Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1610.09511

2016-10-29

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, passwords and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This book focuses on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. The mobile game design aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework through the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society,Cryptography and Security

Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1511.03459

2015-11-11

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, password and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Game design principles served as guidelines for structuring and presenting information. Our mobile game design aimed to enhance the users' avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework though the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society

Affan Yasin,Rubia Fatima,Zheng JiangBin,Wasif Afzal,Shahid Raza

DOI: https://doi.org/10.1016/j.infsof.2024.107426

IF: 3.9

2024-02-25

Information and Software Technology

Abstract:Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals' limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants' awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the "PhishDefend Quest" game successfully improved players' comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.

computer science, information systems, software engineering

Affan Yasin,Rubia Fatima,Lijie Wen,Zheng Jiangbin,Mahmood Niazi

DOI: https://doi.org/10.1016/j.entcom.2024.100815

IF: 2.072

2025-01-01

Entertainment Computing

Abstract:Context: In recent years, there has been a significant surge in global Social Engineering (phishing) attacks. This upsurge has prompted governmental bodies, organizations, and educational institutions to formulate strategies aimed at mitigating this threat. Objective: The primary objective of this research is to create a game-based solution that educates participants about URLs and evaluates their understanding through multiple-choice questions. Methodology: To attain the aforementioned objectives, a multifaceted approach has been adopted in this study. Firstly, an extensive literature review was conducted to gain insights into the problem and prior research on the subject. This review was instrumental in comprehending the game development framework, , developmental tools, and various design models for game design. A digital adaptation of the game has been created utilizing the CONSTRUCT 3 platform. Secondly, an empirical evaluation was executed, involving participants engaging with the game and their learning assessed through survey. A survey method was employed to further gauge participants' knowledge and to solicit feedback on the game's design. Results and Conclusion: The survey results indicate a lack of significant outcomes or dependencies on the dependent variable. fun to play, , ease to play, , and game-based learning did not significantly predict avoidance behavior while the intention to play and phishing knowledge were the significant positive predictors of avoidance behavior, with intention to play showing the biggest contribution in the models 2 and 3. Correspondingly, the negligible difference between the R2 value and Delta R2 in models 2 and 3 also confirmed the small variance of model 2 (explained in the paper). Consequently, the research asserts that the assessment of the gaming method has not yielded success and underscores the necessity for enhancements and further evaluation.

Gaurav Misra,Nalin Asanka Gamagedara Arachchilage,Shlomo Berkovsky

DOI: https://doi.org/10.48550/arXiv.1710.06064

2017-10-17

Abstract:Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.

Cryptography and Security,Computers and Society

Oteng Ntsweng,Ransome Bawack,Xixian Peng,Shem Amalaya

DOI: https://doi.org/10.1109/istas57930.2023.10305976

2023-01-01

Abstract:Over the past decade, gameful systems have been widely used in training and behavior modification. However, the mechanisms by which these systems influence desired outcomes remain unclear. Consequently, the literature on their impact is riddled with contradictory findings, suggesting that researchers have overlooked crucial variables, especially those related to the science of learning. Consistent with recommendations from educational psychology, we focus on the core cognitive processes involved in cybersecurity protective tasks. Reflective thinking is at the heart of these tasks. Given that gameful systems aim to simulate real-world tasks, we study the effects of coupling cybersecurity training games with reflective practices. Drawing upon the theoretical perspectives of the reflective practitioner and the theory of flow, we hypothesize that incorporating guided reflection during interaction with a gameful system will result in superior experiential and learning outcomes compared to reflecting after the interaction or playing without reflection.

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.3233/jcs-181253

2019-01-01

Journal of Computer Security

Abstract:CONTEXT: In the current era of digital technology, social engineers are using various tactics to undermine human weaknesses. Social Engineers target human psychology to achieve their target(s) which are in the form of data, account details, or IT devices etc. According to our research, one of the first methods social engineers used to target victims is Phishing/Spear Phishing. OBJECTIVE: The objective of this study is to utilize serious game to: i) educate players regarding phishing and spear-phishing attacks; ii) make aware and educate players regarding dangers associated with excessive online information disclosure. METHOD: In order to address the objectives we have: i) performed an in-depth literature review to extract insights related to social engineering, phishing, game design, learning functions, human interaction, and game-based learning etc; ii) proposed and aligned the game design with social engineering ontology concepts; iii) performed an empirical evaluation to evaluate the effectiveness of the designed board game. CONCLUSION: From this research study, we conclude that: i) PhishI game is useful in educating players regarding excessive online information disclosure and phishing awareness; ii) game-based learning is an effectivemethod for inculcating and general cyber-related awareness in players.

Nalin Asanka Gamagedara Arachchilage,Mumtaz Abdul Hameed

DOI: https://doi.org/10.48550/arXiv.1706.07748

2017-06-23

Abstract:Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempting to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attack), the social engineering, and online identity theft (phishing). One such cyber threat, which is particularly dangerous to computer users is phishing. Phishing is well known as online identity theft, which targets to steal victims' sensitive information such as username, password and online banking details. This paper focuses on designing an innovative and gamified approach to educate individuals about phishing attacks. The study asks how one can integrate self-efficacy, which has a co-relation with the user's knowledge, into an anti-phishing educational game to thwart phishing attacks? One of the main reasons would appear to be a lack of user knowledge to prevent from phishing attacks. Therefore, this research investigates the elements that influence (in this case, either conceptual or procedural knowledge or their interaction effect) and then integrate them into an anti-phishing educational game to enhance people's phishing prevention behaviour through their motivation.

Cryptography and Security,Computers and Society

Nalin Asanka Gamagedara Arachchilage,Melissa Cole

DOI: https://doi.org/10.48550/arXiv.1602.03929

2016-02-12

Abstract:This research aims to design an educational mobile game for home computer users to prevent from phishing attacks. Phishing is an online identity theft which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Mobile games could facilitate to embed learning in a natural environment. The paper introduces a mobile game design based on a story which is simplifying and exaggerating real life. We use a theoretical model derived from Technology Threat Avoidance Theory (TTAT) to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance avoidance behaviour through motivation of home computer users to protect against phishing threats. The prototype game design is presented on Google App Inventor Emulator. We believe by training home computer users to protect against phishing attacks, would be an aid to enable the cyberspace as a secure environment.

Computers and Society,Cryptography and Security

Nalin Asanka Gamagedara Arachchilage,Steve Love,Carsten Maple

DOI: https://doi.org/10.48550/arXiv.1511.01622

2015-11-05

Abstract:Phishing is an online fraudulent technique, which aims to steal sensitive information such as usernames, passwords and online banking details from its victims. To prevent this, anti-phishing education needs to be considered. This research focuses on examining the effectiveness of mobile game based learning compared to traditional online learning to thwart phishing threats. Therefore, a mobile game prototype was developed based on the design introduced by Arachchilage and Cole [3]. The game design aimed to enhance avoidance behaviour through motivation to thwart phishing threats. A website developed by Anti-Phishing Work Group (APWG) for the public Anti-phishing education initiative was used as a traditional web based learning source. A think-aloud experiment along with a pre- and post-test was conducted through a user study. The study findings revealed that the participants who played the mobile game were better able to identify fraudulent web sites compared to the participants who read the website without any training.

Computers and Society,Cryptography and Security,Human-Computer Interaction

Nalin Asanka Gamagedara Arachchilage,Ali Tarhini,Steve Love

DOI: https://doi.org/10.48550/arXiv.1511.07093

2015-11-23

Abstract:Phishing is an online identity theft, which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Game based education is becoming more and more popular. This paper introduces a mobile game prototype for the android platform based on a story, which simplifies and exaggerates real life. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. The prototype mobile game design was presented on MIT App Inventor Emulator.

Computers and Society,Cryptography and Security

Rene Roepke,Vincent Drury,Ulrike Meyer,Ulrik Schroeder

DOI: https://doi.org/10.17083/ijsg.v9i3.501

2022-09-09

International Journal of Serious Games

Abstract:Anti-phishing learning games are a promising approach to teach end-users about phishing, as they offer a scalable and engaging environment for active learning. Existing games have been criticized for their limited game mechanics that do not allow for detailed assessment of the players' acquired knowledge, instead focusing mostly on factual and conceptual knowledge to remember or understand. To extend the research field, this paper presents the design and evaluation of two new anti-phishing learning games: The first game implements an extended classification mechanic to better assess the player's decision process, while the second game implements a different game mechanic, which requires players to combine URL parts to construct their own phishing URLs. We compare the games with each other and with a baseline implementation that uses binary decisions similar to existing games in a user study with 133 participants. The study shows, that while all three games lead to performance increases, none of the new games offer significant improvements over the baseline. Furthermore, results of a longitudinal test three months after playing the games show that knowledge can be retained as participants still perform significantly better than before playing either one of the games.

Nicholas Micallef,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1710.03888

2017-10-11

Cryptography and Security

Abstract:When using security questions most users still trade-off security for the convenience of memorability. This happens because most users find strong answers to security questions difficult to remember. Previous research in security education was successful in motivating users to change their behaviour towards security issues, through the use of serious games (i.e. games designed for a primary purpose other than pure entertainment). Hence, in this paper we evaluate the design of a serious game, to investigate the features and functionalities that users would find desirable in a game that aims to educate them to provide strong and memorable answers to security questions. Our findings reveal that: (1) even for security education games, rewards seem to motivate users to have a better learning experience; (2) functionalities which contain a social element (e.g. getting help from other players) do not seem appropriate for serious games related to security questions, because users fear that their acquaintances could gain access to their security questions; (3) even users who do not usually play games would seem to prefer to play security education games on a mobile device.

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.1504/ijics.2024.138492

2024-01-01

International Journal of Information and Computer Security

Abstract:The COVID-19 pandemic has sparked considerable alarm amongst the general community and has significantly affected the societal attitudes and perceptions. In the current era, social engineers are applying various strategies to exploit human weakness. Phishing, a social engineering technique, is one of the most widely used and effective ways to undermine human assets. In this research study, firstly, we aim to educate the participants regarding phishing attacks; secondly, the dangers associated with excessive online sharing; and thirdly, how to utilise game scenarios developed by the participants to elicit security requirements. We have employed various research methods, such as, survey, observation, personas development, and scenario-based technique to achieve these objectives. Our re-evaluation results show that the PhishI game effectively educates participants regarding phishing attacks and dangers associated with disclosing excessive online information.

Saboor Zahir,John Pak,Jatinder Singh,Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1505.05570

2015-05-21

Computers and Society

Abstract:Cyber literacy merits serious research attention because it addresses a confluence of specialization and generalization; cybersecurity is often conceived of as approachable only by a technological intelligentsia, yet its interdependent nature demands education for a broad population. Therefore, educational tools should lead participants to discover technical knowledge in an accessible and attractive framework. In this paper, we present Protection and Deception (P&G), a novel two-player board game. P&G has three main contributions. First, it builds cyber literacy by giving participants "hands-on" experience with game pieces that have the capabilities of cyber-attacks such as worms, masquerading attacks/spoofs, replay attacks, and Trojans. Second, P&G teaches the important game-theoretic concepts of asymmetric information and resource allocation implicitly and non-obtrusively through its game play. Finally, it strives for the important objective of security education for underrepresented minorities and people without explicit technical experience. We tested P&G at a community center in Manhattan with middle- and high school students, and observed enjoyment and increased cyber literacy along with suggestions for improvement of the game. Together with these results, our paper also presents images of the attractive board design and 3D printed game pieces, together with a Monte-Carlo analysis that we used to ensure a balanced gaming experience.

Adebukola S. Onashoga,Oluwafolake E. Ojo,Oluwadamilola O. Soyombo

DOI: https://doi.org/10.1080/23742917.2019.1624011

2019-04-03

Journal of Cyber Security Technology

Abstract:Majority of Internet users lack anti-phishing skills in identifying a phishing attack. This paper introduces a 3D-game prototype named Securix which simplifies and exaggerates real life scenario and conveys different game design principles. Securix is divided into three levels, depicted in scenarios, namely: URL, E-mail and Website which addresses different types of phishing attack. 3D characters and tools were designed to be imported into the game engine using C# programming language for scripting. A Technology Acceptance Model was used for evaluation of the game. To ascertain the liability and acceptability of this design, 50 questionnaires were administered. The results revealed perceived usefulness as the most significant determinant of adoption of Securix than all the other variables. All the relationships between Perceived Ease Of Use (PEOU), Perceived Usefulness (PU), Attitude Towards Using (ATU), and Actual Usage of the System (AUOS) were tested and found to be significant and positive. Analysis from the questionnaire revealed that PU was a strong predictor of actual usage with ninety-five percent (95%) of users as compared to PEOU which was sixty-eight percent (68%) and AUOS which had a result of seventy-four percent (74%). The overall game design enhances the user’s avoidance behaviour through motivation to protect themselves against phishing threats.

Gitanjali Baral,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1811.09024

2018-11-22

Abstract:Phishing attacks are prevalent and humans are central to this online identity theft attack, which aims to steal victims' sensitive and personal information such as username, password, and online banking details. There are many anti-phishing tools developed to thwart against phishing attacks. Since humans are the weakest link in phishing, it is important to educate them to detect and avoid phishing attacks. One can argue self-efficacy is one of the most important determinants of individual's motivation in phishing threat avoidance behavior, which has co-relation with knowledge. The proposed research endeavors on the user's self-efficacy in order to enhance the individual's phishing threat avoidance behavior through their motivation. Using social cognitive theory, we explored that various knowledge attributes such as observational (vicarious) knowledge, heuristic knowledge and structural knowledge contributes immensely towards the individual's self-efficacy to enhance phishing threat prevention behavior. A theoretical framework is then developed depicting the mechanism that links knowledge attributes, self-efficacy, threat avoidance motivation that leads to users' threat avoidance behavior. Finally, a gaming prototype is designed incooperating the knowledge elements identified in this research that aimed to enhance individual's self-efficacy in phishing threat avoidance behavior.

Cryptography and Security

Yin Pan,Sumita Mishra,David Schwartz

DOI: https://doi.org/10.1145/3017680.3017709

2017-01-01

Abstract:The growing shortage of skilled professionals in cybersecurity and forensics has increased global demand for information systems professionals. To identify and attract more students to cybersecurity and forensics programs, the authors developed a game engine along with a sequence of entertaining, engaging, and educational games, suitable for forensics and cybersecurity courses. This paper focuses on the design and development of a modular educational game framework composed of a game engine and a GUI-based game creator. Following narrative and storylines of the game via interactive dialogs and visualized abstract concepts, students are motivated and engaged to obtain the necessary knowledge. Students will also develop their problem solving skills by using real tools and technologies while playing the game. The GUI-based game creator allows educators to create and develop new educational games by only focusing on game content.

Christopher Scherb,Luc Bryan Heitz,Frank Grimberg,Hermann Grieder,Marcel Maurer

DOI: https://doi.org/10.48550/arXiv.2305.03062

2023-05-04

Cryptography and Security

Abstract:With the rising number of cyberattacks, such as ransomware attacks and cyber espionage, educating non-cybersecurity professionals to recognize threats has become more important than ever before. However, traditional training methods, such as phishing awareness campaigns, training videos and assessments have proven to be less effective over time. Therefore, it is time to rethink the approach on how to train cyber awareness. In this paper we suggest an alternative approach -- a serious game -- to educate awareness for common cyberattacks. While many serious games for cybersecurity education exist, all follow a very similar approach: showing people the effects of a cyber attack on their own system or company network. For example, one of the main tasks in these games is to sort out phishing mails. We developed and evaluated a new type of cybersecurity game: an attack simulator, which shows the entire setting from a different perspective. Instead of sorting out phishing mails the players should write phishing mails to trick potential victims and use other forms of cyberattacks. Our game explains the intention of each attack and shows the consequences of a successful attack. This way, we hope, players will get a better understanding on how to detect cyberattacks.

Nalin Asanka Gamagedara Arachchilage,Mumtaz Abdul Hameed

DOI: https://doi.org/10.1145/3417113.3422149

2020-09-12

Abstract:Software applications continue to challenge user privacy when users interact with them. Privacy practices (e.g. Data Minimisation (DM), Privacy by Design (PbD) or General Data Protection Regulation (GDPR)) and related "privacy engineering" methodologies exist and provide clear instructions for developers to implement privacy into software systems they develop that preserve user privacy. However, those practices and methodologies are not yet a common practice in the software development community. There has been no previous research focused on developing "educational" interventions such as serious games to enhance software developers' coding behaviour. Therefore, this research proposes a game design framework as an educational tool for software developers to improve (secure) coding behaviour, so they can develop privacy-preserving software applications that people can use. The elements of the proposed framework were incorporated into a gaming application scenario that enhances the software developers' coding behaviour through their motivation. The proposed work not only enables the development of privacy-preserving software systems but also helping the software development community to put privacy guidelines and engineering methodologies into practice.

Cryptography and Security,Human-Computer Interaction