68 research outputs found

    Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

    Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.

    Shaming as a Technique for Information Security Policy and Training Adherence

    Information security policy and information security training are vital parts for maximizing information systems security (Dhillon and Backhouse, 2000; Rezgui and Marks, 2008; Siponen, 2001; Straub and Welke, 1998). However, employees not adhering to security policies and not practicing what they learned in training can lead to unintentional mistakes and financial losses for organizations (CSI, 2010). This research investigates Deterrence Theory’s shaming as a technique for encouraging employees to adhere more to information security policies and training. Results indicate that employees find peer shaming punishments more severe than typical corporate punishment methods. Implications are that employers using peer shaming as a punishment technique may see better security policy and training adherence.

    Protection Motivation Driven Security Learning


    Gamified Digital Forensics Course Modules for Undergraduates

    Cyber security and forensics are among the most critical areas of national importance with a rising demand for knowledgeable professionals. In response to the increasing need for advanced studies in forensics, we propose game-based modules using the game-based learning approach that enable first-year students to learn basic digital forensics concepts without pre-requisite knowledge. This paper focuses on the design and development of an interactive game framework and the educational digital forensics modules that will be plugged into the game framework in a real computing environment. In contrast to the traditional teaching approaches, this modular approach will use game-based learning and visualization techniques to engage students to learn abstract concepts and to explore forensics investigation technologies and procedures through interactive games. The general design of the game framework can be replicated and adapted by other science education programs.

    Game based cyber security training: are serious games suitable for cyber security training?

    Security research and training is attracting a lot of investment and interest from governments and the private sector. Most efforts have focused on physical security, while cyber security or digital security has been given less importance. With recent high-profile attacks it has become clear that training in cyber security is needed. Serious Games have the capability to be effective tools for public engagement and behavioural change, and role-play games are already used by security professionals. Thus cyber security seems especially well-suited to Serious Games. This paper investigates whether games can be effective cyber security training tools. The study is conducted by means of a structured literature review supplemented with a general web search. While there are early positive indications there is not yet enough evidence to draw any definite conclusions. There is a clear gap in target audience with almost all products and studies targeting the general public and very little attention given to IT professionals and managers. The products and studies also mostly work over a short period, while it is known that short-term interventions are not particularly effective at affecting behavioural change.

    Simulation of PKI-Enabled Communication for Identity Management Using CyberCIEGE

    CyberCIEGE is a sophisticated network security simulation packaged as a video game and used by educators around the world to enhance information assurance education and training at universities, community colleges, within the DoD, and in other government agencies. The CyberCIEGE game engine was recently expanded to include Public Key Infrastructure (PKI) features including certification authorities, selection of installed roots and cross certification. CyberCIEGE Virtual Private Network (VPN) gateways, VPN clients and email clients were then extended to incorporate the new PKI features. CyberCIEGE PKI abstractions are described in terms of player configuration choices and the consequences of these choices on network management and vulnerabilities. The CyberCIEGE game engine modifications include modeling of chains of trust and risks of cross certification schemes. The benefits of these enhancements include coherent integration of identity management technologies, ranging from the human interface through to the supporting distributed infrastructure, into scenarios. Benefits also include support for recent new scenarios focused on the PKI infrastructure, identity management, or both; and the ability to tie both identity management and PKI to concepts of identification, authentication, provenance, and access control. These CyberCIEGE extensions were sponsored by the Biometrics Task Force. Approved for public release; distribution is unlimited.

    Get a Cue on IS Security Training: Explaining the Difference between how Security Cues and Security Arguments Improve Secure Behavior

    Secure behavior, defined as users’ compliance with their organization’s password policy, is critical for sustaining a profitable and operational organization. Training that provides security arguments and promotes systematic cognitive processing has been shown to be an effective mechanism for improving secure behavior. Training by providing security cues, on the other hand, has been criticized as having a short-lived and unpredictable influence on secure behavior. This paper challenges this criticism by explaining how security cues influence secure behavior and when they are more effective in influencing secure behavior than security arguments. We hypothesize the different theoretical mechanisms through which security arguments and security cues influence secure behavior. We further hypothesize that when users’ attitude toward behaving secure is poor, security arguments should be used. However, when users’ attitude toward behaving secure is positive, security cues should be used. This paper suggests how to test our proposed hypotheses in an experimental setting.

    An e-ADR (elaborated Action Design Research) Approach Towards Game-based Learning in Cybersecurity Incident Detection and Handling

    The growth of the internet has significantly increased the cybersecurity threat instances. Therefore, to equip people with skills to mitigate such attacks, this paper provides a Cybersecurity game-based learning artefact designed using the e-ADR approach. The artefact teaches the Incident Detection and Handling procedures that need to be undertaken in the event of a cybersecurity threat. As per NIST’s guide to malware incident prevention and handling, an incident response process has four major phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Our gaming artefact delves into the detection and containment phase to design a game that teaches users to detect and then perform containment actions on the cybersecurity threat.

    Designing Cybersecurity Awareness Solutions for the Young People in Rural Developing Countries: The Need for Diversity and Inclusion

    Cybersecurity challenges and the need for awareness are well-recognized in developed countries, but this still needs attention in less-developed countries. With the expansion of technology, security concerns are also becoming more prevalent worldwide. This paper presents a design and creation research study exploring which factors we should consider when designing cybersecurity awareness solutions for young people in developing countries. We have developed prototypes of mini-cybersecurity awareness applications and conducted a pilot study with eight participants (aged 16-30) from Gambia, Eritrea, and Syria. Our findings show that factors like the influence of culture and social constructs, literacy, and language competence, the way of introducing cybersecurity terms and concepts, and the need for reflection are essential to consider when designing and developing cybersecurity awareness solutions for target users in developing countries. The findings of this study will guide future researchers to design more inclusive cybersecurity awareness solutions for users in developing countries.