test and post-test scores in security knowledge (mean rank = 23.2), as seen in Table 7. Unexpectedly, the control group result in the post-test was lower than the pre-test, most likely due to the fact that they did not know the answers and therefore did not spend much time answering the questions. The results were z = -6.59, p = 0.00, with a large effect size (r = 0.56). The decrease in group B’s scores was caused the participants disengaging and not caring about their scores the second time around. We noted that the average time taken to complete the pre-questionnaire was 10–12 minutes, whereas the post-questionnaire took 4–6 minutes on average. The pre- and post-scores were equal for only two players (B29 and B23). To find a scientific explanation, we looked at the data and the time spent taking the test. It became clear that B23 spent ten minutes completing the pre test, while spending 7 minutes on the post test. B29 spent 8 minutes doing the pre test, doing the post test in 10 minutes. Hence, these players spent the same amount of time doing the test. One of the biggest acknowledged problems with cyber security training is waning engagement and growing indifference. STOW improved engagement – and the control group’s disengagement confirms this tendence as well as STOW’s ability to counteract this tendency. The mean for both tests can be seen in Fig. 11.

Table 7 Mann-Whitney test - ranks
Fig. 11
figure 11

Mean of the average score A and B

5.3 Qualitative results

Step 2: pre-assessment test: Prior to the game, we evaluated each player’s level of cyber security knowledge. As shown in Fig. 13, the players’ awareness levels were a good 21%, an average 16%, and a poor 3%. We also counted how many times employees shared their information before using the STOW system. As shown in Fig. 12, the employees were 2% daily, 6% weekly, 16% monthly, and 76% never.

Fig. 12
figure 12

Frequency of employees sharing knowledge

Step 3A: during the game: Many players were registered on the STOW SYS as the record was confirmed from the file that tracked the players during the game. Forty players completed the steps of the games until they have completed all rounds of the games. One of the main goals of the STOW was to encourage employees to interact with one another during the game. Consequently, 39 out of 40 employees interacted with STOW and shared their knowledge with others. They evaluated 372 answers in order to evaluate the knowledge added by the employees and to obtain the correct answer, as seen in Table 8.

Table 8 STOW’s panel control

Best players based on contributions and evaluated answers: To track players and award them tags based on their expertise, the STOW offered them numerous tags, such as “Expert User”, based on their performance on the pre-assessment test. Furthermore, employee evaluation was used to find the best replies. Finally, based on the tags, the best three players were identified and validated by the IT department, who supplied the best response (Table 9).

Table 9 Best STOW players during the game

Lower players before and after the game: The experiment focused on lower-level players both before and after the game, with the findings reported by four employees who had improved their game knowledge. The first employee, B8, scored 48% in the pre-assessment, which was poor. After he used the STOW, completed all of the scenarios, and interacted with others to evaluate the best answers, he improved his score to 64% in the post-assessment, which is average. Employee B24 scored 58%, which was also low, but he improved to 68% after following all of the game instructions. The third user scored 66%, which is considered poor after scoring 85% in the first one. This user completed all of the scenarios but did not select the best answer because experts had recommended some of them. During the game, he also interacted with many other players. The last user, B29, scored 68% in the pre-assessment. After the interaction with the STOW, he completed all of the scenarios, but he also did not select the best answer because experts had recommended some of them. He also interacted with many other players during the game, and he improved to 85%, as shown in Table 10.

Table 10 Lower scoring players before and after the game
Fig. 13
figure 13

Group A: player awareness levels

Step 5: post-assessment test: After the game, each player’s level of cyber security knowledge was evaluated. As shown in Fig. 13, players’ awareness levels were good at 90% rather than 54%, an average 10% instead of 41%, and a poor 0% instead of 5%. Additionally, there was an increase in the frequency with which employees shared knowledge following the implementation of STOW. Following the game, we found that employees increased their daily sharing by 28% rather than 2%, their weekly sharing by 15% rather than 6%, their monthly sharing by 35% rather than 16%, and never sharing reduced to 31% from 76%. In contrast, as seen in Fig. 12, the control group did not improve.

6 Returning to the research questions

6.1 Contribution

The main experimental contribution of our study lies in extending TMS and SDT theory beyond the delivery of CSA training (Hamari et al. 2014), which tends to create an ‘objectivist’ view of the collaborative model (Safa et al. 2017).

RQ1: Can organisational security knowledge sharing (SKS) be modelled using Transactive Memory System (TMS) Theory?

Organisational shared knowledge was modeled using TMS during this investigation. The success of the intervention, especially in terms of increased SKS, suggests that this theory was indeed appropriate given that the SDT need satifaction was specifically targeted to enhance TMS constituents.

RQ2: Can individual SKS be encouraged by satisfying employees’ self-determination needs?

The findings from the experiment indicate that the experimental group, which met SDT needs, developed a superior knowledge of assessing and responding to security incidents, as compared to the control group. Their CSA improved (See Fig. 11), and their SKS increased (See Fig. 12).

6.2 In summary

This study extends the knowledge on how to deliver security training by exploring the positive effects of including autonomy as intrinsic motivation and relatedness into training (STOW). Both encouraged the employees to complete the training without any external influence, which led to enhancing the employees’ security knowledge.

Along with obtaining additional data, new findings explored the positive relationship between autonomy as intrinsic motivation and relatedness, which has not been investigated before

7 Reflection

This research was carried out to determine whether SKS could be increased if we used SDT need satisfaction to enhance the three constituent parts of TMS. Some researchers have speculated that the connection between motivation and SKS at work is an important issue, but the data on the topic are contradictory (Heilmann et al. 2013; Sáiz-Pardo et al. 2021). According to Choi et al. (2010), no empirical research has explicitly examined the impact of information technology in the enhancement of TMS.

We conducted an empirical investigation where half of participants received an intervention to satisfy SDT needs, with the transitive impact on TMS, while the control group did not. During the experiment, we consulted three sources which, together with supporting quotations from participants, make up the application’s observations. The three sources were: (1) interaction and facilitating learning, (2) self-efficacy and encouraging others, and (3) the impact of enjoyment on learning (Alahmari et al. 2020).

(1) Interaction and Facilitating Learning: Interaction and facilitating learning are essential factors required to develop an understanding of interaction among employees and understanding what needs must be met in the system (Alahmari et al. 2020, 2019). The study included interaction within the app to satisfy the relatedness of the SKS model (Alahmari et al. 2019). As mentioned in the literature review, relatedness is the need for connection, i.e., a person’s wish for support and feelings of connection with others around them (Roca and Gagné 2008). This is a type of intrinsic motivation which encourages humans to change their behaviour by being self-motivated (Roca and Gagné 2008). It connects employees via the app. Furthermore, the study satisfies the facilitated coordination requirements in our model, which was included in the app. As previously stated in the review of the literature, coordination describes the efficiency of the team in terms of knowledge processing while working together (Kotlarsky et al. 2015; Lewis and Herndon 2011).

The majority of the previous studies investigated a specific strategy for increasing employees’ security knowledge based on an individual theory (Alahmari et al. 2020; Sailer et al. 2017; Safa et al. 2018; Safa and Von Solms 2016). In particular, the individual approach considers a person in isolation (Alahmari et al. 2019). However, according to our findings, coordination and relatedness can make a difference in changing employees’ attention and interaction during training. These results match those observed in earlier studies using the SKS model that established a relationship between those factors (Alahmari et al. 2019, 2020). Empirical research has also confirmed such a link (Alahmari et al. 2019). with participants noting that knowledge repositories help to resolve recurring problems and enable employees to obtain solutions to problems from sources other than IT staff. This conveys the significance of those factors in managing knowledge and connecting employees via the app, especially when working from home during the COVID-19 pandemic. Additionally, the app’s recording revealed the actions that occurred during the game, as seen in Table 8, in which the employees interacted with one another in order to answer all the scenarios. This finding is consistent with (Tortorella et al. 2021)), whose results demonstrate the critical nature of organisational learning practices via TMS and individual behaviour when individuals are not in their usual work environment – for instance, during a pandemic.

(2) Self-Efficacy and Encouraging Others: Self-efficacy is an important factor in instilling trust in employees as well as validating their knowledge during SKS (Hsu et al. 2007). Credibility, specialisation at the organisational level, and individual competence were the elements adopted to achieve the self-efficacy factor in our app. As stated in the existing literature, Credibility is the way in which individual team members perceive the reliability of the knowledge held by the other members of the team. Specialisation is the term used to describe the degree of differentiation of the knowledge held by team members (Kotlarsky et al. 2015; Lewis and Herndon 2011). Moreover, competence is the need for a sense of competence, which is when a person desires self-efficacy, which shows the ability of the person to do something. Competence is one of the intrinsic motivations that can cause changes in the behaviour of humans.

To date, only a few studies on the effect of TMS on motivation have been conducted (Alahmari et al. 2020; David et al. 2020; Sáiz-Pardo et al. 2021). The SKS model adopted competence as an intrinsic motivation in order to demonstrate the ability of employees through the elements of our intervention (Ryan and Deci 2000). This study produced results which corroborate the findings of a great deal of the previous work on competence related to an individual’s sense of self-efficacy. When feelings of competence are experienced during a particular action as a result of evaluation and feedback, intrinsic motivation increases (Ryan and Deci 2000; Dixon et al. 2019). Positive performance feedback has been demonstrated to increase intrinsic motivation in previous research. Furthermore, recent evidence confirms that user feedback and evaluation can positively influence behavioural intentions to engage in secure behaviours (Dixon et al. 2019; Zhang et al. 2019). Moreover, the result of reinforcing a person’s competence in terms of computer-based activities was a rise in their confidence in their aptitude in this area (Menard et al. 2017). Credibility and specialisation define the extent to which team members trust that the relevant task expertise of another team member is correct and accurate (Lewis 2003).

The current study’s findings support our theoretical model, which was implemented in the STOW (Alahmari et al. 2020). The STOW created a feature that converted the challenge scenarios’ elements into points and badges. Additionally, a leader board was created, which was crucial in building confidence in employees regarding their ability to choose the correct answer during the game (Dixon et al. 2019; Ryan and Deci 2000). Likewise, the best answer tag was the means used to evaluate employees during the game (Dixon et al. 2019; Zhang et al. 2019). Our findings report that employees’ confidence improves when they have a sense of self-efficacy. As a result, we strive to maximise SKS within our organisations. The majority of participants expressed confidence in their ability to find the correct answer based on STOW. Comments from the participants supported this, mentioning how well the app facilitated communication among employees, and that the validity of the data was verifiable through the badges given to experts, further cementing their trust in the credibility of the information available. Moreover, employees appreciated the way in which the app enabled the exchange and preservation of knowledge, giving the opportunity for collaborative training and knowledge sharing.

(3) The Impact of Enjoyment on Learning: The impact of intrinsic motivation through autonomy was significant. Autonomy is defined as a person’s desire to self-organise his or her own actions in order to as if they have control over what they do. The fact that STOW was a game provided an intrinsic motivation (Alzahrani et al. 2018) by giving players complete control over their actions. Because of their enjoyment of the game, the majority completed their tasks, as shown in Table 8. Most previous studies have overlooked intrinsic motivational elements, which refer to doing something purely for the sake of intrinsic interest or enjoyment (Alzahrani and Johnson 2019; Son 2011). Moreover, some participants shared their experiences with the STOW, commenting that not only was it fun and facilitated communication, but also did not take them too long to complete the tasks.

Finally, as Alkaldi and Renaud Alkaldi and Renaud (2019) confirmed, enjoyment plays a vital role in achieving behavioural change. Moreover, a satisfactory SDT is effective at encouraging such compliance in organisations Alzahrani and Johnson (2019). Our study confirmed the positive impact of perceived autonomy, such as changing security training to gamification that includes features mentioned in the previous sections (Alahmari et al. 2020). According to Rigby and Ryan (2011), if a game is designed using meaningful stories, avatars, and teammates, a shared goal is introduced, and this leads to perceptions of relevance. Feelings of social relatedness were induced (Sailer et al. 2017). An important aspect of gamification is that players are provided with specific feedback that serves to induce feelings of competence in their performance. There is thus an expectation that leader boards, badges, and performance charts will induce these feelings of competence in our users (Sailer et al. 2017). Consequently, these features enable employees to develop social bonds, allowing them to cooperate. Designing appropriate competition dynamics will help persuade employees to be more engaged in cyber security (Sailer et al. 2017; Rigby and Ryan 2011).

Summary: STOW significantly improved employee security knowledge (as measured by a post-assessment test) in comparison to who did not receive the training. In addition, the intervention participants demonstrated attitude changes related to both positive and negative outcomes. Participants who completed the STOW game demonstrated significantly higher self-efficacy perceptions than those who did not receive the training. Finally, the results revealed that employees who received STOW training perceived and interacted with the game in a more positive light than employees who did not interact with the game.

The intervention group worked through a number of scenarios and debriefings that included a range of different types of learning methods, including active learning, cooperative learning, and expert evaluation. Deliberate practice and feedback have been found to enhance trust and validate knowledge (Zhang et al. 2019).

Overall, our study revealed that the intervention group participants, who received training, had superior knowledge in assessing and responding to security incidents compared to the control group. Moreover, due to the lack of studies confirming the association, the study eliminated autonomy and relatedness. However, a limited study conducted in a security context confirmed that autonomy positively affects human behaviour changes. According to recently published policy compliance research, satisfying SDT successfully encourages such compliance in organisations (Alzahrani and Johnson 2019; Alzahrani et al. 2018). Alkaldi and Renaud (2019) confirmed the critical effect of applying autonomy to security tool adoption decisions. The new findings explored the positive relationship between autonomy as intrinsic motivation and relatedness, which previous research did not investigate.

7.1 Research limitations

We did not randomly assign participants to experimental conditions, which is contrary to usual practice in this kind of experiment. We did this to ensure that we reduced the possibility of cross-contamination, but we have to acknowledge the possibility that the two differently located groups had different security cultures. Given that they both worked for the same organisation this is unlikely, but not impossible.

The number of participants is relatively small, although the numbers were large enough to support statistical analysis. It is always difficult to get participants when there is a requirement to install an app and to engage with the app for more than a few minutes. If funding can be secured to pay participants in subsequent studies, it is possible that more participants could be recruited, and the study re-run to confirm our findings.

A pre and post-survey instrument were developed to measure the impact of information security knowledge sharing. The pre and post-surveys are identical and include a total of 24 questions. The post-questionnaire was in random order after two weeks. However, the main point of the randomising was not to change the meaning of the questionnaire but to reduce the chance of someone remembering the pre-questionnaire. The results of group B (in the case of the control group) should return the same results, but we noted that the decrease caused the participants not to care about their score the second time around. After noting that the average time taken to complete the pre-questionnaire was 10–12 minutes, we noticed that the post-questionnaire took 4–6 minutes."

7.2 Research implications

This study was concerned with the fundamentals of TMS for different teams, where team members benefit from the successful utilisation and coordination of various expertise. The findings have provided insights into why expertise variety may stimulate TMS (Cronin and Weingart 2007). Thus, the findings shed light on why expertise variety has the potential to both boost and harm TMS. The SKS model has deduced this issue using a combination of motivation and collaboration theory. For instance, employees can find expertise (specialisation) through feedback and evaluation via the STOW system (competence). Future work may consider these findings to adapt e-learning among employees or students.

Recent studies show that conventional social engineering and cyber security training approaches often lack actual exposure for employees (Aldawood and Skinner 2019; Olusegun and Ithnin 2013). These techniques do not expose employees to real-world situations in the way that contemporary training methods do. Employees are educated about the assault via traditional methods, but they may fail to identify it when confronted with the actual attack. These conventional techniques alone are insufficient to foster a culture of security among employees (Aldawood and Skinner 2019; Olusegun and Ithnin 2013).

Additionally, expanding the cycle of the SKS model to incorporate additional iterations of awareness sessions and a greater number of assessment tests may be a future extension of this study. Due to the fact that awareness gains in SKS are time and location dependent, extended studies will examine the importance of the two dynamic factors (TMS and SDT) in the SKS model, which may be expanded upon in future studies.

7.3 Practical implications

IT practitioners must change their organisational culture to foster an attitude toward cyber security rules that views them as a necessary evil rather than a hindrance to workers performing their jobs. The training plan should be changed to consider individual and organisational factors to deliver practical training to the employees.

Cyber security has become an organised process as more and more companies recognise its importance. One of the most difficult aspects of managing an information system is implementing appropriate security measures. Various studies have shown the critical importance of protecting valuable information, and one critical element that must be addressed is cyber security awareness. CSA is about ensuring that all employees of the cyber security function understand their role and are aware of the rules and regulations they must follow.

The majority of CSA training is developed using the traditional method, which does not accurately reflect reality in organisations. The evidence of this is that the employees attended training, but they could not defend themselves when they encountered a security breach. This study utilised a unique technique based on real-world scenarios to educate employees about security risks. Any subsequent study must take these findings into account and construct the CSA based on real-world settings. IT practitioners must consider the findings to create interactive training capable of changing employee behaviour.

Organisations would benefit if IT practitioners and security experts would change their organisational culture to foster security knowledge sharing. At the moment, there is often a regrettable view of information security rules being a necessary evil and a hindrance to workers performing their jobs. The training plan should be changed to consider individual and organisational factors to deliver practical training to the employees. In this context, the study provides practical implications for system designers and developers who seek to improve cyber security within organisations via a collaborative model. Moreover, the study encourages employees to engage in prosocial behaviour through educational security games. The interaction impact on procedural and conceptual knowledge may be achoeved via the deployment of educational games, web-based training materials, contextual training, and embedded training to enhance users’ capacity to detect and avoid phishing assaults and other security incidents.

8 Conclusion

This study proposed a SKS model that aims to improve how employees are made aware of cyber security risks. The empirical study shows that it can help enhance security knowledge and deliver training by adopting the cooperation model. Based on the study findings, ignoring the difficulties inherent in social engineering training and CSA programmes may end in victimisation. Security training that is provided effectively is considered the first line of protection against security attacks. The IT department must consider the effective delivery of CSA. If an employee is not updated on the current security risk fraud methods, attackers may obtain access to the organisation’s information systems via an open door. The STOW’s objective is to offer an interactive and user-friendly approach to enhance employees’ cybersecurity knowledge. The system utilises several strategies to ensure that employees acquire necessary expertise at the appropriate time: a set of interactive scenarios that need the adoption of cybersecurity threats to address one or more actual security concerns. This strategy ensures that employees are kept up to date with potential risks and damage due to security incidents.