Assessing the role of conceptual knowledge in an anti-phishing game

Copyright @ 2014 IEEE. This is the author accepted version of this article.Games can be used to support learning and confidence development in several domains, including the secure use of computers. However, emphasizing different types of knowledge in a game design can lead to different outcomes. This study explores two game designs that aim to enhance students' ability to identify phishing hyperlinks. One design focuses on procedural knowledge: developing students' tacit ability to recognize phishing hyperlinks through systematic practice. The other design focuses on conceptual knowledge: helping students to explicitly reflect upon and identify the features of phishing hyperlinks. The results of a double-blind randomized trial with 66 participants suggests that using a game designed for conceptual knowledge leads to a greater increase in learners' ability to identify phishing hyperlinks. Hence, incorporating conceptual knowledge development into educational games enhances their efficacy within the computer security context

A Proposal for Social Ethical Hacking Framework for Detecting and Managing Human-Induced Vulnerabilities in Organizational Cybersecurity

Organizations carry out an ethical hacking approach to combat cybersecurity challenges, focusing on the technical aspects of cybersecurity vulnerabilities. The practice persists despite evidence that shows that human-induced cybersecurity vulnerabilities constitute a significant threat to organizational cybersecurity. To address this gap, we propose the social-ethical hacking framework to deal with human-induced cybersecurity vulnerabilities in organizations. We adopted the interpretive case study research method, the community of practice theory as the theoretical study lens, and university undergraduate students as the study context. Research data was collected through interviews and participatory observation. The study reveals how the communities of practice undergraduate students established in the study context enabled the institutionalization of social actions and behaviors that constitute cybersecurity vulnerabilities. Organizational actors jointly create the social behaviors and actions that make organizations vulnerable to cybersecurity challenges and should focus on social-ethical hacking practices. The result shows the crucial role of competence in degenerating similar behaviors among undergraduate students; and how their social behaviors make their institution susceptible to cyber security threats

Tabletop Exercise For Cybersecurity Educational Training; Theoretical Grounding And Development

Haridus- ja treeningaspektid on riiklike küberturvalisuse strateegiate vitaalsed komponendid, et kujundada, tugevdada ning proovile panna otsustajate valmisolekut nii aktuaalsete kui võimalike tulevaste küberväljakutsete ees. Küberkaitses ja -julgeolekus on otsuste langetamisel üliolulised kriisijuhtimisoskused, et suuta adekvaatselt vastata juhtumitele, mil era- või avalik heaolu ja turvalisus on ohustatud. Selle magistritöö eesmärk on välja pakkuda küberjulgeoleku strateegiate hariduslike komponentide võimalike ning teadaolevate nõrkuste parandamine, arutledes teadlikkuse väljaõpete mudeleid märkimisväärse mõjuga osavõtjatele, fookusega strateegilise otsustamisvõimega personalil, mis võiks osaleda küberjuhtumis. Töö toetab simulatsioonil põhinevate stsenaariumite kasutamist ning keskendub mudelõppuste kujundamisele. Käesolev töö näitab, kuidas mudelõpe võib olla tõhus viis küberjuhtumites strateegiliste otsuste langetamisel teadlikkuse, mõistmise ja ettevalmistuse kujundamiseks, parandamiseks ning proovilepanemiseks. Lõputöö tugineb ditsiplinaarsel ja kontseptuaalsel õpinguteooriate integratsioonil mängustamisel põhinevate ajenditega ning juhtimisteooriatega. Stsenaariumil põhinev treening pakub turvalist ja paindlikku keskkonda, kus osavõtja on pandud kriitilisse situatsiooni, säilitades realistlikku ülevaate küberkriisi tunnustest ning võimalikest ohtudest. Simulatsioon väljendab võimalikke väljakutseid, nõudes kriisijuhtimisoskusi ning kohast reaktsiooni. Mudelõppused võimaldavad andragoogilise kasu ja hariduslike eesmärkide realiseerimist innovatiivsel ja kaasaval meetodil. Selle treeningmudeli tulemused mõõdetakse kasutades Bloomi õppe-kasvatustöö eesmärkide liigituse kontrollitud taksonoomiat, arvesse võttes kogemusõppe ja paiknevustunnetuse elemente. VOOT-tsükkel pakub läbimõeldud otsustusprotsessi, mis samuti sobib antud ettepaneku dünaamikasse. Lisaks panustab töö originaalse modulaarse juhendiga, mida treenijad ning õppejõud saavad kasutada mudelõppe teostamiseks küberjulgeolekus. Riikliku ja rahvusvahelise tasandi mudelõppuste kogemus ja osavõtt sai empiirilist tuge teoreetilisele integratsioonile ning teadustas modulaarse juhendi arengut. Töö on kvalitatiivne. Lõputöö panustab asjakohasesse akadeemilisse dialoogi selle teoreetiliste alustega. Samuti praktiliselt, kuna pakub vahendeid simulatsioonipõhise mudelõppe läbiviimiseks.Education and training aspects are vital components of national cybersecurity strategies, to shape, enhance and test the decision maker’s level of preparedness before current and future challenges that can arise from a cyber incident. Decision-making processes in cyber defense and security require crucial crisis management competences capable of generating a comprehensive response where safety, well-being and other public and private assets could be put at stake. The purpose of this thesis is to suggest the improvement of potential and perceived weaknesses on the educational components of cyber security strategies, discussing awareness-training models with significant impact on the participants, focusing on strategic decision-making level personnel that could partake of cyber related incidents. The work supports the use of simulation-based scenarios, and concentrates on the design of Tabletop exercises. This thesis shows when a tabletop exercise could be an effective mechanism to shape, enhance and test the awareness, understanding and preparation for strategic decision makers in cyber related incidents. The thesis draws from a disciplinary integration of learning, human computer interaction, and management theories. A scenario-based training provides a safe and flexible environment where the participant is placed into a critical situation while maintaining a realistic insight into the characteristics of cyber crisis and the threats and attacks that may take place. The simulation represents possible challenges, demanding crisis management capacity and an appropriate response. Tabletop exercises permits that andragogical benefits and educational purposes be realized through an innovative and engaging method. Considering elements from experiential learning and situated cognition the learning outcomes of this training model will be measured, using Bloom’s revised taxonomy of educational objectives. The OODA Loop will suggest a thoughtful decision making process that also fits well the dynamic of the current proposal. Additionally, the thesis will contribute with an original modular guide that trainers and educators can use for the implementation of a Tabletop exercise on cyber security. National and international level tabletop exercises experience and participation provided empirical support to the theoretical contribution on theory integration, and informed the modular guide development. The work is qualitative and therefore seeks to observe, interpret and understand, by using documental analysis, and observation methods. The work contributes to the relevant academic dialog on its theoretical grounds and also in practical terms, by providing with tools readily applicable to the creation of simulation based tabletop exercises

Gamification as a neuroergonomic approach to improving interpersonal situational awareness in cyber defense

In cyber threat situations, the establishment of a shared situational awareness as a basis for cyber defense decision-making results from adequate communication of a Recognized Cyber Picture (RCP). RCPs consist of actively selected information and have the goal of accurately presenting the severity and potential consequences of the situation. RCPs must be communicated between individuals, but also between organizations, and often from technical to non-/less technical personnel. The communication of RCPs is subject to many challenges that may affect the transfer of critical information between individuals. There are currently no common best practices for training communication for shared situational awareness among cyber defense personnel. The Orient, Locate, Bridge (OLB) model is a pedagogic tool to improve communication between individuals during a cyber threat situation. According to the model, an individual must apply meta-cognitive awareness (O), perspective taking (L), and communication skills (B) to successfully communicate the RCP. Gamification (applying game elements to non-game contexts) has shown promise as an approach to learning. We propose a novel OLB-based Gamification design to improve dyadic communication for shared situational awareness among (technical and non-technical) individuals during a cyber threat situation. The design includes the Gamification elements of narrative, scoring, feedback, and judgment of self. The proposed concept contributes to the educational development of cyber operators from both military and civilian organizations responsible for defending and securing digital infrastructure. This is achieved by combining the elements of a novel communication model with Gamification in a context in urgent need for educational input.publishedVersio

SOK:young children’s cybersecurity knowledge, skills & practice: a systematic literature review

The rise in children’s use of digital technology highlights the need for them to learn to act securely online. Cybersecurity skills require mature cognitive abilities which children only acquire after they start using technology. As such, this paper explores the guidance and current curriculum expectations on cybersecurity aspects in Scotland. Additionally, a systematic review was undertaken of the literature pertaining to cybersecurity education for children on a wider scale including papers from around the world, with 27 peer reviewed papers included in the final review. We discovered that most research focused on assessing children’s knowledge or investigating the efficacy of interventions to improve cybersecurity knowledge and practice. Very few investigated the skills required to carry out the expected cybersecurity actions. For example, high levels of literacy, mature short- and long-term memory, attention, and established meta cognition are all pre-requisites to be able to carry out cybersecurity activities. Our main finding is that empirical research is required to explore the ages at which children have developed essential cognitive abilities and thereby the potential to master cybersecurity skills

Digital and Media Literacy: A Plan of Action

Outlines a community education movement to implement Knight's 2009 recommendation to enhance digital and media literacy. Suggests local, regional, state, and national initiatives such as teacher education and parent outreach and discusses challenges

Developing and Assessing a Workshop That Utilizes a Serious Game to Introduce Joint All-domain Operations

The DoD has begun developing Joint All-Domain Operations (JADO) to prepare for the future of warfare. As complexity and technological capability increases, the U.S. military needs to adapt to provide a more lethal and capable force, able to compete and win against near-peer adversaries. This research describes the development of an Introduction to JADO Workshop designed to provide a structured primer into JADO concepts. The research also presents an extension of BSN in the form of BSN scenarios. These scenarios alter the rules to lessen the learning curve for the game and to engage with JADO concepts. This research proposed a format for future JADO education course, refined the BSN tool to improve effectiveness, measurement of the response to JADO education, and an assessment of the workshop from JADO leaders across the Air Force

Security awareness of computer users: A game based learning approach

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused to investigate the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed to enhance the user avoidance behaviour through motivation to thwart phishing attack. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on a HTC One X touch screen smart phone. Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats. Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework

Forging Wargamers

How do we establish or improve wargaming education, including sponsors, participants, and future designers? The question stems from the uncomfortable truth that the wargaming discipline has no foundational pipeline, no established pathway from novice to master. Consequently, the wargaming community stands at a dangerous precipice at the convergence of a stagnant labor force and a patchwork system of passing institutional war-gaming knowledge. Unsurprisingly, this can lead to ill-informed sponsors, poorly scoped wargames, an unreliable standard of wargaming expertise, and worst of all, risks the decline of wargaming as an educational and analytical tool. This fundamental challenge is a recurring theme throughout this volume and each author offers their own perspective and series of recommendations