Assessing the role of conceptual knowledge in an anti-phishing game

Copyright @ 2014 IEEE. This is the author accepted version of this article.Games can be used to support learning and confidence development in several domains, including the secure use of computers. However, emphasizing different types of knowledge in a game design can lead to different outcomes. This study explores two game designs that aim to enhance students' ability to identify phishing hyperlinks. One design focuses on procedural knowledge: developing students' tacit ability to recognize phishing hyperlinks through systematic practice. The other design focuses on conceptual knowledge: helping students to explicitly reflect upon and identify the features of phishing hyperlinks. The results of a double-blind randomized trial with 66 participants suggests that using a game designed for conceptual knowledge leads to a greater increase in learners' ability to identify phishing hyperlinks. Hence, incorporating conceptual knowledge development into educational games enhances their efficacy within the computer security context

Security awareness of computer users: A game based learning approach

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The research reported in this thesis focuses on developing a framework for game design to protect computer users against phishing attacks. A comprehensive literature review was conducted to understand the research domain, support the proposed research work and identify the research gap to fulfil the contribution to knowledge. Two studies and one theoretical design were carried out to achieve the aim of this research reported in this thesis. A quantitative approach was used in the first study while engaging both quantitative and qualitative approaches in the second study. The first study reported in this thesis was focused to investigate the key elements that should be addressed in the game design framework to avoid phishing attacks. The proposed game design framework was aimed to enhance the user avoidance behaviour through motivation to thwart phishing attack. The results of this study revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through their motivation. The theoretical design approach was focused on designing a mobile game to educate computer users against phishing attacks. The elements of the framework were addressed in the mobile game design context. The main objective of the proposed mobile game design was to teach users how to identify phishing website addresses (URLs), which is one of many ways of identifying a phishing attack. The mobile game prototype was developed using MIT App inventor emulator. In the second study, the formulated game design framework was evaluated through the deployed mobile game prototype on a HTC One X touch screen smart phone. Then a discussion is reported in this thesis investigating the effectiveness of the developed mobile game prototype compared to traditional online learning to thwart phishing threats. Finally, the research reported in this thesis found that the mobile game is somewhat effective in enhancing the user’s phishing awareness. It also revealed that the participants who played the mobile game were better able to identify fraudulent websites compared to the participants who read the website without any training. Therefore, the research reported in this thesis determined that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived threat and perceived susceptibility elements have a significant impact on avoidance behaviour through motivation to thwart phishing attacks as addressed in the game design framework

The Phishing Master Anti-Phishing Game

Games are one type of measure developed to raise security awareness. We present the design of a anti-phishing game for public events or for public spaces. We collected feedback on the game and got an impression of individuals\u27 interaction with the game, through a small user study with a convenience sample at a public event. Participants left overall positive feedback on the game. Our anti-phishing game seems to be a good alternative to classical anti-phishing measures -- in particular for public security awareness events. However, further work is required to integrate the received feedback and then evaluate the game in a controlled study

Development and Evaluation of an Anti-Phishing Shooting Game

Phishing attacks continue to pose a great threat to citizens and companies. This paper introduces a newly developed anti-phishing shooting game and describes the design and results of an evaluation study. The conclusion of the study is that the game can be an engaging measure to raise awareness among Internet users regarding phishing messages and to support users in recognizing such messages

The Best Defense is a Good Offense: Teaching Phishing Defense Tactics Through a High Agency Playable Experience

Phishing attacks are challenging to detect and can have severe consequences. For example, in 2020 alone, phishing attacks cost organizations more than $1.8 billion. Numerous phishing training programs such as reading materials, training videos, and games aim to mitigate the incurred losses. However, regardless of the medium, nearly all existing training places the learner in the role of the victim. We hypothesize placing the players as an attacker tasked with strategically creating emails will naturally lead to players better recognizing phishing emails. Based on this hypothesis, we have developed an interactive game that trains the users against phishing attacks as an attacker. Our players actively craft simulated emails that employ various phishing techniques rather than passively receiving emails and being asked to classify them. We conducted user testing with 11 participants, and our results showed that participants recognized and understood phishing emails better after playing the game

Developing and evaluating a five minute phishing awareness video

Confidence tricksters have always defrauded the unwary. The computer era has merely extended their range and made it possible for them to target anyone in the world who has an email address. Nowadays, they send phishing messages that are specially crafted to deceive. Improving user awareness has the potential to reduce their effectiveness. We have previously developed and empirically-validated phishing awareness programmes. Our programmes are specifically designed to neutralize common phish-related misconceptions and teach people how to detect phishes. Many companies and individuals are already using our programmes, but a persistent niggle has been the amount of time required to complete the awareness programme. This paper reports on how we responded by developing and evaluating a condensed phishing awareness video that delivered phishing awareness more efficiently. Having watched our video, participants in our evaluation were able to detect phishing messages significantly more reliably right after watching the video (compared to before watching the video). This ability was also demonstrated after a retention period of eight weeks after first watching the video