Designing a Mobile Game to Teach Conceptual Knowledge of Avoiding “Phishing Attacks”
Nalin Asanka Gamagedara Arachchilage, Steve Love, Michael Scott
School of Information Systems, Computing and Mathematics
Brunel University
Uxbridge, Middlesex, UK
Abstract
Phishing is a form of online identity theft, which attempts to appropriate confidential and sensitive information such as usernames and passwords from its victims. To facilitate cyberspace as a secure environment, phishing education needs to be made accessible to home computer users, and mobile games enable embedded learning in a natural environment. Previously, we have introduced a mobile game design that aimed to enhance avoidance motivation and behavior to protect against phishing threats. This paper focuses on a design that develops the conceptual knowledge that is necessary to combat phishing threats, teaching home computer users about phishing emails and web addresses. The prototype game design is presented on Google App Inventor Emulator.
Keywords - mobile game design; phishing attacks; security awareness; human computer interaction; mobile game based learning
1. Introduction
Security exploits can include IT threats such as viruses, malicious software (malware), unsolicited e-mail (spam), and monitoring software (spyware). Phishing, however, is a form of semantic attack [1, 8] that leverages human vulnerabilities, rather than exploiting technical pitfalls. Attackers will attempt to trick Internet users into following malformed URLs (Uniform Resource Locators) that mimic legitimate versions as closely as possible. These will typically lead to fraudulent websites that share the same look-and-feel as the real version. Users may then unintentionally provide private information such as usernames, passwords or bank details to a third party.
This research addresses the need to influence the human aspect of security so that malicious IT threats are avoided in the context of home computer use. These users are susceptible to phishing threats due to the rapid growth of Internet technology [9]. The Internet is so ubiquitous today that it provides the baseline for modern living, enabling ordinary people to socialize, shop, and be entertained, all through their home computers. As people’s reliance on the Internet grows, the possibility of hacking, attacking and other security breaches increases day by day [5]. Therefore, home computer users make a significant contribution in helping to make cyberspace a safer place for everyone, and the message “security starts at home” should be spread to all home computer users [2].
In the past, phishing attacks have been distributed through scam emails [10, 17], for example urging people to participate in a survey or to verify their bank account information. Now phishing has become a persistent threat, as people consume and distribute a significant amount of information through links in social media. This includes Internet-enabled services such as Facebook, Hi5, Skype, Twitter, Orkut, Google+, and even professional social networking websites such as LinkedIn.
In addition, as organizations have become increasingly ‘virtual’, there has been a technological move from the work to the domestic environment [7]. Employees have the freedom to work at home or to bring unfinished work home due to the pervasiveness of Internet technology. This increases the opportunity for home computer users to open a “back door” to IT threats. These home computer users are unlikely to have a sufficient IT infrastructure or technology to protect themselves from malicious IT attacks, and may not have proper standards or strict IT security policies in place. For example, most home computer users are not IT professionals and lack the necessary computer literacy to establish a secure home computing system. Home computer users also tend to display unsafe computer behavior that is particularly vulnerable to IT threats, for example browsing unsafe websites, downloading suspicious software, sharing passwords among family and peers, and using unprotected home wireless networks [5].
As phishing attacks become increasingly sophisticated, it becomes more challenging to protect against them [3, 13], and without an appropriate level of security awareness, some home computer users are becoming vulnerable to these new threats [12, 14]. A number of automated software tools have been developed to alert users to potentially fraudulent emails and websites [13]. Ye and Sean [21] and Dhamija and Tygar [15] have developed a prototype called “trusted paths” for the Mozilla web browser that is designed to help users verify that their browser has made a secure connection to a trusted website. However, these systems are not totally reliable in detecting phishing attacks [19]. Previous research has revealed that the available anti-phishing tools such as Calling ID Toolbar, Cloudmark Anti-Fraud Toolbar, EarthLink Toolbar, Firefox 2, eBay Toolbar, and Netcraft Anti-Phishing Toolbar are insufficient to combat phishing threats [18]. Even the best toolbars miss over 20% of phishing websites [20]. On the one hand, software application designers and developers, with the help of security expertise, will continue to improve phishing and spam detection. Nonetheless, the human factor risk is high and people are the weakest link in information security [4]. Therefore, it is appropriate to mitigate human factor risks by educating users against phishing threats [16, 18].

International Journal for e-Learning Security (IJeLS), Volume 2, Issues 1/2, March/June 2012. Copyright © 2012, Infonomics Society.
In this paper, we present the design of a mobile game that aims to develop conceptual knowledge of phishing URLs. The most significant feature of the mobile environment is mobility itself: mobility of the user, mobility of the device, and mobility of the service [11, 22]. It enables users to stay in contact while they are outside the reach of traditional communication spaces; for example, a person can play a game on his mobile device while travelling on the bus or train. The remainder of this paper is organized as follows: section two discusses related work; section three describes the game prototype design we created on Google App Inventor Emulator; and section four concludes the paper and opens future work directions.
2. Related work
Arachchilage and Cole [11, 12] designed a mobile game prototype as an educational tool to teach home computer users to protect themselves against phishing attacks. Their research proposed a mobile game design for learning, based on a story which simplifies and exaggerates real life situations. The research asked two questions. The first is how the system developer identifies which issues the game needs to address. Once the developer has identified the salient issues, they are faced with the second question: what principles should guide the structure of this information? A theoretical model derived from Technology Threat Avoidance Theory (TTAT) was used to address those mobile game design issues, and the mobile game design principles were used as a set of guidelines for structuring and presenting information in the mobile game design context [6, 11]. The objective of their anti-phishing mobile game design was to teach the user how to identify phishing URLs and emails, which is one of many ways to identify a phishing attack. The overall mobile game design focused on enhancing the avoidance behavior of home computer users, through motivation, to thwart phishing threats. The prototype game design was presented on Google App Inventor Emulator.
The proposed mobile game design focused almost entirely on procedural knowledge. However, some conceptual knowledge about the parts of a URL and of an email might help the user to distinguish phishing URLs and email messages from legitimate ones [19]. Therefore, this research attempts to address this issue in the mobile game design context. For example, when a user correctly identifies a phishing URL, they should be asked which portion of the URL indicates phishing, to determine whether or not they have understood the concept of a phishing URL. Alternatively, when a user is presented with a portion of a phishing email addressed to “Dear Valued Customer”, this can also be used to determine whether or not they have understood the concept of a phishing email. Therefore, this research attempts to extend Arachchilage and Cole’s [11, 12] mobile game design by addressing conceptual knowledge of phishing URLs and emails to thwart phishing attacks.
3. Game prototype design
To explore the viability of using a game to thwart phishing attacks based on conceptual knowledge, a prototype was implemented using Google App Inventor Emulator. We created a story addressing conceptual knowledge of phishing URLs and emails within a game design context.
3.1 Story
The game is based on a scenario with two characters, a small fish and a big fish, that both live in a big pond. The main character is the small fish, who wants to eat worms to become a big fish. Worms are randomly generated in the game design. The user role-plays as the small fish. However, the small fish should be careful of phishers, who try to trick him with fake worms. This represents phishing attacks by developing threat perception. The other character is the small fish’s teacher, an experienced fish in the pond. The proposed mobile game design prototype contains two sections: teaching the concept of phishing URLs and teaching the concept of phishing emails. In the mobile game design, the user is presented with a combination of phishing and legitimate URLs (in this case 15 URLs) and emails (in this case 15 emails). Both the URLs and the emails are targeted at teaching users conceptual knowledge of phishing attacks.
3.1.1 Concepts of phishing website addresses (URLs)
Each worm is associated with a URL, which appears in a dialog box. The small fish’s job is to eat all the real worms, which are associated with legitimate URLs, and to avoid the fake worms, which are associated with phishing URLs, before the time is up (Fig. 1). This attempts to develop the user’s sense of the severity and susceptibility of the phishing threat through the game design. If a phishing URL is correctly identified, then users are prompted to indicate which portion of the URL indicates phishing, in order to determine whether or not they have understood the conceptual knowledge of the phishing URL (Fig. 2). At this point the user’s score is doubled, in order to encourage them to complete the game. Nevertheless, if the phishing URL is incorrectly identified, then users get real time feedback saying why their decision was wrong, with an example such as “Legitimate websites usually do not have numbers at the beginning of their URLs. For example, http://181.57.97.116/.www.hsbc.co.uk”. Therefore, this attempts to teach conceptual knowledge of phishing URLs within the game design context.
If the worm associated with the URL looks suspicious, or if it is difficult to identify, the small fish can go to the ‘teacher’ and request help. The big fish then provides some tips on how to recognize bad worms, for example “website addresses with numbers in the front are generally scams” or “a company name followed by a hyphen in a URL is generally a scam”. Whenever the small fish asks the teacher for help, the time left is reduced by a certain amount (in this case by 1 minute) as the price of the safeguard measure. This attempts to address safeguard effectiveness and the cost that must be paid for the safeguard in the game design context. The consequences of the player’s actions are shown in Table 1.
Table 1. Scoring scheme and consequences of the player’s action.

Player action  | Good worm (associated with legitimate URL)                     | Bad worm (associated with phishing URL)
Player eats    | Correct, gain 15 points (each attempt = 1 point)               | False negative (each attempt loses 1 minute out of 10 minutes)
Player rejects | False positive (each attempt loses 1 minute out of 10 minutes) | Correct, gain 15 points (each attempt = 1 point)
Figure 1. Main Menu of the game prototype design displayed on Google App Inventor Emulator.
Figure 2. Phishing URL dialog box: Learning conceptual knowledge of phishing URL.
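As an added illustration (not the paper’s App Inventor code), the following Python models the URL round of Section 3.1.1 and the scoring scheme of Table 1: a worm’s URL is checked for the two cues the teacher fish quotes (a numeric address at the front, a company name followed by a hyphen), and each eat/reject decision, the follow-up “which portion indicates phishing?” question and a request for the teacher’s help update the score and the time left. The brand list and the third sample URL are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

ROUND_SECONDS = 10 * 60    # Table 1: time penalties are taken out of 10 minutes
PENALTY_SECONDS = 60       # a false positive or false negative costs 1 minute
HELP_COST_SECONDS = 60     # asking the teacher fish for a tip also costs 1 minute

# Hypothetical brand list the game would ship with (constructed for this example).
KNOWN_BRANDS = ("hsbc", "paypal", "ebay")

TIP_NUMERIC = "Legitimate websites usually do not have numbers at the beginning of their URLs."
TIP_HYPHEN = "A company name followed by a hyphen in a URL is generally a scam."

# Constructed sample worms: (url, is_phishing). The first two URLs appear in the paper;
# the third is a made-up example of the brand-hyphen cue.
SAMPLE_WORMS = [
    ("http://www.hsbc.co.uk/", False),
    ("http://181.57.97.116/.www.hsbc.co.uk", True),
    ("http://hsbc-secure-login.example/", True),
]


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def is_numeric_host(host: str) -> bool:
    """True when the host is a bare IP address instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_cue(url: str):
    """Return (portion_of_url, teacher_tip) for a cue the game teaches, else None.

    Only the two cues quoted in the paper are modelled, so None means
    'no cue found', not 'legitimate'.
    """
    host = host_of(url)
    if is_numeric_host(host):
        return host, TIP_NUMERIC
    for label in host.split("."):
        for brand in KNOWN_BRANDS:
            if label.startswith(brand + "-"):
                return label, TIP_HYPHEN
    return None


@dataclass
class UrlRound:
    """State of one URL round: points scored and seconds left on the clock."""
    score: int = 0
    time_left: int = ROUND_SECONDS
    false_positives: int = 0
    false_negatives: int = 0

    def _lose_time(self, seconds: int) -> None:
        self.time_left = max(0, self.time_left - seconds)

    def ask_teacher(self, url: str) -> str:
        """Teacher tip for this worm; costs HELP_COST_SECONDS of the time left."""
        self._lose_time(HELP_COST_SECONDS)
        cue = phishing_cue(url)
        return cue[1] if cue else "The teacher has no tip for this worm."

    def play(self, url: str, is_phishing: bool, eat: bool, portion_named: str = "") -> str:
        """Apply Table 1 to one worm and return the feedback shown to the player.

        portion_named is the player's answer to 'which part of the URL indicates
        phishing', asked only after a phishing URL is correctly rejected.
        """
        cue = phishing_cue(url)
        if eat and not is_phishing:
            self.score += 1
            return "Correct: real worm eaten."
        if eat and is_phishing:
            self.false_negatives += 1
            self._lose_time(PENALTY_SECONDS)
            return "Wrong (false negative). " + (cue[1] if cue else "This worm was fake.")
        if not eat and not is_phishing:
            self.false_positives += 1
            self._lose_time(PENALTY_SECONDS)
            return "Wrong (false positive): this worm was real."
        self.score += 1                       # phishing URL correctly rejected
        if cue and portion_named.strip().lower() == cue[0]:
            self.score *= 2                   # conceptual check passed: score doubled
            return "Correct, and you named the telltale portion: score doubled."
        return "Correct, but the telltale portion was: " + (cue[0] if cue else "unknown")


def demo_round() -> UrlRound:
    """Play the constructed sample: one good eat, one explained reject, one slip, one tip."""
    game = UrlRound()
    game.play(*SAMPLE_WORMS[0], eat=True)
    game.play(*SAMPLE_WORMS[1], eat=False, portion_named="181.57.97.116")
    game.play(*SAMPLE_WORMS[2], eat=True)           # fell for the brand-hyphen worm
    game.ask_teacher(SAMPLE_WORMS[2][0])
    return game


if __name__ == "__main__":
    g = demo_round()
    print(f"score={g.score} time_left={g.time_left}s "
          f"false_negatives={g.false_negatives} false_positives={g.false_positives}")
```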
3.1.2 Teaching the concept of phishing emails
Each worm is randomly generated with an email icon in the game design, so the small fish needs to eat the worm to open the email (Fig. 3 and Fig. 5). This is done once the user clicks on the worm. At this point, a portion of an email appears, asking the user to identify whether it is a legitimate or a phishing email. This represents phishing attacks by developing threat perception. The reason for using a portion of an email, instead of a whole email, is to determine whether or not the user has understood the conceptual knowledge about phishing emails. The small fish’s job is to eat all the real worms by clicking the “ACCEPT” button while avoiding fake worms by clicking the “AVOID” button (Fig. 6). If the user wrongly accepts a phishing email as legitimate, they are susceptible to a phishing attack, and this costs one life at each attempt in the game design. At this point, the game design emphasizes both the likelihood of a phishing attack and the severity caused by the attack. The different sections of an email help the user to identify the legitimacy of the email [9]. For example, phishing emails often contain a generic salutation such as “Dear Valued Customer” or use a trusted company logo. They may also contain a statement urging immediate action or mimic a legitimate email address (Fig. 7). Each worm associated with a portion of an email may contain phishing email traps as well as legitimate content. The phishing email traps covered in the game design include fake links or email addresses, generic salutations, statements urging immediate action and more.

Figure 1 and Figure 2 annotations (images not available): Teacher; Worm; Hook; Small fish; URL dialog showing http://181.57.97.116/.www.hsbc.co.uk; feedback text “Legitimate websites usually do not have numbers at the beginning of their URLs. For example, http://81.153.192.106/.www.hsbc.co.uk”.
If the portion of an email is suspicious or difficult to identify, the small fish can go to ‘his’ teacher and ask for help. The teacher helps him by giving some tips on how to identify phishing emails, for example “phishing emails often contain a generic salutation” or “emails associated with urgent requests are generally phishing emails”. Whenever the small fish asks the teacher for help, the time left is reduced by a certain amount (in this case by 1 minute) as the price of the safeguard measure. This attempts to address safeguard effectiveness and the cost that must be paid for the safeguard in the game design. The small fish’s teacher may also help the player throughout the game, until it is completed, by providing some tips (Fig. 3 and Fig. 4). This can enhance the learnability of the game itself for the user.
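As an added example (not code from the paper), the Python below extracts the textual traps of Section 3.1.2 and Fig. 7 from a constructed portion of an email, in the way the worm dialog and the teacher’s tips would use them: a sender address that imitates a company, a generic salutation, a statement urging immediate action, and a link whose visible text does not match its target. The brand-to-domain table, both sample messages and the tip wording for the address and link traps are assumptions; a logo is an image and is not checked here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical brand -> legitimate sender domain table (constructed for this example).
BRAND_DOMAINS = {"hsbc": "hsbc.co.uk", "paypal": "paypal.com"}

# Teacher tips keyed by trap. The salutation and urgency tips are the paper's wording;
# the other two are assumed wording in the same style.
TIPS = {
    "mimicked email address": "The sender address imitates a company but is not its domain.",
    "generic salutation": "Phishing emails often contain a generic salutation.",
    "urgent request": "Emails associated with urgent requests are generally phishing emails.",
    "fake link": "The link text shows one address but the link leads somewhere else.",
}

GENERIC_SALUTATION = re.compile(r"\bdear\s+(?:valued\s+)?(?:customer|user|member|client)\b", re.I)
URGENCY = re.compile(
    r"\b(?:immediately|urgent|act\s+now|within\s+\d+\s+hours|will\s+be\s+(?:suspended|closed|locked))\b",
    re.I,
)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

# Constructed sample portions of emails, in the style of the game's worms.
PHISHING_PORTION = (
    "From: HSBC Customer Service <alerts@hsbc-security.example>\n"
    "Subject: Action required on your account\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Dear Valued Customer,</p>\n"
    "<p>Unusual activity was detected. Please verify your details within 24 hours "
    "or your account will be suspended.</p>\n"
    '<p><a href="http://181.57.97.116/.www.hsbc.co.uk">http://www.hsbc.co.uk/login</a></p>\n'
)

LEGITIMATE_PORTION = (
    "From: HSBC <noreply@hsbc.co.uk>\n"
    "Subject: Your monthly statement is ready\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Dear Ms Example,</p>\n"
    "<p>Your statement for last month is now available in online banking.</p>\n"
    '<p><a href="https://www.hsbc.co.uk/">https://www.hsbc.co.uk/</a></p>\n'
)


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' when the text is not a URL at all."""
    return (urlsplit(url.strip()).hostname or "").lower()


def sender_domain(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) parsed from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def email_cues(raw: str) -> list[tuple[str, str]]:
    """Return (trap, evidence) pairs found in a portion of an email.

    Only the textual traps named in the paper are modelled, so an empty list
    means 'no cue found', not 'legitimate'.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    cues = []

    # Display name claims a known brand, but the address is not on that brand's domain.
    name, domain = sender_domain(msg.get("From", ""))
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and domain != legit and not domain.endswith("." + legit):
            cues.append(("mimicked email address", f"{name} <...@{domain}>"))
            break

    m = GENERIC_SALUTATION.search(body)
    if m:
        cues.append(("generic salutation", m.group(0)))

    m = URGENCY.search(body)
    if m:
        cues.append(("urgent request", m.group(0)))

    # Visible link text is itself a URL whose host differs from the real target.
    for href, text in ANCHOR.findall(body):
        shown = host_of(text)
        if shown and shown != host_of(href):
            cues.append(("fake link", f"{text.strip()} -> {href}"))
    return cues


def teacher_tips(raw: str) -> list[str]:
    """Tips the teacher fish would give for the cues found in this portion."""
    return [TIPS[trap] for trap, _ in email_cues(raw)]


if __name__ == "__main__":
    for trap, evidence in email_cues(PHISHING_PORTION):
        print(f"{trap}: {evidence}")
    print("legitimate sample cues:", email_cues(LEGITIMATE_PORTION))
```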
The proposed game design is presented in different levels: beginner, intermediate and advanced. When the user moves from the beginner to the advanced level, the complexity of the combination of URLs and emails is dramatically increased while the time period to complete the game is considerably decreased. Therefore, self-efficacy in preventing phishing attacks is addressed in the game design. Furthermore, a reference guide in the game design provides useful information on where the user can learn more about phishing attacks. The reference guide is linked to the education section of the Anti-Phishing Work Group website (APWG - http://education.apwg.org/). The overall game design is used to teach conceptual knowledge of phishing emails and URLs to home computer users to thwart phishing threats.
Figure 3. The small fish’s teacher provides tips: Click on the worm to “OPEN” the email.
Figure 4. The small fish’s teacher provides tips: If you think this is a portion of a phishing email, click “AVOID”. However, if you think this is a portion of a legitimate email, click “ACCEPT”.
Figure 5. The small fish is waiting to open the email.
Figure 6. Learning the concepts of phishing emails.
Figure 3 to Figure 6 annotations (images not available): “AVOID” button; “ACCEPT” button; Hook; Small fish; Teacher; Email icon; Worm; the teacher’s tips repeat the text of the Figure 3 and Figure 4 captions.
Figure 7. Different sections of a phishing email: mimicked email address, salutation, logo, urging message.
4. Conclusion
This research focused on designing a mobile game as an educational tool for home computer users to develop the conceptual knowledge behind phishing attacks. Previous research resulted in a mobile game to educate home computer users about phishing attacks, but it was aimed almost entirely at procedural knowledge. Conceptual knowledge helps users avoid phishing attacks more robustly, because users need to be taught to identify phishing concepts in order to avoid evolving threats on new platforms, such as social media. We believe that providing this type of education and training for home computer users could make a considerable contribution to enabling cyberspace to be a more secure environment.
5. References
[1] B. Schneier, “Semantic Attacks, The Third Wave of Network Attacks”, Crypto-Gram Newsletter, October 2000. Retrieved from http://www.schneier.com/crypto-gram-0010.html (accessed 02 April 2011).
[2] B. Y. Ng and M. A. Rahim, “A Socio-Behavioral Study of Home Computer Users' Intention to Practice Security”, The Ninth Pacific Asia Conference on Information Systems, Bangkok, Thailand, 2005.
[3] C. E. Drake, J. J. Oliver and E. J. Koontz, “Mail Frontier Anatomy of a Phishing Email”, February 2006. Retrieved from http://www.mailfrontier.com/docs/MF_Phish_Anatomy.pdf (accessed 03 April 2011).
[4] CNN.com, “A convicted hacker debunks some myths”, 2005, http://www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html (accessed 04 April 2011).
[5] H. Liang and Y. Xue, “Avoidance of Information Technology Threats: A Theoretical Perspective”, MIS Quarterly, vol. 33 (1), pp. 71-90, 2009.
[6] H. Liang and Y. Xue, “Understanding Security Behaviours in Personal Computer Usage: A Threat Avoidance Perspective”, Journal of the Association for Information Systems, vol. 11 (7), pp. 394-413, July 2010.
[7] J. O'Brien, T. Rodden, M. Rouncefield and J. Hughes, “At Home with the Technology: An Ethnographic Study of a Set-Top-Box Trial”, ACM Transactions on Computer-Human Interaction, vol. 6 (3), pp. 282-308, 1999.
[8] J. S. Downs, M. Holbrook and L. F. Cranor, “Behavioural response to phishing risk”, Proceedings of the Anti-Phishing Working Group's 2nd Annual eCrime Researchers Summit, pp. 37-44, October 2007, Pittsburgh, Pennsylvania, doi:10.1145/1299015.1299019 (accessed 25 March 2011).
[9] K. Ponnurangam, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. F. Cranor and J. Hong, “Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer”, APWG eCrime Researchers Summit, October 4-5, Pittsburgh, PA, USA, 2007.
[10] L. James, “Phishing Exposed”, Syngress, Canada, 2005.
[11] N. A. G. Arachchilage and M. Cole, “Design a mobile game for home computer users to prevent from “phishing attacks””, Information Society (i-Society), 2011 International Conference on, pp. 485-489, 27-29 June 2011, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5978543&isnumber=5978433 (accessed 22 December 2011).
[12] N. A. G. Arachchilage and M. Cole, “Designing a mobile game for home computer users to protect against “phishing attacks””, International Journal for e-Learning Security (IJeLS), Volume 1, Issue 1/2, March/June 2011.
[13] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong and E. Nunge, “Protecting people from phishing: the design and evaluation of an embedded training email system”, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, San Jose, California, USA, April - May 2007.
[14] P. Michael, The Magazine for the IT Professional, British Computer Society, The Chartered Institute for IT, March 2011.
[15] R. Dhamija and J. D. Tygar, “The battle against phishing: Dynamic Security Skins”, Proceedings of the 2005 Symposium on Usable Privacy and Security (SOUPS '05), Pittsburgh, Pennsylvania, July 06-08, 2005, vol. 93, ACM Press, New York, NY, pp. 77-88, http://doi.acm.org/10.1145/1073001.1073009 (accessed 20 March 2011).
[16] R. G. Brody, E. Mulig and V. Kimball, “Phishing, pharming and identity theft”, Journal of Academy of Accounting and Financial Studies, vol. 11, pp. 43-56, 2007.
[17] R. Richmond, “Hackers set up attacks on home PCs, Financial Firms: study”, September 2006. Retrieved from http://www.marketwatch.com/News/Story/Story.aspx?dist=newsfinder&siteid=google&guid=%7B92615073-95B6-452EA3B9569BEACF91E8%7D&keyword= (accessed 27 March 2011).
[18] S. A. Robila and J. W. Ragucci, “Don't be a phish: steps in user education”, Proceedings of the 11th Annual SIGCSE Conference on Innovation and Technology in Computer Science Education, 26-28 June 2006, Bologna, Italy, doi:10.1145/1140124.1140187 (accessed 29 March 2011).
[19] S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. F. Cranor, J. Hong and E. Nunge, “Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish”, Proceedings of the 3rd Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, July 2007.
[20] Y. Zhang, S. Egelman, L. Cranor and J. Hong, “Phinding Phish: Evaluating Anti-Phishing Tools”, Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS 2007), San Diego, CA, 28 February - 2 March, 2007.
[21] Z. Ye and S. Sean, “Trusted Paths for Browsers”, Proceedings of the 11th USENIX Security Symposium, USENIX Association, Berkeley, CA, USA, pp. 263-279, 2002.
[22] D. Parsons, H. Ryu and M. Cranshaw, “A Study of Design Requirements for Mobile Learning Environments”, Proceedings of the Sixth IEEE International Conference on Advanced Learning Technologies, pp. 96-100, 2006.
... Plant (1994) has stated that procedural knowledge is remarkably close to the idea of ''know how'' and the conceptual knowledge is ''know that''. Furthermore, he explained that such conceptual knowledge allows us to explain why, hence the distinction of ''know how'' and ''know why'' (Arachchilage, Love & Scott, 2012). Additionally, McCormick (1997) argued that the two ideas of conceptual and procedural knowledge are frequently seen as separate, with their relationship being ignored. ...
... Self-efficacy is influenced by procedural knowledge and conceptual knowledge. Therefore, user-centred security educational tools should consider the user SEF factor that will directly motivate them to perceive threat while working on cyber-space to avoid PA (Arachchilage, Love & Scott, 2012). According to authors in (Arachchilage, et al., 2017), it is essential to build threat perception in user so that they will motivate themselves to combat PA through their avoidance behaviour. ...
Article
Full-text available
Although acceptance of Internet Banking (IB) has improved among banking customers due to the suitability it offers, there are quite a few risks accompanying with its since it depends heavily towards the usage of Internet network, which has increased the chances of Phishing Attacks (PA). PA referred to as the most defiant of all information security threats and often perpetuated by conning user’s information systems to inadvertently disclose their personal information or by modifying or deleting sensitive information and maliciously destructing and destroying users’ resources Despite this huge enhancement, the ratio of usage has been relatively low, among IB users in Nigeria. This evidence indicates that there is an urgent requirement to investigate the factors behind the issue. Therefore, this study is conducted to develop a conceptual model based on Technology Threat Avoidance Theory (TTAT) to evaluate the PA among IB users in Nigeria and to enhance avoidance behaviour. This paper will present the initial investigation that leads to the development of the conceptual model. Researchers in this field can use the model in different populations and settings, and thus create an avenue in stopping the factors that contribute to the PA.
... El acrónimo phishing se define como un fraude informático (Samper & Bolaño, 2015) o un ataque fraudulento de ingeniería social y puede ser entendido observando una típica actividad de pesca (fishing), en donde un pescador ofrece un anzuelo a los pescados y espera a que ellos caigan en la trampa (Asanka et al., 2012). En el mundo cibernético, los pescadores siguen la misma estrategia; la diferencia en este caso, es que el anzuelo se convierte en sitio web falso con información sensitiva en la interfaz gráfica que demanda la información personal de las credenciales de autenticación del usuario que accede. ...
... Además de la interfaz gráfica, los ataques phishing intentan convencer a las personas para abrir un sitio falso desde espacios web gratuitos en internet y dominios personalizados (Asanka et al., 2012). Un ejemplo de estos dominios se suele presentar en la red social de Facebook. ...
Article
Full-text available
Una credencial de autenticación es una orden que autoriza el acceso a una red social, correo electrónico u otros sitios web que requieren información personal de un usuario registrado. El phishing (suplantación de identidad) es un ataque fraudulento desde sitios web engañosos a credenciales de autenticación. Algunos autores plantean enfoques basados en la detección y prevención de estos ataques phishing en redes sociales y correos electrónicos. Sin embargo, las cifras de estos ataques continúan incrementando, debido a que los usuarios siguen incurriendo en errores como la falta de conocimiento, el descuido visual y la falta de atención, que facilitan estos ataques. En este artículo se realiza un análisis de los riesgos y causas de ataques phishing a credenciales de autenticación en redes sociales y correos electrónicos. Además, se propone una técnica de protección para estas credenciales, mediante procedimientos de fácil recordación. Los procedimientos de la técnica se realizan para prevenir los riesgos a partir del conocimiento, atención y cuidado visual del usuario. Así también, se aplica la técnica a algunos usuarios.
... Education is a core component of the defence-in-depth model and in the instance of semantic attacks relates to areas where technical security mechanisms have proven to be inadequate. Interactive training maximises learning and awareness, such as bite-size quizzes, tests or games [26,145,146,147], which when applied periodically provide education on the characteristics of different attack types. A large proportion of research into awareness training has focused on the approach of content, the methodology of its delivery and how data gathered from testing and formal application can be used to shape security policy and user training programmes [148,149]. ...
... Furthermore, compliance guidelines are usually static in nature and therefore can quickly become out-of-date when new attack methods appear. User education and awareness training have been evaluated extensively and in practice have been shown to improve user responses to specific attack scenarios[225,146], but it is difficult to automate this process and even more difficult to measure its lasting effect. Moreover, training material tends to be limited to known exploitations and requires regular updates to include new attack vectors. ...
... For example, Arachchilage, et. al. [1] developed a game to teach players to recognize phishing URLs in which the player avatars are fish (using the pun on phishing), and they need to eat worms with URLs written on their sides. The worms with URLs corresponding to phishing attempts are poison, while the ones with standard URLs are food. ...
... This study has investigated and analysed knowledge transfer processes within online retailing in the UK and proposes practical improvements to the process of knowledge sharing to prevent ID theft within organisations. Various frameworks have been studied in the literature such as Arachchilage et al., (2012), Trkman and Desouza, (2012), Yan Li and Zetian Fu ,(2007), Amin and Hussain, (2010), WenJie Wang and Yufei Yuan (2006), Noor and Salim, (2012), and Salleh, (2010) (see Table 1). ...
Article
Full-text available
Information Security, Case Study Research. Abstract This research investigates knowledge transfer processes within online retail organisation to prevent identity theft. An analysis of the ways in which individuals and teams transfer identity theft prevention knowledge within the organisation is presented. A qualitative case study research approach using guiding framework proposed by Salleh (2010) was adopted and extended to improve identity theft prevention knowledge sharing processes in online retail organisations. Fourteen one-to-one semi-structured interviews were conducted. Internal documents from a leading online retailer in the UK were also analysed. Research shows that knowledge regarding identity theft prevention is not being shared and individuals are learning from their own experiences which is time consuming. Existing knowledge transfer barriers in the organisation were identified and improvements in knowledge sharing processes within the retail industry in the UK are proposed. Only one case study has been investigated and further case studies need to be conducted in different organisations and internationally and a cross-comparisons conducted. This study provides managers with useful information in developing appropriate training systems to educate staff on sharing institutional knowledge to prevent identity theft. This research provides new insights into identity theft prevention by extending an existing framework proposed by Salleh (2010) in terms of enhancing knowledge transfer process to prevent identity theft in the retail industry.
... As susceptibility to deception vectors triggers user exploitation, it is gener- ally agreed that semantic attack education is a core element of defense-in- depth against semantic attacks where technical mechanisms fail to prevent or proactively detect threats. As a result, research has explored interactive training through bitesize quizzes, test and games and attack simulations to maximise the effectiveness of learning ( [81,76,77]), some of which have empirically proven to reduce susceptibility to deception vectors and have been converted into popular commercial offerings, with examples including PhishGuru [35], Anti-Phishing Phil and Phyllis [36] and PhishMe's Simulator [37] applications. However, most commercial solutions for security awareness training focus almost exclusively on phishing emails and websites, which constitute only a small portion of dif- ferent semantic attacks possible deception vectors. ...
Chapter
Full-text available
Phishing, drive-by downloads, file and multimedia masquerading, domain typosquatting, malvertising and other semantic social engineering attacks aim to deceive the user rather than exploit a technical flaw to breach a system's security. We start with a chronological overview to illustrate the growing prevalence of such attacks from their early inception 30 years ago, and identify key milestones and indicative trends which have established them as primary weapons of choice for hackers, cyber-criminals and state actors today. To demonstrate the scale and widespread nature of the threat space, we identify over 35 individually recognised types of semantic attack, existing within and cross-contaminating between a vast range of different computer platforms and user interfaces. Their extreme diversity and the little to no technical traces they leave make them particularly difficult to protect against. Technical protection systems typically focus on a single attack type on a single platform type rather than the wider landscape of deception-based attacks. To address this issue, we discuss three high-level defense approaches for preemptive and proactive protection, including adopting the semantic attack killchain concept which simplifies targeted defense; principles for preemptive and proactive protection for passive threats; and platform based defense-in-depth lifecycle designed to harness technical and non-technical defense capabilities of platform providers and their user base. Here, the human-as-a-security-sensor paradigm can prove particularly useful by leveraging the collective natural ability of users themselves in detecting deception attempts against them.
... Besides the previously described work, in our research we use a game-based learning approach because previous work in the security field (Arachchilage and Love 2013) has successfully used this approach to educate users about the susceptibility to phishing attacks, to teach users to be less prone to these types of security vulnerabilities (Arachchilage et al. 2012, 2014, 2016). Thus, our main contribution to the field of fall-back authentication is to investigate whether or not the proposed serious game has the potential of improving users' memorability of stronger answers to security questions. ...
... However, we know to our cost, no-one has attempted to use serious games to improve the users' memorability of systems-generated answers for security questions. Thus, in our research, we attempt to use a gamified approach to improve users' memorability during fallback authentication because previous work in the security field [40] has successfully used this approach to educate users about the susceptibility to phishing attacks [41] with the aim of teaching users to be less prone to these types of security vulnerabilities [42]. Hence, this paper contributes to the field of fallback authentication by proposing a game design which uses long-term memory and memory retrieval skills [13] to improve the memorability of security answers based on a system-generated avatar profile. ...
Article
Full-text available
Fallback authentication is used to retrieve forgotten passwords. Security questions are one of the main techniques used to conduct fallback authentication. In this paper, we propose a serious game design that uses system-generated security questions with the aim of improving the usability of fallback authentication. For this purpose, we adopted the popular picture-based "4 Pics 1 word" mobile game. This game was selected because of its use of pictures and cues, which previous psychology research found to be crucial to aid memorability. This game asks users to pick the word that relates to the given pictures. We then customized this game by adding features which help maximize the following memory retrieval skills: (a) verbal cues - by providing hints with verbal descriptions, (b) spatial cues - by maintaining the same order of pictures, (c) graphical cues - by showing 4 images for each challenge, (d) interactivity/engaging nature of the game.
Article
Purpose – Lack of individual awareness of knowledge sharing practices to prevent identity theft is a significant issue for online retail organisations (OROs). Agile learning processes and sharing of knowledge is essential, but the lack of relevant training inhibits these processes within the online industry. This study aims to identify the inhibiting factors in agile learning and knowledge sharing process with recommendations for best practice for organisations and staff to effectively share knowledge on identity theft prevention. Design/methodology/approach – Three qualitative case studies were undertaken in OROs in the UK. Data were collected using semi-structured interviews, internal documents and related external material. The data were analysed using a thematic analysis method. Findings – The findings identified that individual staff members within OROs from the information security and fraud prevention departments often share their knowledge as a community. However, there is no formal knowledge sharing process or any related training facilitating this exchange. There is a need for an agile learning environment in OROs of the UK. Originality/value – The study offers both theoretical and practical contributions to the extant literature of agile learning of knowledge sharing to prevent identity theft in OROs. Existing learning opportunities are not being used to enhance the knowledge of individuals, and OROs need to increase the skills and trust of their staff to share knowledge efficiently. This study identifies the systemic weaknesses inherent in the process of knowledge sharing and existing training provision within OROs. It provides ORO managers with practical guidelines in facilitating trust between individuals and developing appropriate training systems to educate staff on sharing organisational knowledge. This study contributes by extending the knowledge sharing framework proposed by Chong et al. (2011) for enhanced individual knowledge sharing processes to prevent identity theft within OROs. It also identifies OROs’ weaknesses in knowledge sharing learning processes for theft prevention and offers prevention guidelines and recommendations for developing effective agile learning environments.
Article
Full-text available
Identity theft is the fastest growing crime in America, occurring when the criminal obtains confidential information from an individual or business and uses it to access private financial accounts. In today's world of information technology, many thieves prey on their victims via the Internet. The level of disclosure of personal information in many of today's information age transactions is what leaves so many individuals and businesses open to identity theft. Two of the most common ways that thieves acquire personal information to aid them in identity theft are phishing and pharming. Phishing utilizes bulk e-mail messages to entice recipients into revealing personal information. Pharmers, on the other hand, cast a wide net for the unwary. There is a huge potential reward for criminals who succeed in these malicious acts. In addition, now that organized crime has become involved, the money available to help thieves carry out the crimes is immense.
Article
Full-text available
There are currently dozens of freely available tools to combat phishing and other web-based scams, many of which are web browser extensions that warn users when they are browsing a suspected phishing site. We developed an automated test bed for testing anti-phishing tools. We used 200 verified phishing URLs from two sources and 516 legitimate URLs to test the effectiveness of 10 popular anti-phishing tools. Only one tool was able to consistently identify more than 90% of phishing URLs correctly; however, it also incorrectly identified 42% of legitimate URLs as phish. The performance of the other tools varied considerably depending on the source of the phishing URLs. Of these remaining tools, only one correctly identified over 60% of phishing URLs from both sources. Performance also changed significantly depending on the freshness of the phishing URLs tested. Thus we demonstrate that the source of phishing URLs and the freshness of the URLs tested can significantly impact the results of anti-phishing tool testing. We also demonstrate that many of the tools we tested were vulnerable to simple exploits. In this paper we describe our anti-phishing tool test bed, summarize our findings, and offer observations about the effectiveness of these tools as well as ways they might be improved.
Conference Paper
Full-text available
This paper proposes a conceptual framework for mobile learning applications that provides systematic support for mobile learning experience design. It is based on a combination of a game metaphor and several studies of mobile learning contexts. An account of the Ambient Wood project is used to explore the relationship between the framework and mobile learning design requirements in practice.
Conference Paper
Full-text available
Phishing attacks, in which criminals lure Internet users to websites that impersonate legitimate sites, are occurring with increasing frequency and are causing considerable harm to victims. In this paper we describe the design and evaluation of an embedded training email system that teaches people about phishing during their normal use of email. We conducted lab experiments contrasting the effectiveness of standard security notices about phishing with two embedded training designs we developed. We found that embedded training works better than the current practice of sending security notices. We also derived sound design principles for embedded training systems.
Conference Paper
Full-text available
Educational materials designed to teach users not to fall for phishing attacks are widely available but are often ignored by users. In this paper, we extend an embedded training methodology using learning science principles in which phishing education is made part of a primary task for users. The goal is to motivate users to pay attention to the training materials. In embedded training, users are sent simulated phishing attacks and trained after they fall for the attacks. Prior studies tested users immediately after training and demonstrated that embedded training improved users' ability to identify phishing emails and websites. In the present study, we tested users to determine how well they retained knowledge gained through embedded training and how well they transferred this knowledge to identify other types of phishing emails. We also compared the effectiveness of the same training materials delivered via embedded training and delivered as regular email messages. In our experiments, we found that: (a) users learn more effectively when the training materials are presented after users fall for the attack (embedded) than when the same training materials are sent by email (non-embedded); (b) users retain and transfer more knowledge after embedded training than after non-embedded training; and (c) users with higher Cognitive Reflection Test (CRT) scores are more likely than users with lower CRT scores to click on the links in the phishing emails from companies with which they have no account.
Conference Paper
Full-text available
In this paper we describe the design and evaluation of Anti- Phishing Phil, an online game that teaches users good habits to help them avoid phishing attacks. We used learning science principles to design and iteratively refine the game. We evaluated the game through a user study: participants were tested on their ability to identify fraudulent web sites before and after spending 15 minutes engaged in one of three anti-phishing training activities (playing the game, reading an anti-phishing tutorial we created based on the game, or reading existing online training materials). We found that the participants who played the game were better able to identify fraudulent web sites compared to the participants in other conditions. We attribute these effects to both the content of the training messages presented in the game as well as the presentation of these materials in an interactive game format. Our results confirm that games can be an effective way of educating people about phishing and other security attacks.
Conference Paper
Full-text available
Phishing, e-mails sent out by hackers to lure unsuspecting victims into giving up confidential information, has been the cause of countless security breaches and has experienced in the last year an increase in frequency and diversity. While regular phishing attacks are easily thwarted, designing the attack to include user context information could potentially increase the user's vulnerability. To prevent this, phishing education needs to be considered. In this paper we provide an overview of phishing education, focusing on context aware attacks and introduce a new strategy for educating users by combining phishing IQ tests and class discussions. The technique encompasses displaying both legitimate and fraudulent e-mails to users and having them identify the phishing attempts from the authentic e-mails. Proper implementation of this system helps teach users what to look for in e-mails, and how to protect their confidential information from being caught in the nets of phishers. The strategy was applied in Introduction to Computing courses as part of the computer security component. Class assessment indicates an increased level of awareness and better recognition of attacks.
Conference Paper
Home computer users play a crucial role in securing the cyberspace, but the protection of home computers is left to the initiative of the users. In this study, we focus on the socio-behavioral perspective, as the behavior of home computer users on security issues is one of the most important factors in securing the cyberspace. The decomposed Theory of Planned Behavior is adapted to investigate the factors that influence a user's intention to practice home computer security. A survey instrument was developed and administered to 233 home computer users. The findings revealed that attitude and subjective norm determined intention to practice computer security, and perceived usefulness, family and peer influence, mass media influence and self-efficacy are important factors that influence a home computer user's intention to practice computer security. Findings also provide an impetus for researchers to conduct future studies in this domain.
Conference Paper
Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox browser that implements this scheme. We present two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.