Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1511.03459

2015-11-11

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, password and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Game design principles served as guidelines for structuring and presenting information. Our mobile game design aimed to enhance the users' avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework though the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society

Gaurav Misra,Nalin Asanka Gamagedara Arachchilage,Shlomo Berkovsky

DOI: https://doi.org/10.48550/arXiv.1710.06064

2017-10-17

Abstract:Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.

Cryptography and Security,Computers and Society

Affan Yasin,Rubia Fatima,Lijie Wen,Zheng Jiangbin,Mahmood Niazi

DOI: https://doi.org/10.1016/j.entcom.2024.100815

IF: 2.072

2025-01-01

Entertainment Computing

Abstract:Context: In recent years, there has been a significant surge in global Social Engineering (phishing) attacks. This upsurge has prompted governmental bodies, organizations, and educational institutions to formulate strategies aimed at mitigating this threat. Objective: The primary objective of this research is to create a game-based solution that educates participants about URLs and evaluates their understanding through multiple-choice questions. Methodology: To attain the aforementioned objectives, a multifaceted approach has been adopted in this study. Firstly, an extensive literature review was conducted to gain insights into the problem and prior research on the subject. This review was instrumental in comprehending the game development framework, , developmental tools, and various design models for game design. A digital adaptation of the game has been created utilizing the CONSTRUCT 3 platform. Secondly, an empirical evaluation was executed, involving participants engaging with the game and their learning assessed through survey. A survey method was employed to further gauge participants' knowledge and to solicit feedback on the game's design. Results and Conclusion: The survey results indicate a lack of significant outcomes or dependencies on the dependent variable. fun to play, , ease to play, , and game-based learning did not significantly predict avoidance behavior while the intention to play and phishing knowledge were the significant positive predictors of avoidance behavior, with intention to play showing the biggest contribution in the models 2 and 3. Correspondingly, the negligible difference between the R2 value and Delta R2 in models 2 and 3 also confirmed the small variance of model 2 (explained in the paper). Consequently, the research asserts that the assessment of the gaming method has not yielded success and underscores the necessity for enhancements and further evaluation.

Affan Yasin,Rubia Fatima,Zheng JiangBin,Wasif Afzal,Shahid Raza

DOI: https://doi.org/10.1016/j.infsof.2024.107426

IF: 3.9

2024-02-25

Information and Software Technology

Abstract:Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals' limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants' awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the "PhishDefend Quest" game successfully improved players' comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.

computer science, information systems, software engineering

Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1610.09511

2016-10-29

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, passwords and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This book focuses on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. The mobile game design aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework through the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society,Cryptography and Security

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.3233/jcs-181253

2019-01-01

Journal of Computer Security

Abstract:CONTEXT: In the current era of digital technology, social engineers are using various tactics to undermine human weaknesses. Social Engineers target human psychology to achieve their target(s) which are in the form of data, account details, or IT devices etc. According to our research, one of the first methods social engineers used to target victims is Phishing/Spear Phishing. OBJECTIVE: The objective of this study is to utilize serious game to: i) educate players regarding phishing and spear-phishing attacks; ii) make aware and educate players regarding dangers associated with excessive online information disclosure. METHOD: In order to address the objectives we have: i) performed an in-depth literature review to extract insights related to social engineering, phishing, game design, learning functions, human interaction, and game-based learning etc; ii) proposed and aligned the game design with social engineering ontology concepts; iii) performed an empirical evaluation to evaluate the effectiveness of the designed board game. CONCLUSION: From this research study, we conclude that: i) PhishI game is useful in educating players regarding excessive online information disclosure and phishing awareness; ii) game-based learning is an effectivemethod for inculcating and general cyber-related awareness in players.

Nalin Asanka Gamagedara Arachchilage,Mumtaz Abdul Hameed

DOI: https://doi.org/10.48550/arXiv.1706.07748

2017-06-23

Abstract:Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempting to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attack), the social engineering, and online identity theft (phishing). One such cyber threat, which is particularly dangerous to computer users is phishing. Phishing is well known as online identity theft, which targets to steal victims' sensitive information such as username, password and online banking details. This paper focuses on designing an innovative and gamified approach to educate individuals about phishing attacks. The study asks how one can integrate self-efficacy, which has a co-relation with the user's knowledge, into an anti-phishing educational game to thwart phishing attacks? One of the main reasons would appear to be a lack of user knowledge to prevent from phishing attacks. Therefore, this research investigates the elements that influence (in this case, either conceptual or procedural knowledge or their interaction effect) and then integrate them into an anti-phishing educational game to enhance people's phishing prevention behaviour through their motivation.

Cryptography and Security,Computers and Society

Nalin Asanka Gamagedara Arachchilage,Steve Love,Carsten Maple

DOI: https://doi.org/10.48550/arXiv.1511.01622

2015-11-05

Abstract:Phishing is an online fraudulent technique, which aims to steal sensitive information such as usernames, passwords and online banking details from its victims. To prevent this, anti-phishing education needs to be considered. This research focuses on examining the effectiveness of mobile game based learning compared to traditional online learning to thwart phishing threats. Therefore, a mobile game prototype was developed based on the design introduced by Arachchilage and Cole [3]. The game design aimed to enhance avoidance behaviour through motivation to thwart phishing threats. A website developed by Anti-Phishing Work Group (APWG) for the public Anti-phishing education initiative was used as a traditional web based learning source. A think-aloud experiment along with a pre- and post-test was conducted through a user study. The study findings revealed that the participants who played the mobile game were better able to identify fraudulent web sites compared to the participants who read the website without any training.

Computers and Society,Cryptography and Security,Human-Computer Interaction

Gitanjali Baral,Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1811.09024

2018-11-22

Abstract:Phishing attacks are prevalent and humans are central to this online identity theft attack, which aims to steal victims' sensitive and personal information such as username, password, and online banking details. There are many anti-phishing tools developed to thwart against phishing attacks. Since humans are the weakest link in phishing, it is important to educate them to detect and avoid phishing attacks. One can argue self-efficacy is one of the most important determinants of individual's motivation in phishing threat avoidance behavior, which has co-relation with knowledge. The proposed research endeavors on the user's self-efficacy in order to enhance the individual's phishing threat avoidance behavior through their motivation. Using social cognitive theory, we explored that various knowledge attributes such as observational (vicarious) knowledge, heuristic knowledge and structural knowledge contributes immensely towards the individual's self-efficacy to enhance phishing threat prevention behavior. A theoretical framework is then developed depicting the mechanism that links knowledge attributes, self-efficacy, threat avoidance motivation that leads to users' threat avoidance behavior. Finally, a gaming prototype is designed incooperating the knowledge elements identified in this research that aimed to enhance individual's self-efficacy in phishing threat avoidance behavior.

Cryptography and Security

Saboor Zahir,John Pak,Jatinder Singh,Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1505.05570

2015-05-21

Computers and Society

Abstract:Cyber literacy merits serious research attention because it addresses a confluence of specialization and generalization; cybersecurity is often conceived of as approachable only by a technological intelligentsia, yet its interdependent nature demands education for a broad population. Therefore, educational tools should lead participants to discover technical knowledge in an accessible and attractive framework. In this paper, we present Protection and Deception (P&G), a novel two-player board game. P&G has three main contributions. First, it builds cyber literacy by giving participants "hands-on" experience with game pieces that have the capabilities of cyber-attacks such as worms, masquerading attacks/spoofs, replay attacks, and Trojans. Second, P&G teaches the important game-theoretic concepts of asymmetric information and resource allocation implicitly and non-obtrusively through its game play. Finally, it strives for the important objective of security education for underrepresented minorities and people without explicit technical experience. We tested P&G at a community center in Manhattan with middle- and high school students, and observed enjoyment and increased cyber literacy along with suggestions for improvement of the game. Together with these results, our paper also presents images of the attractive board design and 3D printed game pieces, together with a Monte-Carlo analysis that we used to ensure a balanced gaming experience.

Nalin Asanka Gamagedara Arachchilage,Melissa Cole

DOI: https://doi.org/10.48550/arXiv.1602.03929

2016-02-12

Abstract:This research aims to design an educational mobile game for home computer users to prevent from phishing attacks. Phishing is an online identity theft which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Mobile games could facilitate to embed learning in a natural environment. The paper introduces a mobile game design based on a story which is simplifying and exaggerating real life. We use a theoretical model derived from Technology Threat Avoidance Theory (TTAT) to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance avoidance behaviour through motivation of home computer users to protect against phishing threats. The prototype game design is presented on Google App Inventor Emulator. We believe by training home computer users to protect against phishing attacks, would be an aid to enable the cyberspace as a secure environment.

Computers and Society,Cryptography and Security

Nalin Asanka Gamagedara Arachchilage,Ali Tarhini,Steve Love

DOI: https://doi.org/10.48550/arXiv.1511.07093

2015-11-23

Abstract:Phishing is an online identity theft, which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Game based education is becoming more and more popular. This paper introduces a mobile game prototype for the android platform based on a story, which simplifies and exaggerates real life. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. The prototype mobile game design was presented on MIT App Inventor Emulator.

Computers and Society,Cryptography and Security

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.1504/ijics.2024.138492

2024-01-01

International Journal of Information and Computer Security

Abstract:The COVID-19 pandemic has sparked considerable alarm amongst the general community and has significantly affected the societal attitudes and perceptions. In the current era, social engineers are applying various strategies to exploit human weakness. Phishing, a social engineering technique, is one of the most widely used and effective ways to undermine human assets. In this research study, firstly, we aim to educate the participants regarding phishing attacks; secondly, the dangers associated with excessive online sharing; and thirdly, how to utilise game scenarios developed by the participants to elicit security requirements. We have employed various research methods, such as, survey, observation, personas development, and scenario-based technique to achieve these objectives. Our re-evaluation results show that the PhishI game effectively educates participants regarding phishing attacks and dangers associated with disclosing excessive online information.

Rene Roepke,Vincent Drury,Ulrike Meyer,Ulrik Schroeder

DOI: https://doi.org/10.17083/ijsg.v9i3.501

2022-09-09

International Journal of Serious Games

Abstract:Anti-phishing learning games are a promising approach to teach end-users about phishing, as they offer a scalable and engaging environment for active learning. Existing games have been criticized for their limited game mechanics that do not allow for detailed assessment of the players' acquired knowledge, instead focusing mostly on factual and conceptual knowledge to remember or understand. To extend the research field, this paper presents the design and evaluation of two new anti-phishing learning games: The first game implements an extended classification mechanic to better assess the player's decision process, while the second game implements a different game mechanic, which requires players to combine URL parts to construct their own phishing URLs. We compare the games with each other and with a baseline implementation that uses binary decisions similar to existing games in a user study with 133 participants. The study shows, that while all three games lead to performance increases, none of the new games offer significant improvements over the baseline. Furthermore, results of a longitudinal test three months after playing the games show that knowledge can be retained as participants still perform significantly better than before playing either one of the games.

Matt Dixon,Nalin Asanka Gamagedara Arachchilage,James Nicholson

DOI: https://doi.org/10.48550/arXiv.1903.03019

2019-03-08

Abstract:Phishing continues to be a difficult problem for individuals and organisations. Educational games and simulations have been increasingly acknowledged as enormous and powerful teaching tools, yet little work has examined how to engage users with these games. We explore this problem by conducting workshops with 9 younger adults and reporting on their expectations for cybersecurity educational games. We find a disconnect between casual and serious gamers, where casual gamers prefer simple games incorporating humour while serious gamers demand a congruent narrative or storyline. Importantly, both demographics agree that educational games should prioritise gameplay over information provision - i.e. the game should be a game with educational content. We discuss the implications for educational games developers.

Computers and Society

Christopher Scherb,Luc Bryan Heitz,Frank Grimberg,Hermann Grieder,Marcel Maurer

DOI: https://doi.org/10.48550/arXiv.2305.03062

2023-05-04

Cryptography and Security

Abstract:With the rising number of cyberattacks, such as ransomware attacks and cyber espionage, educating non-cybersecurity professionals to recognize threats has become more important than ever before. However, traditional training methods, such as phishing awareness campaigns, training videos and assessments have proven to be less effective over time. Therefore, it is time to rethink the approach on how to train cyber awareness. In this paper we suggest an alternative approach -- a serious game -- to educate awareness for common cyberattacks. While many serious games for cybersecurity education exist, all follow a very similar approach: showing people the effects of a cyber attack on their own system or company network. For example, one of the main tasks in these games is to sort out phishing mails. We developed and evaluated a new type of cybersecurity game: an attack simulator, which shows the entire setting from a different perspective. Instead of sorting out phishing mails the players should write phishing mails to trick potential victims and use other forms of cyberattacks. Our game explains the intention of each attack and shows the consequences of a successful attack. This way, we hope, players will get a better understanding on how to detect cyberattacks.

Sam Scholefield,Lynsay A. Shepherd

DOI: https://doi.org/10.48550/arXiv.1903.08454

IF: 6.4588

2019-03-20

Human-Computer Interaction

Abstract:Due to the prevalence of online services in modern society, such as internet banking and social media, it is important for users to have an understanding of basic security measures in order to keep themselves safe online. However, users often do not know how to make their online interactions secure, which demonstrates an educational need in this area. Gamification has grown in popularity in recent years and has been used to teach people about a range of subjects. This paper presents an exploratory study investigating the use of gamification techniques to educate average users about password security, with the aim of raising overall security awareness. To explore the impact of such techniques, a role-playing quiz application (RPG) was developed for the Android platform to educate users about password security. Results gained from the work highlighted that users enjoyed learning via the use of the password application, and felt they benefitted from the inclusion of gamification techniques. Future work seeks to expand the prototype into a full solution, covering a range of security awareness issues.

Sean Loesch,Ryan Hrastich,Jordan Herbert,Ben Drangstveit,Jacob Weber,Mounika Vanamala

DOI: https://doi.org/10.48550/arXiv.2311.16131

2023-11-01

Cryptography and Security

Abstract:In modernity, we continually receive increasingly intricate technologies that allow us to increase our lives convenience and efficiency. Our technology, particularly technology available over the internet, is advancing at unprecedented speed. However, this speed of advancement allows those behind malicious attacks to have an increasingly easier time taking advantage of those who know little about computer security. Unfortunately, education in the computer security field is generally limited only to tertiary education. This research addresses this problem through a gamified web-based application that drives users to reach learning goals to help them become more vigilant internet users: 1. Learn and memorize general computer security terminology, 2. Become familiar with basic cryptography concepts, 3. Learn to recognize potential phishing scams via email quickly, and 4. Learn common attacks on servers and how to deal with them.

Affan Yasin,Lin Liu,Tong Li,Rubia Fatima,Wang Jianmin

DOI: https://doi.org/10.1049/iet-sen.2018.5095

2019-01-01

IET Software

Abstract:Protecting people from cyber threats imposes great challenges, not only technically, but also socially. To achieve the intended level of awareness, software security principles need to be shown with concrete examples during security education. This study aims to design a serious game integrating software security knowledge and concepts into the processes to make it more engaging to learn while playing. In this paper, we have: (i) designed a serious game to compensate the deficiencies in the literature; (ii) performed empirical evaluations including survey, brainstorming and observation to the proposed game. Results: Our study shows that: (i) Cyber Security-Requirements Awareness Game (CSRAG) has a positive effect on players security learning outcomes, level of engagement and participation; (ii) Game-based learning can be an effective way of teaching security related scenarios.

Lukas Hafner,Florian Wutz,Daniela Pöhn,Wolfgang Hommel

DOI: https://doi.org/10.48550/arXiv.2308.15161

2023-08-29

Cryptography and Security

Abstract:Data breaches resulting from targeted attacks against organizations, e.g., by advanced persistent threat groups, often involve social engineering (SE) as the initial attack vector before malicious software is used, e.g., for persistence, lateral movement, and data exfiltration. While technical security controls, such as the automated detection of phishing emails, can contribute to mitigating SE risks, raising awareness for SE attacks through education and motivation of personnel is an important building block to increasing an organization's resilience. To facilitate hands-on SE awareness training as one component of broader SE awareness campaigns, we created a SE tabletop game called Tabletop As Social Engineering Prevention (TASEP) in two editions for (a) small and medium enterprises and (b) large corporations, respectively. Its game design is inspired by Dungeons & Dragons role-playing games and facilitates LEGO models of the in-game target organizations. Participants switch roles by playing a group of SE penetration testers and conducting a security audit guided by the game master. We evaluated the created game with different student groups, achieving highly immersive and flexible training, resulting in an entertaining way of learning about SE and raising awareness.