Chapter

PERSUADED: Fighting Social Engineering Attacks with a Serious Game

Chapter
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem using and enhancing an existing online serious game to train employees to use defence mechanisms of social psychology. The game has shown promising tendencies towards raising awareness for social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow the adaptation to the player's context as well as the integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.
... Another game called PERSUADED specifically trains people to withstand social engineering attacks [1]. The game works as follows. ...
... PROTECT is based on the game concept of PERSUADED [1]. In this paper, Aladawy et al. discuss design goals and game concepts for a serious card game for the sensitization of people against social engineering attacks. ...
... Because the deck of cards is always shuffled before a game starts, each game is different from the previous game(s) (cf. [1], chap. 3, p. 5). ...
Conference Paper
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem using and enhancing an existing online serious game to train employees to use defence mechanisms of social psychology. The game has shown promising tendencies towards raising awareness for social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow the adaptation to the player's context as well as the integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.
... Description: PERSUADED (Aladawy et al., 2018) is a computer game that allows players to learn the effectiveness of defence controls against the most common social engineering attacks. Game Mechanics: it is based on a single-player game like patience and solitaire, where the player can decide to play a card in their hand or draw another card from the deck. ...
... PERSUADED Game: Four Types of Cards (Aladawy et al., 2018). ...
Thesis
Cyber attacks have been increasing, and there have been many media reports of attacks against large and small organisations, causing financial loss and reputational damage. Organisations invest in professional training courses for their employees to raise awareness of cyber attacks and related defences. However, traditional approaches have failed to effectively educate employees, as testified by the increasing number of successful cyber attacks exploiting human factors. Serious games are an effective alternative tool to educate and train people on cyber security concepts. There is consensus on the benefits and potential of creating serious games and gamification techniques, which apply game mechanics to non-gaming activities, such as training, to make the exercise more engaging. Many serious games have been created without a transparent and formal design process. There are currently several pedagogical models, frameworks, and methodologies for designing and analysing serious games that provide valuable interpretations. None of the models is designed specifically for serious cyber games, and these models focus primarily on high-level aspects and requirements. Many design models fail to address higher-order thinking skills and do not consider the target players' different needs. They do not help understand how such high-level requirements can be concretely satisfied, nor do they provide a detailed explanation of how to design a serious game in a step-by-step process. This thesis proposes a new pedagogical model called MOTENS to design serious cyber games for awareness and education. The MOTENS model was developed from the experience of creating Riskio, a multiplayer tabletop game to increase cyber security awareness for people with a technical and non-technical background working in organisations and university students. A new serious game called CIST, a serious single-player online game for the hardware security supply chain, was designed using the MOTENS model.
The CIST game was then tested to verify that the game mechanics design selected using the MOTENS model achieved the desired learning outcomes. The CIST game was played and evaluated in a workshop on hardware security threats and defences for MSc/PhD students. Some issues reported by the students were identified as failures of the CIST game design and not of the MOTENS model. As with the Riskio game, the CIST game proved popular with the target players and increased players' participation in learning. Further research is required to develop the MOTENS model by creating and designing/evaluating different types of serious cyber games.
... Sect. A.7) and its predecessor Persuaded [7] (cf. Sect. ...
... The serious game PROTECT [72] builds on its predecessor Persuaded [7], thus both games share the same gaming principle. Players draw cards in a patience-like manner from a pile and, besides special cards, the pile contains attacks and defenses. ...
Thesis
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements, before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees’ awareness and to train them. Security Management: Specific requirements for small and medium sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider – the currently most popular form of outsourcing – is provided. Privacy Enhancing Technologies: Relevant factors for the users’ adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
... Since security policies are documents often unread by the users, the serious game PROTECT was developed to train users in behaving according to the organization's security policies [21]. PROTECT is the further development of PERSUADED [2] with the improvement of making the game more configurable and an improved graphical user interface as shown in Fig. 3a. Both games are digital card games where players have to defend against attacks with the correct defenses in a solitaire-like game type. ...
Chapter
Serious games seem to be a good alternative to traditional training since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: the serious games should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of the serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness: on the one hand, because it is hard to measure security and privacy awareness; on the other hand, because both of these topics are currently often in the mainstream media, which requires making sure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games, the raised challenges are discussed and partially existing solutions are presented.
... An effort to improve awareness of SEA through persuasive training: [19] used a game designed to provide knowledge on the social psychology theory of resistance to persuasion. This is to improve SEA awareness in a friendly manner in the general populace. ...
Article
Full-text available
Purpose: The E-Government system emerged as a novel public service provision platform that enables governance in an efficient and transparent manner globally. However, despite the success recorded so far by the increase in the use of information and communication technology (ICT) and E-government for public service provision, the social engineering attack (SEA) is one of the challenging information security attacks that prove difficult to tackle. This is because the attackers leverage people's weakness to exploit the system instead of technical vulnerabilities. Design/Methodology/Approach: This paper uses PESTLE (political, economic, social, technology, legal and environment) analysis to critically evaluate the external factors affecting SEAs in the E-government system. Findings/Result: The study identified phishing, baiting, pretexting, quid pro quo, honey trap, tailgating, and pharming as the major SEA techniques used to exploit E-government systems. Furthermore, the author suggests a training and awareness programme as the most effective way to detect as well as prevent SEA in the E-government system. Users should be aware of language with terms requesting an urgent response, as well as unusual or unexpected situations in suspicious messages or attachments, as factors to detect SEA. Technical controls using natural language processing (NLP), security policies, multifactor authentication (MFA) as well as secured preservation of confidential information from suspicious users are some of the SEA preventive measures. Originality/Value: A flexible and efficient interaction among citizens, businesses and government organizations is a critical factor for a successful E-Government system. SEA is one of the major challenges affecting communications in the E-government system that requires attention. In conclusion, studies toward a technological approach for the solution of SEA in E-government are recommended. Paper Type: Conceptual Research.
Chapter
Social engineering attacks are phenomena that are equally applicable to both the physical world and cyberspace. These attacks in the physical world have been studied for a much longer time than their counterpart in cyberspace. This motivates us to investigate how social engineering attacks in the physical world and cyberspace relate to each other, including their common characteristics and unique features. For this purpose, we propose a methodology to unify social engineering attacks and defenses in the physical world and cyberspace into a single framework, including: (i) a systematic model based on psychological principles for describing these attacks, (ii) a systematization of these attacks, and (iii) a systematization of defenses against them. Our study leads to several insights, which shed light on the future research directions toward adequately defending against social engineering attacks in cyberspace.
Chapter
Game-based learning is a promising approach to anti-phishing education, as it fosters motivation and can help reduce the perceived difficulty of the educational material. Over the years, several prototypes for game-based applications have been proposed, that follow different approaches in content selection, presentation, and game mechanics. In this paper, a literature and product review of existing learning games is presented. Based on research papers and accessible applications, an in-depth analysis was conducted, encompassing target groups, educational contexts, learning goals based on Bloom’s Revised Taxonomy, and learning content. As a result of this review, we created the publications on games (POG) data set for the domain of anti-phishing education. While there are games that can convey factual and conceptual knowledge, we find that most games are either unavailable, fail to convey procedural knowledge or lack technical depth. Thus, we identify potential areas of improvement for games suitable for end-users in informal learning contexts.
Article
Smart Cities evolve into complex and pervasive urban environments with a citizens’ mandate to meet sustainable development goals. Repositioning democratic values of citizens’ choices in these complex ecosystems has turned out to be imperative in an era of social media filter bubbles, fake news and opportunities for manipulating electoral results with such means. This paper introduces a new paradigm of augmented democracy that promises actively engaging citizens in a more informed decision-making augmented into public urban space. The proposed concept is inspired by a digital revive of the Ancient Agora of Athens, an arena of public discourse, a Polis where citizens assemble to actively deliberate and collectively decide about public matters. The core contribution of the proposed paradigm is the concept of proving witness presence: making decision-making subject of providing secure evidence and testifying for choices made in the physical space. This paper shows how the challenge of proving witness presence can be tackled with blockchain consensus to empower citizens’ trust and overcome security vulnerabilities of GPS localization. Moreover, a novel platform for collective decision-making and crowd-sensing in urban space is introduced: Smart Agora. It is shown how real-time collective measurements over citizens’ choices can be made in a fully decentralized and privacy-preserving way. Witness presence is tested by deploying a decentralized system for crowd-sensing the sustainable use of transport means. Furthermore, witness presence of cycling risk is validated using official accident data from public authorities compared against wisdom of the crowd. The paramount role of dynamic consensus, self-governance and ethically aligned artificial intelligence in the augmented democracy paradigm is outlined.
Conference Paper
Full-text available
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually regarded in penetration tests, such systems remain highly vulnerable to attacks from social engineers that exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people to teach them how these attacks work and how to detect them. We propose a serious game that helps players to understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people in realising social engineering attacks in an entertaining way, which shall cause a lasting learning effect.
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of individual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Article
Full-text available
Information technology has dramatically increased online business opportunities; however these opportunities have also created serious risks in relation to information security. Previously, information security issues were studied in a technological context, but growing security needs have extended researchers' attention to explore the management role in information security management. Various studies have explored different management roles and activities, but none has given a comprehensive picture of these roles and activities to manage information security effectively. So it is necessary to accumulate knowledge about various managerial roles and activities from literature to enable managers to adopt these for a more holistic approach to information security management. In this paper, using a systematic literature review approach, we synthesised literature related to management's roles in information security to explore specific managerial activities to enhance information security management. We found that numerous activities of management, particularly development and execution of information security policy, awareness, compliance training, development of effective enterprise information architecture, IT infrastructure management, business and IT alignment and human resources management, had a significant impact on the quality of management of information security. Thus, this research makes a novel contribution by arguing that a more holistic approach to information security is needed and we suggest the ways in which managers can play an effective role in information security. This research also opens up many new avenues for further research in this area.
Article
Full-text available
The purpose of this chapter is to introduce an overall classification system for Serious Games. The intention of this classification is to guide people through the vast field of Serious Games by providing them with a general overview. For example, it may appeal to teachers who wish to find games with strong educational potential though they may be outside the “edugames” field. This chapter will start by discussing the definition of Serious Games, and define them as having a combination of “serious” and “game” aspects. This theoretical framework will be used to review previous classification systems and discuss their limitations. It will then introduce a new classification that addresses a number of these limitations: the G/P/S model. This classifies games according to both their “serious-related” and “game-related” characteristics, and combines the strengths of several previous classification systems.
Conference Paper
Full-text available
The literature agrees that the major threat to IS security is constituted by careless employees who do not comply with organizations' IS security policies and procedures. To address this concern, different approaches for ensuring employees' IS security policy compliance have been proposed. Prior research on IS security compliance has criticized these extant IS security awareness approaches as lacking theoretically and empirically grounded principles to ensure that employees comply with IS security policies. To fill this gap, this study proposes a theoretical model that contains the factors that explain employees' IS security policy compliance. Data (N=245) from a Finnish company provides empirical support for the model. The results suggest that information quality has a significant effect on actual IS security policy compliance. Employees' attitude, normative beliefs and habits have a significant effect on intention to comply with IS security policy. Threat appraisal and facilitating conditions have a significant impact on attitude towards complying, while coping appraisal does not have a significant effect on employees' attitude towards complying. Sanctions have an insignificant effect on intention to comply with IS security policy, and awards do not have a significant effect on actual compliance with IS security policy.
Article
Full-text available
Online learning in commercial computer games allows computer-controlled opponents to adapt to the way the game is being played. As such it provides a mechanism to deal with weaknesses in the game AI, and to respond to changes in human player tactics. ...
Article
Full-text available
Serious games use entertainment principles, creativity, and technology to meet government or corporate training objectives, but these principles alone will not guarantee that the intended learning will occur. To be effective, serious games must incorporate sound cognitive, learning, and pedagogical principles into their design and structure. In this paper, we review cognitive principles that can be applied to improve the training effectiveness in serious games and we describe a process we used to design improvements for an existing game-based training application in the domain of cyber security education.
Article
Purpose: This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinarity of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill the gaps. Design/methodology/approach: The authors conducted a literature review from the viewpoints of IT security and of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings. Findings: The authors analysed gaps in social engineering defences and mapped them to underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies' bars against social engineering attacks. Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
Article
The US Naval Postgraduate School and University of Washington each independently developed informal security-themed tabletop games. [d0x3d!] is a board game in which players collaborate as white-hat hackers, tasked to retrieve a set of valuable digital assets held by an adversarial network. Control-Alt-Hack is a card game in which three to six players act as white-hat hackers at a security consulting company. These games employ modest pedagogical objectives to expose broad audiences to computer security topics.
Article
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equal: some could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.
Article
Social engineering is now a major threat to users and systems in the online context, and it is therefore vital to educate potential victims in order to reduce their susceptibility to the related attacks. However, as with other aspects of security education, this firstly requires a means of getting the user's attention. This paper presents details of an awareness-raising game that was developed in order to educate users in a more interactive way. A board game approach, combining reference material with themed multiple-choice questions, was implemented as an initial prototype, and evaluated with 21 users. The results suggested that the approach helped to increase players' awareness of social engineering, with nobody scoring under 55% whilst playing the game, and 86% feeling they had improved their knowledge of the subjects involved.
Article
Accomplished authors Preece, Rogers and Sharp have written a key new textbook on this core subject area. Interaction Design deals with a broad scope of issues, topics and paradigms that have traditionally been the scope of Human-Computer Interaction (HCI) and Interaction Design (ID). The book covers psychological and social aspects of users, interaction styles, user requirements, design approaches, usability and evaluation, traditional and future interface paradigms and the role of theory in informing design. The topics are grounded in the design process and the aim is to present relevant issues in an integrated and coherent way, rather than assembling a collection of chapters on individual HCI topics. KEY FEATURES: This truly integrated approach to HCI provides students with background information from psychology, sociology, anthropology, information systems and computer science, and provides principles and skills for designing any technology through the use of many interesting and state-of-the-art examples. The author-supported, highly interactive Web Site provides resources that allow students to collaborate on experiments, participate in design competitions, collaborate on design, find resources and communicate with others. The accompanying Web Site also features examples, step-by-step exercises and templates for questionnaires.
Article
CyberCIEGE is a high-end, commercial-quality video game developed jointly by Rivermind and the Naval Postgraduate School's Center for Information Systems Security Studies and Research. This dynamic, extensible game adheres to information assurance principles to help teach key concepts and practices. CyberCIEGE is a resource management simulation in which the player assumes the role of a decision maker for an IT dependent organization. The objective is to keep the organization's virtual users happy and productive while providing the necessary security measures to protect valuable information assets.
A. H. Morehead. The Complete Book of Solitaire and Patience Games. Read Books Ltd.
A.-S. T. Olanrewaju and N. H. Zakaria. Social engineering awareness game (SEAG): An empirical evaluation of using game towards improving information security awareness. In Proceedings of the 5th International Conference on Computing and Informatics, ICOCI 2015, 2015. (Accessed on 10/16/2016).
Dimensional Research. The Risk of Social Engineering on Information Security: A Survey of IT Professionals, 2011. http://docplayer.net/11092603-The-risk-of-socialengineering-on-information-security.html.
D. Djaouti, J. Alvarez, and J.-P. Jessel. Classifying serious games: the G/P/S model. Handbook of research on improving learning and motivation through educational games: Multidisciplinary approaches, pages 118-136, 2011.
Y. Rogers, H. Sharp, J. Preece, and M. Tepper. Interaction design: beyond human-computer interaction. netWorker: The Craft of Network Computing, 11(4):34, 2007.
A. Shostack. Threat Modeling: Designing for Security. John Wiley & Sons Inc., 1st edition, 2014.