Can serious gaming tactics bolster spear-phishing and phishing resilience?: Securing the human hacking in Information SecurityShow others and affiliations
2024 (English)In: Information and Software Technology, ISSN 0950-5849, E-ISSN 1873-6025, Vol. 170, article id 107426Article in journal (Refereed) Published
Abstract [en]
Context: In the digital age, there is a notable increase in fraudulent activities perpetrated by social engineers who exploit individuals’ limited knowledge of digital devices. These actors strategically manipulate human psychology, targeting IT devices to gain unauthorized access to sensitive data. Objectives: Our study is centered around two distinct objectives to be accomplished through the utilization of a serious game: (i) The primary objective entails delivering training and educational content to participants with a focus on phishing attacks; (ii) The secondary objective aims to heighten participants’ awareness regarding the perils associated with divulging excessive information online. Methodology: To address these objectives, we have employed the following techniques and methods: (i) A comprehensive literature review was conducted to establish foundational knowledge in areas such as social engineering, game design, learning principles, human interaction, and game-based learning; (ii) We meticulously aligned the game design with the philosophical concept of social engineering attacks; (iii) We devised and crafted an advanced hybrid version of the game, incorporating the use of QR codes to generate game card data; (iv) We conducted an empirical evaluation encompassing surveys, observations, discussions, and URL assessments to assess the effectiveness of the proposed hybrid game version. Results: Quantitative data and qualitative observations suggest the “PhishDefend Quest” game successfully improved players’ comprehension of phishing threats and how to detect them through an interactive learning experience. The results highlight the potential of serious games to educate people about social engineering risks. Conclusion: Through the evaluation, we can readily arrive at the following conclusions: (i) Game-based learning proves to be a viable approach for educating participants about phishing awareness and the associated risks tied to the unnecessary disclosure of sensitive information online; (ii) Furthermore, game-based learning serves as an effective means of disseminating awareness among participants and players concerning prevalent phishing attacks. © 2024 The Authors
Place, publisher, year, edition, pages
Elsevier B.V. , 2024. Vol. 170, article id 107426
Keywords [en]
Computer crime; Cybersecurity; Digital devices; Ethical technology; Game design; Sensitive data; Digital age; Game design; Game-based Learning; Human factor in security; Phishing; Phishing attacks; Scam; Serious gaming; Social engineering; Spear phishing; Serious games
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:ri:diva-72770DOI: 10.1016/j.infsof.2024.107426Scopus ID: 2-s2.0-85187177892OAI: oai:DiVA.org:ri-72770DiVA, id: diva2:1858325
Note
This paper is partially supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 883054 (EU-HYBNET).
2024-05-162024-05-162025-09-23Bibliographically approved