Assessing the role of conceptual knowledge in an anti-phishing game

Copyright @ 2014 IEEE. This is the author accepted version of this article.Games can be used to support learning and confidence development in several domains, including the secure use of computers. However, emphasizing different types of knowledge in a game design can lead to different outcomes. This study explores two game designs that aim to enhance students' ability to identify phishing hyperlinks. One design focuses on procedural knowledge: developing students' tacit ability to recognize phishing hyperlinks through systematic practice. The other design focuses on conceptual knowledge: helping students to explicitly reflect upon and identify the features of phishing hyperlinks. The results of a double-blind randomized trial with 66 participants suggests that using a game designed for conceptual knowledge leads to a greater increase in learners' ability to identify phishing hyperlinks. Hence, incorporating conceptual knowledge development into educational games enhances their efficacy within the computer security context

Changing users' security behaviour towards security questions: A game based learning approach

Fallback authentication is used to retrieve forgotten passwords. Security questions are one of the main techniques used to conduct fallback authentication. In this paper, we propose a serious game design that uses system-generated security questions with the aim of improving the usability of fallback authentication. For this purpose, we adopted the popular picture-based "4 Pics 1 word" mobile game. This game was selected because of its use of pictures and cues, which previous psychology research found to be crucial to aid memorability. This game asks users to pick the word that relates to the given pictures. We then customized this game by adding features which help maximize the following memory retrieval skills: (a) verbal cues - by providing hints with verbal descriptions, (b) spatial cues - by maintaining the same order of pictures, (c) graphical cues - by showing 4 images for each challenge, (d) interactivity/engaging nature of the game.Comment: 6, Military Communications and Information Systems Conference (MilCIS), 2017. arXiv admin note: substantial text overlap with arXiv:1707.0807

Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.Comment: 1