Affan Yasin,Rubia Fatima,Lijie Wen,Zheng Jiangbin,Mahmood Niazi

DOI: https://doi.org/10.1016/j.entcom.2024.100815

IF: 2.072

2025-01-01

Entertainment Computing

Abstract:Context: In recent years, there has been a significant surge in global Social Engineering (phishing) attacks. This upsurge has prompted governmental bodies, organizations, and educational institutions to formulate strategies aimed at mitigating this threat. Objective: The primary objective of this research is to create a game-based solution that educates participants about URLs and evaluates their understanding through multiple-choice questions. Methodology: To attain the aforementioned objectives, a multifaceted approach has been adopted in this study. Firstly, an extensive literature review was conducted to gain insights into the problem and prior research on the subject. This review was instrumental in comprehending the game development framework, , developmental tools, and various design models for game design. A digital adaptation of the game has been created utilizing the CONSTRUCT 3 platform. Secondly, an empirical evaluation was executed, involving participants engaging with the game and their learning assessed through survey. A survey method was employed to further gauge participants' knowledge and to solicit feedback on the game's design. Results and Conclusion: The survey results indicate a lack of significant outcomes or dependencies on the dependent variable. fun to play, , ease to play, , and game-based learning did not significantly predict avoidance behavior while the intention to play and phishing knowledge were the significant positive predictors of avoidance behavior, with intention to play showing the biggest contribution in the models 2 and 3. Correspondingly, the negligible difference between the R2 value and Delta R2 in models 2 and 3 also confirmed the small variance of model 2 (explained in the paper). Consequently, the research asserts that the assessment of the gaming method has not yielded success and underscores the necessity for enhancements and further evaluation.

Affan Yasin,Rubia Fatima,Zheng JiangBin,Wasif Afzal,Shahid Raza

DOI: https://doi.org/10.1016/j.infsof.2024.107426

IF: 3.9

2024-02-25

Information and Software Technology

Abstract:Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals' limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants' awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the "PhishDefend Quest" game successfully improved players' comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.

computer science, information systems, software engineering

Gaurav Misra,Nalin Asanka Gamagedara Arachchilage,Shlomo Berkovsky

DOI: https://doi.org/10.48550/arXiv.1710.06064

2017-10-17

Abstract:Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.

Cryptography and Security,Computers and Society

Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1511.03459

2015-11-11

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, password and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Game design principles served as guidelines for structuring and presenting information. Our mobile game design aimed to enhance the users' avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework though the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.1504/ijics.2024.138492

2024-01-01

International Journal of Information and Computer Security

Abstract:The COVID-19 pandemic has sparked considerable alarm amongst the general community and has significantly affected the societal attitudes and perceptions. In the current era, social engineers are applying various strategies to exploit human weakness. Phishing, a social engineering technique, is one of the most widely used and effective ways to undermine human assets. In this research study, firstly, we aim to educate the participants regarding phishing attacks; secondly, the dangers associated with excessive online sharing; and thirdly, how to utilise game scenarios developed by the participants to elicit security requirements. We have employed various research methods, such as, survey, observation, personas development, and scenario-based technique to achieve these objectives. Our re-evaluation results show that the PhishI game effectively educates participants regarding phishing attacks and dangers associated with disclosing excessive online information.

Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1610.09511

2016-10-29

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, passwords and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This book focuses on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. The mobile game design aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework through the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society,Cryptography and Security

Nalin Asanka Gamagedara Arachchilage,Steve Love,Carsten Maple

DOI: https://doi.org/10.48550/arXiv.1511.01622

2015-11-05

Abstract:Phishing is an online fraudulent technique, which aims to steal sensitive information such as usernames, passwords and online banking details from its victims. To prevent this, anti-phishing education needs to be considered. This research focuses on examining the effectiveness of mobile game based learning compared to traditional online learning to thwart phishing threats. Therefore, a mobile game prototype was developed based on the design introduced by Arachchilage and Cole [3]. The game design aimed to enhance avoidance behaviour through motivation to thwart phishing threats. A website developed by Anti-Phishing Work Group (APWG) for the public Anti-phishing education initiative was used as a traditional web based learning source. A think-aloud experiment along with a pre- and post-test was conducted through a user study. The study findings revealed that the participants who played the mobile game were better able to identify fraudulent web sites compared to the participants who read the website without any training.

Computers and Society,Cryptography and Security,Human-Computer Interaction

Nalin Asanka Gamagedara Arachchilage,Mumtaz Abdul Hameed

DOI: https://doi.org/10.48550/arXiv.1706.07748

2017-06-23

Abstract:Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempting to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attack), the social engineering, and online identity theft (phishing). One such cyber threat, which is particularly dangerous to computer users is phishing. Phishing is well known as online identity theft, which targets to steal victims' sensitive information such as username, password and online banking details. This paper focuses on designing an innovative and gamified approach to educate individuals about phishing attacks. The study asks how one can integrate self-efficacy, which has a co-relation with the user's knowledge, into an anti-phishing educational game to thwart phishing attacks? One of the main reasons would appear to be a lack of user knowledge to prevent from phishing attacks. Therefore, this research investigates the elements that influence (in this case, either conceptual or procedural knowledge or their interaction effect) and then integrate them into an anti-phishing educational game to enhance people's phishing prevention behaviour through their motivation.

Cryptography and Security,Computers and Society

Matt Dixon,Nalin Asanka Gamagedara Arachchilage,James Nicholson

DOI: https://doi.org/10.48550/arXiv.1903.03019

2019-03-08

Abstract:Phishing continues to be a difficult problem for individuals and organisations. Educational games and simulations have been increasingly acknowledged as enormous and powerful teaching tools, yet little work has examined how to engage users with these games. We explore this problem by conducting workshops with 9 younger adults and reporting on their expectations for cybersecurity educational games. We find a disconnect between casual and serious gamers, where casual gamers prefer simple games incorporating humour while serious gamers demand a congruent narrative or storyline. Importantly, both demographics agree that educational games should prioritise gameplay over information provision - i.e. the game should be a game with educational content. We discuss the implications for educational games developers.

Computers and Society

Nalin Asanka Gamagedara Arachchilage,Melissa Cole

DOI: https://doi.org/10.48550/arXiv.1602.03929

2016-02-12

Abstract:This research aims to design an educational mobile game for home computer users to prevent from phishing attacks. Phishing is an online identity theft which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Mobile games could facilitate to embed learning in a natural environment. The paper introduces a mobile game design based on a story which is simplifying and exaggerating real life. We use a theoretical model derived from Technology Threat Avoidance Theory (TTAT) to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance avoidance behaviour through motivation of home computer users to protect against phishing threats. The prototype game design is presented on Google App Inventor Emulator. We believe by training home computer users to protect against phishing attacks, would be an aid to enable the cyberspace as a secure environment.

Computers and Society,Cryptography and Security

Adebukola S. Onashoga,Oluwafolake E. Ojo,Oluwadamilola O. Soyombo

DOI: https://doi.org/10.1080/23742917.2019.1624011

2019-04-03

Journal of Cyber Security Technology

Abstract:Majority of Internet users lack anti-phishing skills in identifying a phishing attack. This paper introduces a 3D-game prototype named Securix which simplifies and exaggerates real life scenario and conveys different game design principles. Securix is divided into three levels, depicted in scenarios, namely: URL, E-mail and Website which addresses different types of phishing attack. 3D characters and tools were designed to be imported into the game engine using C# programming language for scripting. A Technology Acceptance Model was used for evaluation of the game. To ascertain the liability and acceptability of this design, 50 questionnaires were administered. The results revealed perceived usefulness as the most significant determinant of adoption of Securix than all the other variables. All the relationships between Perceived Ease Of Use (PEOU), Perceived Usefulness (PU), Attitude Towards Using (ATU), and Actual Usage of the System (AUOS) were tested and found to be significant and positive. Analysis from the questionnaire revealed that PU was a strong predictor of actual usage with ninety-five percent (95%) of users as compared to PEOU which was sixty-eight percent (68%) and AUOS which had a result of seventy-four percent (74%). The overall game design enhances the user’s avoidance behaviour through motivation to protect themselves against phishing threats.

Nalin Asanka Gamagedara Arachchilage,Ali Tarhini,Steve Love

DOI: https://doi.org/10.48550/arXiv.1511.07093

2015-11-23

Abstract:Phishing is an online identity theft, which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Game based education is becoming more and more popular. This paper introduces a mobile game prototype for the android platform based on a story, which simplifies and exaggerates real life. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. The prototype mobile game design was presented on MIT App Inventor Emulator.

Computers and Society,Cryptography and Security

Gitanjali Baral,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1811.09024

2018-11-22

Abstract:Phishing attacks are prevalent and humans are central to this online identity theft attack, which aims to steal victims' sensitive and personal information such as username, password, and online banking details. There are many anti-phishing tools developed to thwart against phishing attacks. Since humans are the weakest link in phishing, it is important to educate them to detect and avoid phishing attacks. One can argue self-efficacy is one of the most important determinants of individual's motivation in phishing threat avoidance behavior, which has co-relation with knowledge. The proposed research endeavors on the user's self-efficacy in order to enhance the individual's phishing threat avoidance behavior through their motivation. Using social cognitive theory, we explored that various knowledge attributes such as observational (vicarious) knowledge, heuristic knowledge and structural knowledge contributes immensely towards the individual's self-efficacy to enhance phishing threat prevention behavior. A theoretical framework is then developed depicting the mechanism that links knowledge attributes, self-efficacy, threat avoidance motivation that leads to users' threat avoidance behavior. Finally, a gaming prototype is designed incooperating the knowledge elements identified in this research that aimed to enhance individual's self-efficacy in phishing threat avoidance behavior.

Cryptography and Security

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.1109/qrs-c57518.2022.00120

2022-01-01

Abstract:The increase in Social Engineering (SE) attacks during COVID-19 pandemic has made it imperative to educate people about SE techniques and methods. For the last many years, we have worked on games, which disseminate awareness among the participants about Social Engineering concepts. The aim of this study is to share our newly designed card-based game, which is simple to understand, and can be conducted in classroom environment.

Kalam Khadka

2024-12-24

Abstract:This study extends the research of Ferreira and Teles (2019), who synthesized works by Cialdini (2007), Gragg (2003), and Stajano and Wilson (2011) to propose a unique list of persuasion principles in social engineering. While Ferreira and Teles focused on email subject lines, this research analyzed entire email contents to identify principles of human persuasion in phishing emails. This study also examined the goals and targets of phishing emails, providing a novel contribution to the field. Applying these findings to the ontological model by Mouton et al. (2014) reveals that when social engineers use email for phishing, individuals are the primary targets. The goals are typically unauthorized access, followed by financial gain and service disruption, with Distraction as the most commonly used compliance principle. This research highlights the importance of understanding human persuasion in technology-mediated interactions to develop methods for detecting and preventing phishing emails before they reach users. Despite previous identification of luring elements in phishing emails, empirical findings have been inconsistent. For example, Akbar (2014) found 'authority' and 'scarcity' most common, while Ferreira et al. (2015) identified 'liking' and 'similarity.' In this study, 'Distraction' was most frequently used, followed by 'Deception,' 'Integrity,' and 'Authority.' This paper offers additional insights into phishing email tactics and suggests future solutions should leverage socio-technical principles. Future work will apply this methodology to other social engineering techniques beyond phishing emails, using the ontological model to further inform the research community.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Kalam Khadka,Abu Barkat Ullah,Wanli Ma,Elisa Martinez Marroquin

DOI: https://doi.org/10.1109/TrustCom60117.2023.00222

2024-12-24

Abstract:Research shows that phishing emails often utilize persuasion techniques, such as social proof, liking, consistency, authority, scarcity, and reciprocity to gain trust to obtain sensitive information or maliciously infect devices. The link between principles of persuasion and social engineering attacks, particularly in phishing email attacks, is an important topic in cyber security as they are the common and effective method used by cybercriminals to obtain sensitive information or access computer systems. This survey paper concluded that spear phishing, a targeted form of phishing, has been found to be specifically effective as attackers can tailor their messages to the specific characteristics, interests, and vulnerabilities of their targets. Understanding the uses of the principles of persuasion in spear phishing is key to the effective defence against it and eventually its elimination. This survey paper systematically summarizes and presents the current state of the art in understanding the use of principles of persuasion in phishing. Through a systematic review of the existing literature, this survey paper identifies a significant gap in the understanding of the impact of principles of persuasion as a social engineering strategy in phishing attacks and highlights the need for further research in this area.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Jingguo Wang,Tejaswini Herath,Rui Chen,Arun Vishwanath,H. Raghav Rao

DOI: https://doi.org/10.1109/tpc.2012.2208392

2012-01-01

IEEE Transactions on Professional Communication

Abstract:Research problem: Phishing is an email-based scam where a perpetrator camouflages emails to appear as a legitimate request for personal and sensitive information. Research question: How do individuals process a phishing email, and determine whether to respond to it? Specifically, this study examines how users' attention to “visual triggers” and “phishing deception indicators” influence their decision-making processes and consequently their decisions. Literature review: This paper draws upon the theory of deception and the literature on mediated cognition and learning, including the critical role of attention and elaboration in deception detection. From this literature, we developed a research model to suggest that overall cognitive effort expended in email processing decreases with attention to visual triggers and phishing deception indicators. The likelihood to respond to phishing emails increases with attention to visceral cues, but decreases with attention to phishing deception indicators and cognitive effort. Knowledge of email-based scams increases attention to phishing deception indicators, and directly decreases response likelihood. It also moderates the impact of attention to visceral triggers and that of phishing deception indicators on likelihood to respond. Methodology: Using a real phishing email as a stimulus, a survey of 321 members of a public university community in the Northeast US, who were intended victims of a spear phishing attack that took place, was conducted. The survey used validated measures developed in prior literature for the most part and tested results using the partial least-squares regression. Results and discussion: Our research model and hypotheses were supported by the data except that we did not find that cognitive effort significantly affects response likelihood. The implication of the study is that attention to visceral triggers, attention to phishing deception indicators, and phishing knowledge play critical roles in phishing detection. The limitations of the study were that the data were drawn from students, and the study explored one phishing attack, relied on some single-item measures, cognitive effort measure, and a one-round survey. Future research would examine the impact of a varying degree of urgency and a varying level of phishing deception indicators, and actual victims of phishing attacks.

Rene Roepke,Vincent Drury,Ulrike Meyer,Ulrik Schroeder

DOI: https://doi.org/10.17083/ijsg.v9i3.501

2022-09-09

International Journal of Serious Games

Abstract:Anti-phishing learning games are a promising approach to teach end-users about phishing, as they offer a scalable and engaging environment for active learning. Existing games have been criticized for their limited game mechanics that do not allow for detailed assessment of the players' acquired knowledge, instead focusing mostly on factual and conceptual knowledge to remember or understand. To extend the research field, this paper presents the design and evaluation of two new anti-phishing learning games: The first game implements an extended classification mechanic to better assess the player's decision process, while the second game implements a different game mechanic, which requires players to combine URL parts to construct their own phishing URLs. We compare the games with each other and with a baseline implementation that uses binary decisions similar to existing games in a user study with 133 participants. The study shows, that while all three games lead to performance increases, none of the new games offer significant improvements over the baseline. Furthermore, results of a longitudinal test three months after playing the games show that knowledge can be retained as participants still perform significantly better than before playing either one of the games.

Marcus Butavicius,Kathryn Parsons,Malcolm Pattinson,Agata McCormac

DOI: https://doi.org/10.48550/arXiv.1606.00887

2016-05-28

Abstract:We examined the influence of three social engineering strategies on users' judgments of how safe it is to click on a link in an email. The three strategies examined were authority, scarcity and social proof, and the emails were either genuine, phishing or spear-phishing. Of the three strategies, the use of authority was the most effective strategy in convincing users that a link in an email was safe. When detecting phishing and spear-phishing emails, users performed the worst when the emails used the authority principle and performed best when social proof was present. Overall, users struggled to distinguish between genuine and spear-phishing emails. Finally, users who were less impulsive in making decisions generally were less likely to judge a link as safe in the fraudulent emails. Implications for education and training are discussed.

Computers and Society,Cryptography and Security

Franklin Tchakounte,Virgile Sime Nyassi,Duplex Elvis Houpa Danga,Kalum Priyanath Udagepola,Marcellin Atemkeng

DOI: https://doi.org/10.4108/eai.26-5-2020.166354

2018-01-01

ICST Transactions on Scalable Information Systems

Abstract:A solution to help victims against phishing is anticipating and leveraging impacts related to phisher actions.In this regard, this work reshapes game theoretical logic between Intrusion Detection System (IDS) agents andinsiders to email spear-phishing interactions. The email spear-phishing attack is designed as a non-cooperativeand repeated game between opponents. Additionally, this work relies on Quantal Response Equilibrium (QRE)to build a game theoretical approach to predict the phisher’s future intent based on past actions of bothplayers. This approach is coupled with a recommendation strategy of appropriate allocation of resources toinvest to strengthen user protection. Simulations on spear-phishing scenarios demonstrate the ability of thefinal system to intuitively guess the most likely phisher decisions. This work provides intelligence to spear-phishing detectors and humans such that they can anticipate next phisher actions.