Preprint

Malicious User Experience Design Research for Cybersecurity


Abstract

This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approach

Conference Paper
Deceptive techniques played a prominent role in many human conflicts throughout history. Digital conflicts are no different as the use of deception has found its way to computing since at least the 1980s. However, many computer defenses that use deception were ad-hoc attempts to incorporate deceptive elements. In this paper, we present a model that can be used to plan and integrate deception in computer security defenses. We present an overview of fundamental reasons why deception works and the essential principles involved in using such techniques. We investigate the unique advantages deception-based mechanisms bring to traditional computer security defenses. Furthermore, we show how our model can be used to incorporate deception in many parts of computer systems and discuss how we can use such techniques effectively. A successful deception should present plausible alternative(s) to the truth and these should be designed to exploit specific adversaries' biases. We investigate these biases and discuss how they can be used by presenting a number of examples.
Article
Aims: Video games provide opportunities for positive psychological experiences such as flow-like phenomena during play and general happiness that could be associated with gaming achievements. However, research has shown that specific features of game play may be associated with problematic behaviour associated with addiction-like experiences. The study was aimed at analysing whether certain structural characteristics of video games, flow, and global happiness could be predictive of video game addiction. Method: A total of 110 video game players were surveyed about a game they had recently played by using a 24-item checklist of structural characteristics, an adapted Flow State Scale, the Oxford Happiness Questionnaire, and the Game Addiction Scale. Results: The study revealed decreases in general happiness had the strongest role in predicting increases in gaming addiction. One of the nine factors of the flow experience was a significant predictor of gaming addiction - perceptions of time being altered during play. The structural characteristic that significantly predicted addiction was its social element with increased sociability being associated with higher levels of addictive-like experiences. Overall, the structural characteristics of video games, elements of the flow experience, and general happiness accounted for 49.2% of the total variance in Game Addiction Scale levels. Conclusions: Implications for interventions are discussed, particularly with regard to making players more aware of time passing and in capitalising on benefits of social features of video game play to guard against addictive-like tendencies among video game players.
Article
Start with talent and skills driven by curiosity and hormones, constrained only by moral values and judgment.
Article
This paper reviews the literature on the motivations that encourage hacking, from the perspective of both informal observation and formal psychological theories. Both Ajzen's Theory of Planned Behaviour and Beveren's lesser known Flow Theory model are examined in detail, and when jointly applied to the domain of computer hacking are found to explain many of the observed characteristics of early hacker activity. It is shown that flow theory provides a rationale for the development of hackers from new entrants to skilled hackers, and potentially on to cyber criminals. The Beveren model of hacker development is expanded to incorporate additional cyber actors existing in the cybercrime and information warfare fields. The implications of this model are discussed, and using results from the Theory of Planned Behaviour a number of significant control variables are identified. Police strategies for addressing cyber crime, and hacking in particular, are considered and a comprehensive approach to proactively reducing the proclivity of teenagers to start hacking is proposed, as an important early step in addressing the more serious issue of computer crime.
Article
The aim of this study was to develop and validate a scale to measure computer and videogame addiction. Inspired by earlier theories and research on game addiction, we created 21 items to measure seven underlying criteria (i.e., salience, tolerance, mood modification, relapse, withdrawal, conflict, and problems). The dimensional structure of the scale was investigated in two independent samples of adolescent gamers (N = 352 and N = 369). In both samples, a second-order factor model described our data best. The 21-item scale, as well as a shortened 7-item version, showed high reliabilities. Furthermore, both versions showed good concurrent validity across samples, as indicated by the consistent correlations with usage, loneliness, life satisfaction, social competence, and aggression.
Article
This article analyzes the possible models for regulating the use of Internet-based virtual worlds by minors. While virtual worlds introduce a unique experience to their users, there is a strong indication that such use, if left unregulated, may cause harm, especially to minors. This article explains that the dangers associated with virtual worlds are different from those created by other types of media. The various phenomena which may be caused due to the use of virtual worlds and the damages likely to be caused by such phenomena, rest on two assumptions: that minors are especially prone to suffer from such dangers, since the exposure of minors to the experiences offered by virtual worlds is not mitigated by factors such as a more developed sense of reality and responsibility, and, that in the use of virtual worlds there is a greater potential to induce such harms when compared to the use of video games or other Internet applications. The methodology underlying this article is based on a comparative-critical review of the existing literature in the fields relevant to this interdisciplinary realm: technology, psychology, philosophy and law. This article concludes that non-legal regulation is insufficient and puts forth several suggestions for legal regulation. The proposed regulation is based on four principles: Awareness – forcing virtual worlds companies to issue a warning of the possible damages similar to the warnings printed on cigarettes packs; Prevention – operating technological measures to identify minor users and tracking their use length; Help – establishing help centers and posting distress buttons in the virtual world; and Liability – imposing tort liability on virtual worlds companies that fail to implement the proposed changes.
Article
The activity of play has been ever present in human history and the Internet has emerged as a playground increasingly populated by gamers. Research suggests that a minority of Internet game players experience symptoms traditionally associated with substance-related addictions, including mood modification, tolerance and salience. Because the current scientific knowledge of Internet gaming addiction is copious in scope and appears relatively complex, this literature review attempts to reduce this confusion by providing an innovative framework by which all the studies to date can be categorized. A total of 58 empirical studies were included in this literature review. Using the current empirical knowledge, it is argued that Internet gaming addiction follows a continuum, with antecedents in etiology and risk factors, through to the development of a “full-blown” addiction, followed by ramifications in terms of negative consequences and potential treatment. The results are evaluated in light of the emergent discrepancies in findings, and the consequent implications for future research. Keywords: Internet gaming addiction, Video games, Excessive play, Etiology, Pathology, Consequences
Article
User satisfaction in computer games seems to be influenced by game balance, the level of challenge faced by the user. This work presents an evaluation, performed by human players, of dynamic game balancing approaches. The results indicate that adaptive approaches are more effective. This paper also enumerates some issues encountered in evaluating users' satisfaction, in the context of games, and depicts some learned lessons.
Conference Paper
The benefits of collaborating across disciplines, such as social sciences, applied statistics and computer science, primarily affect the security arena regarding the fields of open source intelligence, information warfare, and strategic studies of security. Computer science and psychology are becoming more and more involved with the advancements in big data analytics. Contemporary studies in this intersection show that personality traits such as neuroticism, extroversion, openness, agreeableness, and conscientiousness can be predicted through sensors, logs, and active user behaviors. In the security systems, it is now a need for psychoanalysis to become more proactive, as it plays an important role in the understanding of a cyber threat. The research question that leads the suggestions in this paper is, "How much can be learned from logs, honeypots and collected security-related data about a hacker's psychology, personality, and sophistication?" Hackers' traits have been investigated in the following dimensions: persistence, skill, greed, motivation, confidence, and stealth. Honeypots have been designed to create a passive trap for the adversaries. This unlocks and reveals actionable information about the adversaries regarding their identities, locations, types of attacks they choose to use, and their motivations. When a standard, private honeypot server is online, it will fill out its logs with many attacks from botnets and other automated malicious activities within a short time. In this mass production of logs and activities, the quantity within the collection of useful information becomes unfeasible to have gathered without such a program. So far, honeypots have been categorized according to their interaction levels and service types. 
A low-interaction honeypot emulates a few steps and replies of the vulnerable network protocol, and the network stack is imitated while a high-interaction honeypot provides a full experience of the service for which it is designed. The amount of transferred data, number of failed logins, CPU and memory usage, and the search sophistication levels are the characteristics which can be derived from a honeypot. This work-in-progress study will detail the specifications of a special type of honeypot that is designed to capture the aforementioned characteristics and sophistication of a hacker.
Conference Paper
The central premise behind risk homeostasis theory is that humans adapt their behaviors, based on external factors, to align with a personal risk tolerance level. In essence, this means that the safer or more secure they feel, the more likely it is that they will behave in a risky manner. If this effect exists, it serves to restrict the ability of risk mitigation techniques to effect improvements. The concept is hotly debated in the safety area. Some authors agree that the effect exists, but also point out that it is poorly understood and unreliably predicted. Other researchers consider the entire concept fallacious. It is important to gain clarity about whether the effect exists, and to gauge its impact if such evidence can indeed be found. In this paper we consider risk homeostasis in the context of information security. Similar to the safety area, information security could well be impaired if a risk homeostasis effect neutralizes the potential benefits of risk mitigation measures. If the risk homeostasis effect does indeed exist and does impact risk-related behaviors, people will simply elevate risky behaviors in response to feeling less vulnerable due to following security procedures and using protective technologies. Here we discuss, in particular, the challenges we face in confirming the existence and impact of the risk homeostasis effect in information security, especially in an era of ethical research practice.
Article
Although much has been written on the topic of hacker motivations, little empirical research has been conducted and even less research has attempted to quantify hackers' motivations. The present study analyses relationships between the frequency of several hacking behaviours and motivations to hack in a sample of male hackers and potential hackers. Motivations frequently recurring in the literature are assessed and Schwartz's (1992) Theory of Motivational Types of Values is applied. A preference for self-transcendence and openness to change values was found in the whole sample. Intellectual challenge and curiosity were rated as the most important motivators to circumvent security systems. However, correlation analyses signified the importance of aversion of conservation values. Hackers appear to be more motivated by what they dislike rather than by what they value. Future studies are needed to further examine the discrepancy between hackers' ranking of motivations and the relationship between motivations and hacking behaviours.
Article
This is the first comprehensive history of human-computer interaction (HCI). Whether you are a user-experience professional or an academic researcher, whether you identify with computer science, human factors, information systems, information science, design, or communication, you can discover how your experiences fit into the expanding field of HCI. You can determine where to look for relevant information in other fields—and where you won't find it. This book describes the different fields that have participated in improving our digital tools. It is organized chronologically, describing major developments across fields in each period. Computer use has changed radically, but many underlying forces are constant. Technology has changed rapidly, human nature very little. An irresistible force meets an immovable object. The exponential rate of technological change gives us little time to react before technology moves on. Patterns and trajectories described in this book provide your best chance to antici...
Conference Paper
Attack/Defend computer security contests require participants to leverage knowledge obtained from a variety of courses across a computer science curriculum, providing undergraduates with a novel and exciting opportunity to challenge both themselves and their peers. However, there are limited opportunities to participate in such contests and none of them is well suited for novices in computer security. This paper describes the design of an Attack/Defend security contest that is geared towards undergraduates who have little exposure to computer security and require a more gentle introduction. We provide implementation details of the framework that supports this contest and offer lessons learned over the past three years in growing our contest into an intercollegiate event that is deployed on a cloud infrastructure to support multiple, concurrently operating contest sites which span three timezones.
Article
Malicious hackers profit from the division of labour among highly skilled associates. However, duplicity and betrayal form an intrinsic part of their daily operations. This article examines how a community of hackers uses an automated reputation system to enhance trust among its members. We analyse 449,478 feedbacks collected over 27 months that rate the trustworthiness of 29,985 individuals belonging to the largest computer hacking forum. Only a tiny fraction of the forum membership (2.4%) participates in the vast majority (75%) of ‘trust exchanges’, limiting its utility. We observe a reporting bias where the propensity to report positive outcomes is 2.81 times greater among beginner hackers than among forum administrators. Reputation systems do not protect against trust decay caused here by the rapid expansion of the community. Finally, a qualitative analysis of 25,000 randomly selected feedbacks indicates that a diverse set of behaviours, skills and attitudes trigger assessments of trustworthiness.
Article
The current classification systems for video games are first attempts at protecting children from the real or imaginary influence of potentially harmful contents. These systems, however, are based on questionable principles, for two reasons. First, analyzing the Pan European Game Information (PEGI) and the Entertainment Software Rating Board (ESRB) from a pedagogical point of view, one cannot but notice that they are inherently flawed by contradictions and confusion of different perspectives. Second, these contradictions increase the difficulty for parents who buy video games to understand the rating. This is a considerable drawback, as parents and child caregivers should be the primary targets of such rating systems. This article offers a critical examination of the European PEGI and the North American ESRB rating systems, and, starting from this analysis, suggests improvements that could make video game rating systems more appropriate in terms of their function as parental guidance.
Article
Issues concerning computer security have received considerable academic attention in recent years and cyber security has become a top priority for many governments, organizations, and industries. Unfortunately, the attention devoted to cyber crime issues has focused primarily on the technical dimension of computer crime. Today, our knowledge about the persons behind the keyboards remains fragmentary. The current study focuses on one particular subgroup of cyber criminals, the illicit computer hackers. In particular, two personality characteristics commonly ascribed to hackers, strong preference for rational decision-making processes and pronounced risk propensity, are examined and their influence on hacking activities and success is assessed. An abbreviated yet reliable scale to quantify these personality traits in future studies demonstrates the significant relevance both constructs have for predicting hacking-related outcomes. Implications, limitations, and suggestions for future studies are provided.
Article
Immersion and appeal are considered to be necessary constituents of the player experience. In this article their relationship is examined through a 2×2 factorial study (n=173) in the context of two games, a first-person shooter and a massively multi-player online role-playing game, and in the context of two types of players: experienced players who have never played the game in one of the genres in question, and experienced players who have played one of the games in question. It is found that immersion and appeal are linearly correlated, and the repercussions of this finding are discussed.
Article
Hacking is a widespread international phenomenon, and hackers' actions occasionally reach the media headlines. This study was designed to explore hackers' accounts. Understanding the concept of accounts is important in itself because it enables us to comprehend how people view themselves within their cultural context. The research was based on unstructured, in-depth, face-to-face interviews with 54 Israeli hackers who were asked to tell their life stories. The interviewees were located by a snowball or chain referral sampling strategy. This study found that hacking in general, and penetrating computer systems or software in particular, constitutes a new form of entertainment for hackers. Thus, as it is based on the play-like quality that characterizes the use of digital technology, hacking often constitutes a new form of social activity.
Chapter
What constitutes a good life? Few questions are of more fundamental importance to a positive psychology. Flow research has yielded one answer, providing an understanding of experiences during which individuals are fully involved in the present moment. Viewed through the experiential lens of flow, a good life is one that is characterized by complete absorption in what one does. In this chapter, we describe the flow model of optimal experience and optimal development, explain how flow and related constructs have been measured, discuss recent work in this area, and identify some promising directions for future research. © 2014 Springer Science+Business Media Dordrecht. All rights reserved.
Article
Honeypots have been studied in the network domain for detection and information collection against external threats in the past few years. They lure a potential attacker by simulating resources having vulnerabilities and observing the behavior of a potential attacker to identify him before a damaging attack takes place. A lot of work has been done in the area of privacy and security in databases. Though the number of attacks and complexity for database attacks are increasing day by day, there has been no attempt to design honeypots for privacy enforcing databases. The use of honeypots for databases would help in confirming the suspicion (malafide intention) of a suspicious user without leaking the target information (information which would fulfill the malafide intention) to the attacker. We propose a framework for database honeypots for certain types of attacks in privacy context. The proposed honeypots for databases are termed as Context honeypots.
Article
Although player enjoyment is central to computer games, there is currently no accepted model of player enjoyment in games. There are many heuristics in the literature, based on elements such as the game interface, mechanics, gameplay, and narrative. However, there is a need to integrate these heuristics into a validated model that can be used to design, evaluate, and understand enjoyment in games. We have drawn together the various heuristics into a concise model of enjoyment in games that is structured by flow. Flow, a widely accepted model of enjoyment, includes eight elements that, we found, encompass the various heuristics from the literature. Our new model, GameFlow, consists of eight elements -- concentration, challenge, skills, control, clear goals, feedback, immersion, and social interaction. Each element includes a set of criteria for achieving enjoyment in games. An initial investigation and validation of the GameFlow model was carried out by conducting expert reviews of two real-time strategy games, one high-rating and one low-rating, using the GameFlow criteria. The result was a deeper understanding of enjoyment in real-time strategy games and the identification of the strengths and weaknesses of the GameFlow model as an evaluation tool. The GameFlow criteria were able to successfully distinguish between the high-rated and low-rated games and identify why one succeeded and the other failed. We concluded that the GameFlow model can be used in its current form to review games; further work will provide tools for designing and evaluating enjoyment in games.
Article
This study presents results of a survey of self-proclaimed computer hackers about their perceptions in regards to illegal hacking. Results show that hackers continue to engage in illegal hacking activities despite the perception of severe judicial punishment. A closer look shows that hackers perceive a high utility value from hacking, little informal sanctions, and a low likelihood of punishment. These perceptions coupled with a high level of moral disengagement partially explain the hacker's illegal behavior.
Article
The concept of context honeypot for privacy violation, based on relational databases, was introduced (S.K. Gupta, Damor, Goyal, A. Gupta, & Sabharwal, 2008). Its aim is to confirm or reject the suspicion cast on a user through external stimuli. Its various characteristics such as luring, opaqueness and confirmation of suspicion have not yet been explored. Here, we focus on one of its important characteristics, opaqueness; that is, it should remain invisible to attackers. This paper discusses ways to quantify effectiveness of a context honeypot system in upholding its opaqueness property to suspected attacker. We conducted an experiment by generating a context honeypot system with known suspected attackers and then quantified its effectiveness through the proposed methods. The results obtained validate the methods proposed by us as an effective tool to quantify the effectiveness of the context honeypot in maintaining its opaqueness property.
Article
This study examined the associations among thinking style (rational versus experiential), gambling related cognitions, and problem gambling severity. The participants were 70 female and 41 male regular gamblers who completed the Gambling Related Cognitions Scale (Raylu and Oei, Addiction 99:757-769, 2004), the Rational-Experiential Inventory (Pacini and Epstein, J Pers Soc Psychol 76(6):972-987, 1999), and the Problem Gambling Severity Index (Ferris and Wynne, The Canadian problem and gambling index: final report. Canadian Centre on Substance Abuse, Ottawa, 2001). Rational thinking was negatively related to problem gambling severity. Gambling related biases increased with problem gambling severity but the strength of those biases was dampened by rational thought. The patterns by which gambling related cognition mediated the association between thinking style and gambling severity suggest that therapeutic interventions may benefit from a consideration of a gambler's thinking style.
Article
Recent theoretical and empirical work in cognitive science and neuroscience is brought into contact with the concept of the flow experience. After a brief exposition of brain function, the explicit-implicit distinction is applied to the effortless information processing that is so characteristic of the flow state. The explicit system is associated with the higher cognitive functions of the frontal lobe and medial temporal lobe structures and has evolved to increase cognitive flexibility. In contrast, the implicit system is associated with the skill-based knowledge supported primarily by the basal ganglia and has the advantage of being more efficient. From the analysis of this flexibility/efficiency trade-off emerges a thesis that identifies the flow state as a period during which a highly practiced skill that is represented in the implicit system's knowledge base is implemented without interference from the explicit system. It is proposed that a necessary prerequisite to the experience of flow is a state of transient hypofrontality that enables the temporary suppression of the analytical and meta-conscious capacities of the explicit system. Examining sensory-motor integration skills that seem to typify flow such as athletic performance, writing, and free-jazz improvisation, the new framework clarifies how this concept relates to creativity and opens new avenues of research.
L. Nacke and A. Drachen, "Towards a Framework of Player Experience Research," Proc. Second Int. Work. Eval. Play. Exp. Games FDG 2011, Bordeaux, Fr., 2011.
K. F. Steinmetz, A Badge of Honor and a Scarlet Letter: An Ethnographic Study of Hacker Culture. Huntsville, TX: Sam Houston State University, 2014.
P. Chapman, J. Burket, and D. Brumley, "PicoCTF: A Game-Based Computer Security Competition for High School Students," in 3GSE, 2014.
R. Dela Paz, "The Market for Vulnerabilities: How Hackers Profit," Exploits, 2011. [Online]. Available: https://blog.trendmicro.com/trendlabs-securityintelligence/the-market-for-vulnerabilities-how-hackersprofit/.
S. K. Gupta, R. G. S. Damor, A. Gupta, and V. Goyal, "Luring: A framework to induce a suspected user into context honeypot," Proc. 2nd Int. Annu. Work. Digit. Forensics Incid. Anal. WDFIA 2007, pp. 55-64, 2007.
B. Blakely, "Cloud Identity Summit - Keynote Speech," Cloud Identity Summit, 2015. [Online]. Available: www.youtube.com/watch?v=ApKCZ-f1wbA. [Accessed: 18-Jun-2018].
R. Gallagher, "Where Do the Phishers Live? Collecting Phishers' Geographic Locations from Automated Honeypots," Schmoocon, 2016. [Online]. Available: https://archive.org/details/Where_Do_The_Phishers_Live.
T. Hsu, "Video Game Addiction Tries to Move From Basement to Doctor's Office," New York Times, New York, p. B1, 17-Jun-2018.
I. Reyes et al., "'Is Our Children's Apps Learning?' Automatically Detecting COPPA Violations," in Workshop on Technology and Consumer Protection (ConPro 2017), 2017.