{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T15:37:15Z","timestamp":1743089835986,"version":"3.40.3"},"publisher-location":"Cham","reference-count":23,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031830716"},{"type":"electronic","value":"9783031830723"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,3,13]],"date-time":"2025-03-13T00:00:00Z","timestamp":1741824000000},"content-version":"vor","delay-in-days":71,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"Abstract<\/jats:title>\n Qualitative research methods from psychology and social sciences are feasible tools to gain deep understandings of people\u2019s IT security behaviour, knowledge, sentiments and routines. One\u00a0of these methods, individuals\u2019 own expression in the form of drawings, sketches, charts and other visual representations, are important\u00a0to understand deep knowledge and mental models. However, those methods are, to some degree, dependent on the artistic skills<\/jats:italic>\u00a0of the participants \u2013 those that are not confident in\u00a0their handwriting and drawing might engage less. Building Blocks (sets\u00a0of interlocking bricks) require less artistic ability and it is\u00a0very easy to engage participants \u2013 they can just\u00a0start building<\/jats:italic>. IT security researchers already used such bricks to\u00a0model participants thoughts, but in heterogeneous ways. We on the\u00a0other hand used the LEGO\n $$^{\\copyright }$$<\/jats:tex-math>\n <\/jats:inline-formula> SERIOUS PLAY\n $$^{\\copyright }$$<\/jats:tex-math>\n <\/jats:inline-formula> (LSP) method \u2013 that describes a structured way on how to build models \u2013 to conduct four workshops (with \n $$n=48$$<\/jats:tex-math>\n <\/jats:inline-formula> participants in total), in which the participants were asked\u00a0to build multiple models of everyday IT security in different contexts. We performed a first initial coding of the pictures we took during the workshops. In this paper we report our research method, what\u00a0we did to improve the workshops and data collection and what we learned so far by using LSP.<\/jats:p>","DOI":"10.1007\/978-3-031-83072-3_8","type":"book-chapter","created":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T19:00:31Z","timestamp":1741806031000},"page":"134-145","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Work in\u00a0Progress \u2013 Brick by\u00a0Brick: Using a\u00a0Structured Building Blocks Method to\u00a0Engage Participants and\u00a0Collect IT Security Insights"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1016-5672","authenticated-orcid":false,"given":"Uta","family":"Menges","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5159-3868","authenticated-orcid":false,"given":"Jonas","family":"Hielscher","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8123-0427","authenticated-orcid":false,"given":"Annette","family":"Kluge","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1823-5505","authenticated-orcid":false,"given":"M. Angela","family":"Sasse","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,3,13]]},"reference":[{"issue":"3","key":"8_CR1","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MSP.2016.57","volume":"14","author":"D Ashenden","year":"2016","unstructured":"Ashenden, D., Lawrence, D.: Security dialogues: building better relationships between security and business. IEEE Secur. Priv. 14(3), 82\u201387 (2016). https:\/\/doi.org\/10.1109\/MSP.2016.57","journal-title":"IEEE Secur. Priv."},{"key":"8_CR2","first-page":"22","volume":"20","author":"PM Asprion","year":"2020","unstructured":"Asprion, P.M., Schneider, B., Moriggl, P., Grimberg, F.: Exploring cyber security awareness through LEGO serious play Part I: the learning experience. Management 20, 22 (2020)","journal-title":"Management"},{"doi-asserted-by":"publisher","unstructured":"Beautement, A., Sasse, M.A., Wonham, M.: The compliance budget: managing security behaviour in organisations. In: Keromytis, A., Somayaji, A., Probst, C.W., Bishop, M. (eds.) Proceedings of the 2008 Workshop on New Security Paradigms, p.\u00a047. Association for Computing Machinery, New York (2008). https:\/\/doi.org\/10.1145\/1595676.1595684","key":"8_CR3","DOI":"10.1145\/1595676.1595684"},{"unstructured":"Bodker, S.: Through the Interface: A Human Activity Approach to User Interface Design. Taylor & Francis Group, Milton (1990)","key":"8_CR4"},{"issue":"4","key":"8_CR5","doi-asserted-by":"publisher","first-page":"81","DOI":"10.3390\/safety5040081","volume":"5","author":"A Cerezo-Narv\u00e1ez","year":"2019","unstructured":"Cerezo-Narv\u00e1ez, A., C\u00f3rdoba-Rold\u00e1n, A., Pastor-Fern\u00e1ndez, A., Aguayo-Gonz\u00e1lez, F., Otero-Mateo, M., Ballesteros-P\u00e9rez, P.: Training competences in industrial risk prevention with lego$${\\text{\\textregistered} }$$ serious play: a case study. Safety 5(4), 81 (2019)","journal-title":"Safety"},{"doi-asserted-by":"publisher","unstructured":"Coles-Kemp, L., Jensen, R.B., Heath, C.P.R.: Too much information: questioning security in a post-digital society. In: Bernhaupt, R., et al. (eds.) Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pp. 1\u201314. ACM, New York, NY, USA (2020). https:\/\/doi.org\/10.1145\/3313831.3376214","key":"8_CR6","DOI":"10.1145\/3313831.3376214"},{"doi-asserted-by":"publisher","unstructured":"Hall, P., Heath, C., Coles-Kemp, L.: Critical visualization: a case for rethinking how we visualize risk and security. J. Cybersecur. tyv004 (2015). https:\/\/doi.org\/10.1093\/cybsec\/tyv004","key":"8_CR7","DOI":"10.1093\/cybsec\/tyv004"},{"doi-asserted-by":"crossref","unstructured":"Hayashi, E., Hong, J.: A diary study of password usage in daily life. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2627\u20132630 (2011)","key":"8_CR8","DOI":"10.1145\/1978942.1979326"},{"doi-asserted-by":"publisher","unstructured":"Heath, C.P.R., Crivellaro, C., Coles-Kemp, L.: Relations are more than bytes: re-thinking the benefits of smart services through people and things. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pp. 1\u201312. CHI \u201919, Association for Computing Machinery, New York, NY, USA (2019). https:\/\/doi.org\/10.1145\/3290605.3300538,","key":"8_CR9","DOI":"10.1145\/3290605.3300538"},{"issue":"2","key":"8_CR10","doi-asserted-by":"publisher","first-page":"65","DOI":"10.4013\/sdrj.2018.112.03","volume":"11","author":"CP Heath","year":"2018","unstructured":"Heath, C.P., Hall, P.A., Coles-Kemp, L.: Holding on to dissensus: participatory interactions in security design. Strateg. Des. Res. J. 11(2), 65\u201378 (2018). https:\/\/doi.org\/10.4013\/sdrj.2018.112.03","journal-title":"Strateg. Des. Res. J."},{"doi-asserted-by":"crossref","unstructured":"Herbert, F., Farke, F.M., Kowalewski, M., D\u00fcrmuth, M.: Vision: developing a broad usable security & privacy questionnaire. In: European Symposium on Usable Security 2021, pp. 76\u201382 (2021)","key":"8_CR11","DOI":"10.1145\/3481357.3481526"},{"doi-asserted-by":"publisher","unstructured":"Hielscher, J., Kluge, A., Menges, U., Sasse, M.A.: Taking out the trash: why security behavior change requires intentional forgetting. In: New Security Paradigms Workshop, pp. 108\u2013122. ACM, New York, NY, USA (2021). https:\/\/doi.org\/10.1145\/3498891.3498902","key":"8_CR12","DOI":"10.1145\/3498891.3498902"},{"doi-asserted-by":"crossref","unstructured":"Hillmer, D.: PLAY! Der unverzichtbare LEGO SERIOUS PLAY Praxis-Guide f\u00fcr Trainer, Coaches und Moderatoren (German). Hanser, M\u00fcnchen (2021)","key":"8_CR13","DOI":"10.3139\/9783446470552.fm"},{"doi-asserted-by":"crossref","unstructured":"Kocksch, L., Korn, M., Poller, A., Wagenknecht, S.: Caring for it security: accountabilities, moralities, and oscillations in it security practices. Proc. ACM Hum.-Comput. Interact. 2(CSCW), 1\u201320 (2018)","key":"8_CR14","DOI":"10.1145\/3274361"},{"doi-asserted-by":"publisher","unstructured":"Kranawetleitner, T., Krebs, H., Kuhn, N., Menner, M.: Needs analyses with LEGO serious play. In: Ma, M., Fletcher, B., G\u00f6bel, S., Baalsrud Hauge, J., Marsh, T. (eds.) Serious Games, LNCS, vol. 12434, pp. 99\u2013104. Springer International Publishing, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-61814-8","key":"8_CR15","DOI":"10.1007\/978-3-030-61814-8"},{"doi-asserted-by":"crossref","unstructured":"Kuckartz, U.: Qualitative Text Analysis: A Guide to Methods, Practice & Using Software. SAGE, Los Angeles and London and New Delhi and Singapore and Washington, DC (2014)","key":"8_CR16","DOI":"10.4135\/9781446288719"},{"issue":"1","key":"8_CR17","first-page":"27","volume":"2","author":"S McCusker","year":"2014","unstructured":"McCusker, S.: Lego, seriously: thinking through building. Int. J. Knowl. Innov. Entrep. 2(1), 27\u201337 (2014)","journal-title":"Int. J. Knowl. Innov. Entrep."},{"doi-asserted-by":"publisher","unstructured":"Menges, U., Hielscher, J., Buckmann, A., Kluge, A., Sasse, M.A., Verret, I.: Why IT Security Needs Therapy. In: Computer Security. ESORICS 2021 International Workshops. Springer (2022). https:\/\/doi.org\/10.1007\/978-3-030-95484-0","key":"8_CR18","DOI":"10.1007\/978-3-030-95484-0"},{"doi-asserted-by":"publisher","unstructured":"R\u00e4diker, S., Kuckartz, U.: Videodaten, Audiodaten und Bilder codieren (German). In: R\u00e4diker, S., Kuckartz, U. (eds.) Analyse qualitativer Daten mit MAXQDA, pp. 85\u201394. Springer Fachmedien Wiesbaden, Wiesbaden (2019). https:\/\/doi.org\/10.1007\/978-3-658-22095-2","key":"8_CR19","DOI":"10.1007\/978-3-658-22095-2"},{"unstructured":"Redmiles, E.M., Acar, Y.G., Fahl, S., Mazurek, M.L.: A summary of survey methodology best practices for security and privacy researchers (2017)","key":"8_CR20"},{"unstructured":"Uslar, M., Hanna, S.: Teaching domain-specific requirements engineering to industry: applying lego serious play to smart grids. In: 1st Workshop on Innovative Software Engineering Education (2018)","key":"8_CR21"},{"doi-asserted-by":"crossref","unstructured":"Winograd, T.: Bringing design to software. ACM (1996)","key":"8_CR22","DOI":"10.1145\/229868"},{"doi-asserted-by":"crossref","unstructured":"Zenk, L., Primus, D.J., Sonnenburg, S.: Alone but together: flow experience and its impact on creative output in lego serious play. Eur. J. Innov. Manag. (2021)","key":"8_CR23","DOI":"10.1108\/EJIM-09-2020-0362"}],"container-title":["Lecture Notes in Computer Science","Socio-Technical Aspects in Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-83072-3_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T19:00:36Z","timestamp":1741806036000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-83072-3_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783031830716","9783031830723"],"references-count":23,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-83072-3_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"13 March 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"STAST","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Workshop on Socio-Technical Aspects in Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Copenhagen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Denmark","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 September 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 September 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"stast2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/stast.uni.lu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Easychair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"20","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"6","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"30% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"1 external reviewers involved (outside the PC)","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}