Conference Paper

PROTECT - An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks

  • Continental Automotive Technologies GmbH
To read the full-text of this research, you can request a copy directly from the authors.


Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies defence mechanisms against the fraud are useful to prevent social engineering, as well. We tackle this problem using and enhancing an existing online serious game to train employees to use defence mechanisms of social psychology. The game has shown promising tendencies towards raising awareness for social engineering in an entertaining way. Training is highly effective when it is adapted to the players context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow the adaption to the player's context as well as the integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... However, only the initial, most relevant study from a given author or group of authors was chosen to keep the selection concise. Haferkamp, 2011;Almeida et al., 2017Anti-terrorism Training Bruzzone, 2009Sormani, 2016 Engineering and Information Systems Vermillion et al., 2017;Kwak et al., 2019Military Garris et al., 2002Zyda, 2005;Yildirim, 2010Policing BinSubaih, 2005Bosse & Gerritsen, 2017;Sorace et al., 2018;Akhgar et al., 2019Cybersecurity Sheng et al., 2007Cone et al., 2007;Newbould & Furnell, 2009;Arachchilage, 2013;Denning et al., 2013;Olanrewaju & Zakaria, 2015;Hendrix & Sherbaz, 2016;Beckers & Pape, 2016;Aladawy et al., 2018;Chothia et al., 2018;Frey et al., 2018;Goeke et al., 2019;Hart et al., 2020 ...
... A disadvantage of this offline tabletop approach is its scalability. Aladawy et al. (2018) and Goeke et al. (2019) developed an online version of the game and changed the player perspective from being a social engineer to being a SEA defender to train players' resistance against persuasion. Being put into a defending position correlates better with real-world scenarios (generally, most people would rather face situations where they must defend against SEAs than be an attacker themselves). ...
... However, there have been studies outside criminology that used a similar approach. Beckers and Pape (2016) performed experiments to test the effectiveness of an SG approach for SE awareness creation and further developed the approach to create an online version of the game (Aladawy et al., 2018;Goeke et al., 2019). The initial approach, however, was not further evaluated for improvement potentials. ...
Full-text available
Social engineering is a method used by offenders to deceive their targets utilizing rationales of human psychology. Offenders aim to exploit information and use them for intelligence purposes or financial gains. Generating resilience against these malicious methods is still challenging. Literature shows that serious gaming learning approaches are used more frequently to instill lasting retention effects. Serious games are interactive, experiential learning approaches that impart knowledge about rationales and concepts in a way that fosters retention. In three samples and totally 97 participants the study at hand evaluated a social engineering serious game for participants' involvement and instruction compliance during the game. Field observations and unstructured interviews were used to collect data on participants' engagement, satisfaction and compliance with game master instructions. The findings show that there are potentials in changing the game material and its process to foster these dimensions and make it more useful as an instructional instrument for social engineering awareness creation.
... : Relation [149] of HATCH [148], PROTECT [151], and the CyberSecurity Awareness Quiz [150] . ...
... HATCH is the first in a cascade of three serious games [149], each with a different purpose as shown in Figure 5 [150]. However, since PROTECT [151] and the CyberSecurity Awareness Quiz [150] are both single-player games, HATCH is the obvious candidate for a legal and ethical assessment. Due to its multiplayer character and when eliciting threats with real scenarios, care has to be taken that no personal data of the players or other employees of the organization are at risk, or some of the players start bullying others. ...
... Due to its multiplayer character and when eliciting threats with real scenarios, care has to be taken that no personal data of the players or other employees of the organization are at risk, or some of the players start bullying others. Figure 5: Relation [149] of HATCH [148], PROTECT [151], and the CyberSecurity Awareness Quiz [150] When playing HATCH with a realistic scenario, the employees' personal information might be at risk if players use it to describe their attacks. Legal requirements demand a careful consideration of conditions the game can be used in. ...
Technical Report
Full-text available
This report proposes a conceptual framework for the monitoring and evaluation of a cybersecurity awareness (CSA) program. In order to do so, it uses a nonsystematic or purposive literature review. Initially, it reviewed nine existing frameworks/models on CSA mainly to derive the skeleton (phases and sub-phases) of the framework. This is followed by a set of guidelines and practical advice in each phase and sub-phases of the framework that would be useful for the enhancement of a CSA program. The guidelines and advice on "what to do in each phase" as well as "what to expect in each phase" will be useful for CSA professionals, individuals, or organizations who intend to design a CSA program. In addition to this, the report also presents the evaluation criteria of two CSA mechanisms, which are posters and serious games.
... THREAT-ARREST combines all modern training aspects of serious gaming [25,26], emulation and simulation in a concrete manner [27], and offers continuous security assurance and programme adaptation based on the trainee's performance and skills ( Table 1). The platform [24] offers training on known and/or new advanced cyber-attack scenarios, taking different types of action against them, including: preparedness, detection and analysis, incident response, and post incident response actions. ...
... With this Tool, we can: (i) export the system's security vulnerabilities and threats, (ii) conduct a risk analysis to identify the most significant of them, and (iii) perform statistical analysis on the various system log-files in order to produce realistic synthetic logs (i.e., with the platform's Data Fabrication Tool). Afterwards, these logs are utilized by the CTTP models and can be processed by the Gamification, Emulation, and/or Simulation Tools [25][26][27]. ...
... The overall accomplishments of the trainee disclose his/her level of understanding concerning the tampering and spoofing perspectives of social engineering attacks and the usage of the relevant countermeasures that would assure integrity and authentication, respectively. The basic training involves the Training and the Gamification Tools [25]. The trainees are registered and we compound their training sessions. ...
Full-text available
Nowadays, more-and-more cyber-security training is emerging as an essential process for the lifelong personnel education in organizations, especially for those which operate critical infrastructures. This is due to security breaches on popular services that become publicly known and raise people’s security awareness. Except from large organizations, small-to-medium enterprises and individuals need to keep their knowledge on the related topics up-to-date as a means to protect their business operation or to obtain professional skills. Therefore, the potential target-group may range from simple users, who require basic knowledge on the current threat landscape and how to operate the related defense mechanisms, to security experts, who require hands-on experience in responding to security incidents. This high diversity makes training and certification quite a challenging task. This study combines pedagogical practices and cyber-security modelling in an attempt to support dynamically adaptive training procedures. The training programme is initially tailored to the trainee’s needs, promoting the continuous adaptation to his/her performance afterwards. As the trainee accomplishes the basic evaluation tasks, the assessment starts involving more advanced features that demand a higher level of understanding. The overall method is integrated in a modern cyber-ranges platform, and a pilot training programme for smart shipping employees is presented.
... The game is designed to provide knowledge and train people through social psychology theories on resistance to persuasion. This game is further enhanced to contain more content and to accommodate contexts Goeke et al. [2019]. ...
Full-text available
Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this SoK paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- {\em psychological factors (PFs) and techniques (PTs)}. We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.
Conference Paper
Full-text available
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually being regarded in penetration tests, such systems remain highly vulnerable to attacks from social engineers that exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people to teach them how these attacks work and how to detect them. We propose a serious game that helps players to understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people in realising social engineering attacks in an entertaining way, which shall cause a lasting learning effect.
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that deeply include non- technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of indi- vidual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Conference Paper
Full-text available
Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred in the literature: Cialdini’s principles of influence, Gragg’s psychological triggers, and Stajano et al. principles of scams. It is unclear whether these relate but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list for them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review and further research is needed to make it automatic, but the approach we follow, together with principles we propose, can be applied more consistently and more comprehensively than the original taxonomies.
Full-text available
Serious games use entertainment principles, creativity, and technology to meet government or corporate training objectives, but these principles alone will not guarantee that the intended learning will occur. To be effective, serious games must incorporate sound cognitive, learning, and pedagogical principles into their design and structure. In this paper, we review cognitive principles that can be applied to improve the training effectiveness in serious games and we describe a process we used to design improvements for an existing game-based training application in the domain of cyber security education.
Purpose This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. Reason for the incomplete training techniques in IT security is the interdisciplinary of the field. Social engineering is focusing on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill the gaps. Design/methodology/approach The authors conducted a literature review from viewpoint IT security and viewpoint of social psychology. In addition, they mapped the results to outline gaps and analysed how these gaps could be filled using established methods from social psychology and discussed the findings. Findings The authors analysed gaps in social engineering defences and mapped them to underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies’ bars against social engineering attacks. Originality/value The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
The US Naval Postgraduate School and University of Washington each independently developed informal security-themed tabletop games. [d0x3d!] is a board game in which players collaborate as white-hat hackers, tasked to retrieve a set of valuable digital assets held by an adversarial network. Control-Alt-Hack is a card game in which three to six players act as white-hat hackers at a security consulting company. These games employ modest pedagogical objectives to expose broad audiences to computer security topics.
From the Publisher:A Legendary Hacker Reveals How To Guard Against the Gravest Security Risk of All–Human NatureAuthor Biography: Kevin D. Mitnick is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm ( He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News, and has been a keynote speaker at numerous industry events. He has also hosted a weekly radio show on KFI AM 640, Los Angeles. William L. Simon is a bestselling author of more than a dozen books and an award-winning film and television writer.
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equalsome could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.
Social engineering is the con man's “low-tech” approach to the high-tech world of the Internet. This article explains social engineering concepts, the impact they can have on an organization, and controls the organization can implement to limit its exposure to those attacks.
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.
Purpose The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation. Design/methodology/approach An e‐mail‐based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security‐aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation. Findings In spite of a short window of operation for the experiment, the results revealed that 23 per‐cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online. Research limitations/implications After running for approximately 3.5 h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended. Practical implications Despite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial. Originality/value This paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e‐mail‐based social engineering study that was conducted amongst staff within a cooperating organisation.
CyberCIEGE is a high-end, commercial-quality video game developed jointly by Rivermind and the Naval Postgraduate School's Center for Information Systems Security Studies and Research. This dynamic, extensible game adheres to information assurance principles to help teach key concepts and practices. CyberCIEGE is a resource management simulation in which the player assumes the role of a decision maker for an IT dependent organization. The objective is to keep the organization's virtual users happy and productive while providing the necessary security measures to protect valuable information assets.
Playing safe: A prototype game for raising awareness of social engineering
  • M Newbould
  • S Furnell
Newbould, M., Furnell, S.: Playing safe: A prototype game for raising awareness of social engineering. In: Australian Information Security Management Conference. p. 4 (2009)
Social engineering awareness game (seag): An empirical evaluation of using game towards improving information security awareness
  • A S T Olanrewaju
  • N H Zakaria
Olanrewaju, A.S.T., Zakaria, N.H.: Social engineering awareness game (seag): An empirical evaluation of using game towards improving information security awareness. In: Proceedings of the 5th International Conference on Computing and Informatics, ICOCI 2015 (2015)
A systematic gap analysis of social engineering defence mechanisms considering social psychology
  • P Schaab
  • K Beckers
  • S Pape
Schaab, P., Beckers, K., Pape, S.: A systematic gap analysis of social engineering defence mechanisms considering social psychology. In: 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016 ,Frankfurt, Germany, July 19-21, 2016, Proceedings. (2016), http://www.cscan. org/openaccess/?paperid=301
Threat Modeling: Designing for Security
  • A Shostack
Shostack, A.: Threat Modeling: Designing for Security. John Wiley & Sons Inc., 1st edn. (2014)