Mike Nkongolo

DOI: https://doi.org/10.34190/iccws.19.1.1957

2024-03-15

Abstract:Numerous studies confirm Cybersecurity Awareness Games (CAGs) effectively bolster organisational security against cyberattacks. This article introduces a serious CAG, integrating the traditional South African Morabaraba board game into cybersecurity education. Players adopt roles of defenders or attackers, strategically placing tokens to enhance awareness. Evaluation shows positive outcomes, enhancing understanding and enjoyment among participants.

Human-Computer Interaction

Merijke Coenraad,Anthony Pellicone,Diane Jass Ketelhut,Michel Cukier,Jan Plane,David Weintrop

DOI: https://doi.org/10.1177/1046878120933312

2020-06-19

Abstract:Background. Cybersecurity is of increasing importance in our interconnected world, yet the field has a growing workforce deficit and an underrepresentation of women and people of color. In an effort to address these issues, many digital games have been created to teach individuals about cybersecurity and keeping themselves, their data, and their networks safe. Intervention. We present the results of a systematic review of digital games related to cybersecurity as a means to understand how players are being introduced to cybersecurity in game-based contexts. Methods. Using a systematic search, we identified 181 games related to cybersecurity (either through content or aesthetics) by searching the Apple App Store, the Google Play Store, Steam, and the web broadly. Each game was played for up to an hour and characteristics such as the game story, game elements, and presentation of cybersecurity were gathered. Results. We found diverse conceptualizations of cybersecurity and of cybersecurity professionals. Further, the nature of games and the framing of cybersecurity varied by the platform and device on which the game was available (computer, mobile, or web). Web games were most likely to present cybersecurity as cyber safety and were more likely to be a gamified quiz or worksheet. Computer and mobile games tended to present cybersecurity through game aesthetics or deep content engagement. The games mirrored the underrepresentation of women and minoritized individuals in the field. Discussion. With the variety of digital cybersecurity games and the differences in games based on the platform on which the game is available, it is important game developers move beyond presenting cybersecurity through gamification and focusing on cyber safety. The current scope of cybersecurity games leaves room for the development of games focused on deeper content engagement with cybersecurity topics in an environment conducive to the broadening participation goals of the cybersecurity field.

Affan Yasin,Rubia Fatima,Zheng JiangBin,Wasif Afzal,Shahid Raza

DOI: https://doi.org/10.1016/j.infsof.2024.107426

IF: 3.9

2024-02-25

Information and Software Technology

Abstract:Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals' limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants' awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the "PhishDefend Quest" game successfully improved players' comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks.

computer science, information systems, software engineering

Christopher Scherb,Luc Bryan Heitz,Frank Grimberg,Hermann Grieder,Marcel Maurer

DOI: https://doi.org/10.48550/arXiv.2305.03062

2023-05-04

Cryptography and Security

Abstract:With the rising number of cyberattacks, such as ransomware attacks and cyber espionage, educating non-cybersecurity professionals to recognize threats has become more important than ever before. However, traditional training methods, such as phishing awareness campaigns, training videos and assessments have proven to be less effective over time. Therefore, it is time to rethink the approach on how to train cyber awareness. In this paper we suggest an alternative approach -- a serious game -- to educate awareness for common cyberattacks. While many serious games for cybersecurity education exist, all follow a very similar approach: showing people the effects of a cyber attack on their own system or company network. For example, one of the main tasks in these games is to sort out phishing mails. We developed and evaluated a new type of cybersecurity game: an attack simulator, which shows the entire setting from a different perspective. Instead of sorting out phishing mails the players should write phishing mails to trick potential victims and use other forms of cyberattacks. Our game explains the intention of each attack and shows the consequences of a successful attack. This way, we hope, players will get a better understanding on how to detect cyberattacks.

Katie Shilton,Donal Heidenblad,Adam Porter,Susan Winter,Mary Kendig

DOI: https://doi.org/10.1007/s11948-020-00250-0

Abstract:There is growing consensus that teaching computer ethics is important, but there is little consensus on how to do so. One unmet challenge is increasing the capacity of computing students to make decisions about the ethical challenges embedded in their technical work. This paper reports on the design, testing, and evaluation of an educational simulation to meet this challenge. The privacy by design simulation enables more relevant and effective computer ethics education by letting students experience and make decisions about common ethical challenges encountered in real-world work environments. This paper describes the process of incorporating empirical observations of ethical questions in computing into an online simulation and an in-person board game. We employed the Values at Play framework to transform empirical observations of design into a playable educational experience. First, we conducted qualitative research to discover when and how values levers-practices that encourage values discussions during technology development-occur during the design of new mobile applications. We then translated these findings into gameplay elements, including the goals, roles, and elements of surprise incorporated into a simulation. We ran the online simulation in five undergraduate computer and information science classes. Based on this experience, we created a more accessible board game, which we tested in two undergraduate classes and two professional workshops. We evaluated the effectiveness of both the online simulation and the board game using two methods: a pre/post-test of moral sensitivity based on the Defining Issues Test, and a questionnaire evaluating student experience. We found that converting real-world ethical challenges into a playable simulation increased student's reported interest in ethical issues in technology, and that students identified the role-playing activity as relevant to their technical coursework. This demonstrates that roleplaying can emphasize ethical decision-making as a relevant component of technical work.

Jeffrey Pawlick,Edward Colbert,Quanyan Zhu

DOI: https://doi.org/10.1145/3337772

IF: 16.6

2020-07-31

ACM Computing Surveys

Abstract:Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this article, we survey 24 articles from 2008 to 2018 that use game theory to model defensive deception for cybersecurity and privacy. Then, we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define types of defensive deception, to capture a snapshot of the state of the literature, to provide a menu of models that can be used for applied research, and to identify promising areas for future work. Our taxonomy provides a systematic foundation for understanding different types of defensive deception commonly encountered in cybersecurity and privacy.

computer science, theory & methods

Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1610.09511

2016-10-29

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, passwords and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This book focuses on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. The mobile game design aimed to enhance the user's avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework through the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society,Cryptography and Security

Dayong Ye,Tianqing Zhu,Shen Sheng,Wanlei Zhou

DOI: https://doi.org/10.48550/arXiv.2008.05629

2020-08-13

Abstract:Cyber deception is one of the key approaches used to mislead attackers by hiding or providing inaccurate system information. There are two main factors limiting the real-world application of existing cyber deception approaches. The first limitation is that the number of systems in a network is assumed to be fixed. However, in the real world, the number of systems may be dynamically changed. The second limitation is that attackers' strategies are simplified in the literature. However, in the real world, attackers may be more powerful than theory suggests. To overcome these two limitations, we propose a novel differentially private game theoretic approach to cyber deception. In this proposed approach, a defender adopts differential privacy mechanisms to strategically change the number of systems and obfuscate the configurations of systems, while an attacker adopts a Bayesian inference approach to infer the real configurations of systems. By using the differential privacy technique, the proposed approach can 1) reduce the impacts on network security resulting from changes in the number of systems and 2) resist attacks regardless of attackers' reasoning power. The experimental results demonstrate the effectiveness of the proposed approach.

Cryptography and Security

Nalin Asanka Gamagedara Arachchilage

DOI: https://doi.org/10.48550/arXiv.1511.03459

2015-11-11

Abstract:Phishing is an online identity theft that aims to steal sensitive information such as username, password and online banking details from its victims. Phishing education needs to be considered as a means to combat this threat. This paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Game design principles served as guidelines for structuring and presenting information. Our mobile game design aimed to enhance the users' avoidance behaviour through motivation to protect themselves against phishing threats. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework though the developed mobile game prototype. The study results showed a significant improvement of participants' phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants' threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Computers and Society

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1809.02013

2018-09-09

Abstract:Security challenges accompany the efficiency. The pervasive integration of information and communications technologies (ICTs) makes cyber-physical systems vulnerable to targeted attacks that are deceptive, persistent, adaptive and strategic. Attack instances such as Stuxnet, Dyn, and WannaCry ransomware have shown the insufficiency of off-the-shelf defensive methods including the firewall and intrusion detection systems. Hence, it is essential to design up-to-date security mechanisms that can mitigate the risks despite the successful infiltration and the strategic response of sophisticated attackers. In this chapter, we use game theory to model competitive interactions between defenders and attackers. First, we use the static Bayesian game to capture the stealthy and deceptive characteristics of the attacker. A random variable called the \textit{type} characterizes users' essences and objectives, e.g., a legitimate user or an attacker. The realization of the user's type is private information due to the cyber deception. Then, we extend the one-shot simultaneous interaction into the one-shot interaction with asymmetric information structure, i.e., the signaling game. Finally, we investigate the multi-stage transition under a case study of Advanced Persistent Threats (APTs) and Tennessee Eastman (TE) process. Two-Sided incomplete information is introduced because the defender can adopt defensive deception techniques such as honey files and honeypots to create sufficient amount of uncertainties for the attacker. Throughout this chapter, the analysis of the Nash equilibrium (NE), Bayesian Nash equilibrium (BNE), and perfect Bayesian Nash equilibrium (PBNE) enables the policy prediction of the adversary and the design of proactive and strategic defenses to deter attackers and mitigate losses.

Computer Science and Game Theory,Cryptography and Security

Affan Yasin,Rubia Fatima,Lijie Wen,Zheng Jiangbin,Mahmood Niazi

DOI: https://doi.org/10.1016/j.entcom.2024.100815

IF: 2.072

2025-01-01

Entertainment Computing

Abstract:Context: In recent years, there has been a significant surge in global Social Engineering (phishing) attacks. This upsurge has prompted governmental bodies, organizations, and educational institutions to formulate strategies aimed at mitigating this threat. Objective: The primary objective of this research is to create a game-based solution that educates participants about URLs and evaluates their understanding through multiple-choice questions. Methodology: To attain the aforementioned objectives, a multifaceted approach has been adopted in this study. Firstly, an extensive literature review was conducted to gain insights into the problem and prior research on the subject. This review was instrumental in comprehending the game development framework, , developmental tools, and various design models for game design. A digital adaptation of the game has been created utilizing the CONSTRUCT 3 platform. Secondly, an empirical evaluation was executed, involving participants engaging with the game and their learning assessed through survey. A survey method was employed to further gauge participants' knowledge and to solicit feedback on the game's design. Results and Conclusion: The survey results indicate a lack of significant outcomes or dependencies on the dependent variable. fun to play, , ease to play, , and game-based learning did not significantly predict avoidance behavior while the intention to play and phishing knowledge were the significant positive predictors of avoidance behavior, with intention to play showing the biggest contribution in the models 2 and 3. Correspondingly, the negligible difference between the R2 value and Delta R2 in models 2 and 3 also confirmed the small variance of model 2 (explained in the paper). Consequently, the research asserts that the assessment of the gaming method has not yielded success and underscores the necessity for enhancements and further evaluation.

Lukas Hafner,Florian Wutz,Daniela Pöhn,Wolfgang Hommel

DOI: https://doi.org/10.48550/arXiv.2308.15161

2023-08-29

Cryptography and Security

Abstract:Data breaches resulting from targeted attacks against organizations, e.g., by advanced persistent threat groups, often involve social engineering (SE) as the initial attack vector before malicious software is used, e.g., for persistence, lateral movement, and data exfiltration. While technical security controls, such as the automated detection of phishing emails, can contribute to mitigating SE risks, raising awareness for SE attacks through education and motivation of personnel is an important building block to increasing an organization's resilience. To facilitate hands-on SE awareness training as one component of broader SE awareness campaigns, we created a SE tabletop game called Tabletop As Social Engineering Prevention (TASEP) in two editions for (a) small and medium enterprises and (b) large corporations, respectively. Its game design is inspired by Dungeons & Dragons role-playing games and facilitates LEGO models of the in-game target organizations. Participants switch roles by playing a group of SE penetration testers and conducting a security audit guided by the game master. We evaluated the created game with different student groups, achieving highly immersive and flexible training, resulting in an entertaining way of learning about SE and raising awareness.

William Casey,Rhiannon Weaver,Leigh Metcalf,Jose Morales,Evan Wright,Bud Mishra

DOI: https://doi.org/10.4108/icst.bict.2014.257967

2015-01-01

Abstract:We present a game theoretic framework, modeling strategic interactions among humans and things, which are assumed to be interconnected by a social-technological network, as in Internet of Humans and Things (IOHT). Often a pair of agents in the network interacts in order for an informed sender-agent to signal an uninformed receiver-agent to take an action that benefits each of the players -- the benefits to the pair of agents are modeled by two separate utility functions, both depending on the sender's private information, the signal exchanged, and the receiver's revealed (and unrevealed) action. In general, the two agents' utilities may not be aligned and may encourage deceptive behavior. For example, a sender, aware of his own private "state of ignorance," may seek useful information from a receiver who owns powerful computational resources to search a large corpora of webpages; the sender does so by sending a signal to the receiver in the-form of a keyword. Obvious examples of deceptiveness here range from attempts to hide one's intentions to auctioning the keywords on an ad exchange through real-time bidding. A rather troublesome situation occurs when deceptions are employed to breach the security of the system, thus making the entire social-technological network unreliable. Earlier, we proposed a signaling-game-theoretic framework to alleviate this problem. This paper further enhances it by reconfiguring signals to possess more complex structures (epistatic signals to represent attack and defense options over a given set of vulnerabilities). We explore two augmentations to the original evolutionary signaling game by first enhancing mutation bias toward strategies performing well in previous populations and secondly by allowing the parameters of the utility functions to dependent on population preferences giving rise to a minority game with epistatic signaling. The resulting game systems are empirically studied through extensive computer simulation.

Affan Yasin,Lin Liu,Tong Li,Jianmin Wang,Didar Zowghi

DOI: https://doi.org/10.1016/j.infsof.2017.12.002

IF: 3.9

2018-01-01

Information and Software Technology

Abstract:Context: Security, in digitally connected organizational environments of today, involves many different perspectives, including social, physical, and technical factors. In order to understand the interactions among these correlated aspects and elicit potential threats geared towards a given organization, different security requirements analysis approaches are proposed in the literature. However, the body of knowledge is yet to unleash its full potential due to the complex nature of security problems, and inadequate ways to improve security awareness of key players in the organization. Objective: Objective(s) of the research study is to improve the security awareness of players utilizing serious games via: (i) Know-how of security concepts and security protection; (ii) guided process of identifying valuable assets and vulnerabilities in a given organizational setting; (iii) guided process of defining successful security attacks to the organization. Method: Important methods used to address the above objectives include: (i) a comprehensive review of the literature to better understand security and game design elements; (ii) designing a serious game using cyber security knowledge and game-based techniques combined with security requirements engineering concepts; (iii) using empirical evaluation (observation and survey) to verify the effectiveness of the proposed game design. Result: The solution proposed is a serious game for security requirements education, which: (i) can be an effective and fun way of learning security related concepts; (ii) mimics a real life problem setting in a presentable and understandable way; (iii) motivates players to learn more about security related concepts in future. Conclusion: From this study, we conclude that the proposed Security Requirement Education Game (SREG) has positive results and is helpful for players of the game to get an understanding of security attacks and vulnerabilities.

Matt Dixon,Nalin Asanka Gamagedara Arachchilage,James Nicholson

DOI: https://doi.org/10.48550/arXiv.1903.03019

2019-03-08

Abstract:Phishing continues to be a difficult problem for individuals and organisations. Educational games and simulations have been increasingly acknowledged as enormous and powerful teaching tools, yet little work has examined how to engage users with these games. We explore this problem by conducting workshops with 9 younger adults and reporting on their expectations for cybersecurity educational games. We find a disconnect between casual and serious gamers, where casual gamers prefer simple games incorporating humour while serious gamers demand a congruent narrative or storyline. Importantly, both demographics agree that educational games should prioritise gameplay over information provision - i.e. the game should be a game with educational content. We discuss the implications for educational games developers.

Computers and Society

Affan Yasin,Lin Liu,Tong Li,Rubia Fatima,Wang Jianmin

DOI: https://doi.org/10.1049/iet-sen.2018.5095

2019-01-01

IET Software

Abstract:Protecting people from cyber threats imposes great challenges, not only technically, but also socially. To achieve the intended level of awareness, software security principles need to be shown with concrete examples during security education. This study aims to design a serious game integrating software security knowledge and concepts into the processes to make it more engaging to learn while playing. In this paper, we have: (i) designed a serious game to compensate the deficiencies in the literature; (ii) performed empirical evaluations including survey, brainstorming and observation to the proposed game. Results: Our study shows that: (i) Cyber Security-Requirements Awareness Game (CSRAG) has a positive effect on players security learning outcomes, level of engagement and participation; (ii) Game-based learning can be an effective way of teaching security related scenarios.

Gaurav Misra,Nalin Asanka Gamagedara Arachchilage,Shlomo Berkovsky

DOI: https://doi.org/10.48550/arXiv.1710.06064

2017-10-17

Abstract:Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.

Cryptography and Security,Computers and Society

Baptiste Prebot,Yinuo Du,Cleotilde Gonzalez

2023-04-04

Abstract:Given the increase in cybercrime, cybersecurity analysts (i.e. Defenders) are in high demand. Defenders must monitor an organization's network to evaluate threats and potential breaches into the network. Adversary simulation is commonly used to test defenders' performance against known threats to organizations. However, it is unclear how effective this training process is in preparing defenders for this highly demanding job. In this paper, we demonstrate how to use adversarial algorithms to investigate defenders' learning of defense strategies, using interactive cyber defense games. Our Interactive Defense Game (IDG) represents a cyber defense scenario that requires constant monitoring of incoming network alerts and allows a defender to analyze, remove, and restore services based on the events observed in a network. The participants in our study faced one of two types of simulated adversaries. A Beeline adversary is a fast, targeted, and informed attacker; and a Meander adversary is a slow attacker that wanders the network until it finds the right target to exploit. Our results suggest that although human defenders have more difficulty to stop the Beeline adversary initially, they were able to learn to stop this adversary by taking advantage of their attack strategy. Participants who played against the Beeline adversary learned to anticipate the adversary and take more proactive actions, while decreasing their reactive actions. These findings have implications for understanding how to help cybersecurity analysts speed up their training.

Cryptography and Security,Human-Computer Interaction

Valdemar Švábenský,Jan Vykopal

DOI: https://doi.org/10.48550/arXiv.1903.04174

2019-03-11

Computers and Society

Abstract:This Work-In-Progress Paper for the Innovative Practice Category presents a novel experiment in active learning of cybersecurity. We introduced a new workshop on hacking for an existing science-popularizing program at our university. The workshop participants, 28 teenagers, played a cybersecurity game designed for training undergraduates and professionals in penetration testing. Unlike in learning environments that are simplified for young learners, the game features a realistic virtual network infrastructure. This allows exploring security tools in an authentic scenario, which is complemented by a background story. Our research aim is to examine how young players approach using cybersecurity tools by interacting with the professional game. A preliminary analysis of the game session showed several challenges that the workshop participants faced. Nevertheless, they reported learning about security tools and exploits, and 61% of them reported wanting to learn more about cybersecurity after the workshop. Our results support the notion that young learners should be allowed more hands-on experience with security topics, both in formal education and informal extracurricular events.

Rubia Fatima,Affan Yasin,Lin Liu,Jianmin Wang

DOI: https://doi.org/10.3233/jcs-181253

2019-01-01

Journal of Computer Security

Abstract:CONTEXT: In the current era of digital technology, social engineers are using various tactics to undermine human weaknesses. Social Engineers target human psychology to achieve their target(s) which are in the form of data, account details, or IT devices etc. According to our research, one of the first methods social engineers used to target victims is Phishing/Spear Phishing. OBJECTIVE: The objective of this study is to utilize serious game to: i) educate players regarding phishing and spear-phishing attacks; ii) make aware and educate players regarding dangers associated with excessive online information disclosure. METHOD: In order to address the objectives we have: i) performed an in-depth literature review to extract insights related to social engineering, phishing, game design, learning functions, human interaction, and game-based learning etc; ii) proposed and aligned the game design with social engineering ontology concepts; iii) performed an empirical evaluation to evaluate the effectiveness of the designed board game. CONCLUSION: From this research study, we conclude that: i) PhishI game is useful in educating players regarding excessive online information disclosure and phishing awareness; ii) game-based learning is an effectivemethod for inculcating and general cyber-related awareness in players.