ABSTRACT
Phishing attacks are a major problem, as evidenced by the DNC hackings during the 2016 US presidential election, in which staff were tricked into sharing passwords by fake Google security emails, granting access to confidential information. Vulnerabilities such as these are due in part to insufficient and tiresome user training in cybersecurity. Ideally, we would have more engaging training methods that teach cybersecurity in an active and entertaining way. To address this need, we introduce the game What.Hack, which not only teaches phishing concepts but also simulates actual phishing attacks in a role-playing game to encourage the player to practice defending themselves. Our user study shows that our game design is more engaging and effective in improving performance than a standard form of training and a competing training game design (which does not simulate phishing attempts through role-playing).