Chapter

PROTECT – An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks


Abstract

Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. The approaches employed in social engineering do not differ significantly from those used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem by using and enhancing an existing online serious game to train employees to apply defence mechanisms from social psychology. The game has shown promising tendencies towards raising awareness of social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow adaptation to the player's context as well as integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather qualitative feedback.


... In information security, semantic attacks refer to the manipulation of systems' interfaces by deceiving users in order to breach the systems' security settings. In this perspective, [20] proposed an online game to detect social engineering attacks by enhancing people's awareness in an entertaining way. To enable users to detect and report semantic SEA, [21] conducted an experiment to evaluate human-sensor cogni-sense attacks. ...
... b) Technological Detection. Although SE attackers do not require any technical skills for most SE techniques to operate a sophisticated attack, technical solutions have been implemented, using a game by [20] and NLP with machine learning and a case-based reasoning system by [16]. Therefore, research has shown that SEA can be detected by technological means. Further studies toward a technological approach to the solution of SEA in E-government are recommended. ...
Article
Purpose: The E-Government system emerged as a novel public service provision platform that enables governance in an efficient and transparent manner globally. However, despite the success recorded so far by the increase in the use of information and communication technology (ICT) and E-government for public service provision, the social engineering attack (SEA) is one of the challenging information security attacks that proves difficult to tackle. This is because the attackers leverage people's weaknesses to exploit the system instead of technical vulnerabilities.
Design/Methodology/Approach: This paper uses PESTLE (political, economic, social, technology, legal and environment) analysis to critically evaluate the external factors affecting SEAs in the E-government system.
Findings/Result: The study identified phishing, baiting, pretexting, quid pro quo, honey trap, tailgating, and pharming as the major SEA techniques used to exploit E-government systems. Furthermore, the author suggests training and awareness programmes as the most effective way to detect as well as prevent SEA in the E-government system. Users should be aware of language with terms requesting an urgent response, as well as unusual or unexpected situations in suspicious messages or attachments, as factors to detect SEA. Technical controls using natural language processing (NLP), security policies, multifactor authentication (MFA) as well as secure preservation of confidential information from suspicious users are some of the SEA preventive measures.
Originality/Value: A flexible and efficient interaction among citizens, businesses and government organizations is a critical factor for a successful E-Government system. SEA is one of the major challenges affecting communications in the E-government system that requires attention. In conclusion, studies toward a technological approach to the solution of SEA in E-government are recommended.
Paper Type: Conceptual Research.
... A serious game model includes information about the following two types of games: PROTECT [37] or Awareness Quiz [38]. Updates occurred only on the creation of the latter. ...
... Phishing and social engineering:
  • Main lecture and educational material
  • Emulation of a virtual lab with an email phishing scenario and the use of OpenPGP software (Kleopatra)
  • Serious game for targeted social engineering on system administrators with the PROTECT game [37]
The everlasting effects of social engineering with a focus on phishing attacks, as well as email security authentication, integrity, and confidentiality. ...
Article
Digital technologies are facilitating our daily activities, and thus leading to social transformation with the upcoming 5G communications and the Internet of Things. However, mainstream and sophisticated attacks remain a threat, both for individuals and organisations. Cyber Ranges emerge as a promising solution to effectively train people in cybersecurity aspects. A Training Programme is considered adequate only if it can adapt to the scope of the attacks it covers and if the trainees apply the learning material to the operational system. Therefore, this study introduces the model-driven CYber Range Assurance platform (CYRA). The solution allows a trainee to be trained for known and new cyber-attacks by adapting to the continuously evolving threat landscape and examines whether the trainees transfer the acquired knowledge to the working environment. Furthermore, this paper presents a use case on an operational backend ICT system, showing how the CYRA platform was utilised to increase the security posture of the organisation.
... Some recent examples of SGs, such as 'Riskio' [25], 'CybAR' [2], 'AWATO' [18] and 'PROTECT' [21] look to provide innovation, incorporate new technologies, or tackle areas of knowledge that have seen little attention in this form. CybAR utilises augmented reality within a mobile application to increase awareness of different cyber attack forms. ...
Article
Training effective simulation scenarios presents numerous challenges from a pedagogical point of view. Through application of the Conceptual Framework for e-Learning and Training (COFELET) as a pattern for designing serious games, we propose the use of the Simulated Critical Infrastructure Protection Scenarios (SCIPS) platform as a prospective tool for supporting the process of providing effective cyber security training. The SCIPS platform is designed to run different scenarios, such as examples in financial forecasting and business infrastructures, with an initial scenario developed in collaboration with industrial partners focusing on an electricity generation plant. Focus groups from these sources were conducted to identify design and developmental considerations for the platform. As an extension from the COFELET framework, we propose an intelligence scaffolding practice as a guidance mechanic taking the form of an agent within the scenario. The agent represents a major innovation in the system and we envisage a deep learning-based augmentation to further adapt towards the behavioural aspects of learners.
... This sub-model consists of one or more Game modules. A Game module includes the following fields: (a) the type of the game (e.g., AWARENESS QUEST [7] or PROTECT [12], as supported in THREAT-ARREST), (b) the difficulty level, (c) the overall game time, (d) one or more card deck IDs and (e) whether this game needs any special practice. ...
Conference Paper
In light of the ever-increasing complexity and criticality of applications supported by ICT infrastructures, Cyber Ranges emerge as a promising solution to effectively train people within organisations on cyber-security aspects, thus providing an efficient mechanism to manage the associated risks. Motivated by this, the work presented herein introduces the model-driven approach of the THREAT-ARREST project for Cyber Range training, presenting in detail the Cyber Threat Training and Preparation (CTTP) models. These models, comprising sub-models catering for different aspects of the training, are used for specifying and generating the Training Programmes. As such, the paper also provides details on implementation aspects regarding the use of these models in the context of a usable cyber range training platform and two specific training scenarios.
Chapter
Serious games seem to be a good alternative to traditional training since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: they should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness: on the one hand, because it is hard to measure security and privacy awareness; on the other hand, because both of these topics are currently often in the mainstream media, which requires making sure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games, the raised challenges are discussed and partially existing solutions are presented.
Conference Paper
Emerging technologies are facilitating our daily activities and drive the digital transformation. The Internet of Things (IoT) and 5G communications will provide a wide range of new applications and business opportunities, but with a wide and quite complex attack surface. Many users are not aware of the underlying threats and most of them do not possess the knowledge to set up and operate the various digital assets securely. Therefore, cyber security training is becoming mandatory both for ordinary users and security experts. Cyber ranges constitute an advanced training technique where trainees gain hands-on experience in a safe virtual environment, which can be a realistic digital twin of an actual system. This paper presents the cyber range platform THREAT-ARREST. Its design is fully model-driven and offers all modern training features (i.e. emulation, simulation, serious games, and fabricated data). The platform has been evaluated in the smart energy, intelligent transportation, and healthcare domains.
Chapter
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
Conference Paper
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually regarded in penetration tests, such systems remain highly vulnerable to attacks from social engineers who exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people to teach them how these attacks work and how to detect them. We propose a serious game that helps players to understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people in recognising social engineering attacks in an entertaining way, which shall cause a lasting learning effect.
Conference Paper
Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of individual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remain negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Conference Paper
Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional penetration testing approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering. While the amount of social engineering attacks and the damage they cause rise every year, the defences against social engineering do not evolve accordingly. Hence, the security awareness of these attacks among employees remains low. We examined the psychological principles of social engineering and which psychological techniques induce resistance to persuasion applicable to social engineering. The techniques examined are an enhancement of persuasion knowledge, attitude bolstering and influencing decision making. While research exists elaborating on security awareness, the integration of resistance against persuasion has not been done. Therefore, we analysed current defence mechanisms and provide a gap analysis based on research in social psychology. Based on our findings we provide guidelines on how to improve social engineering defence mechanisms such as security awareness programs.
Conference Paper
Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred to in the literature: Cialdini's principles of influence, Gragg's psychological triggers, and Stajano et al.'s principles of scams. It is unclear whether these relate, but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list of them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review and further research is needed to make it automatic, but the approach we follow, together with the principles we propose, can be applied more consistently and more comprehensively than the original taxonomies.
Article
Serious games use entertainment principles, creativity, and technology to meet government or corporate training objectives, but these principles alone will not guarantee that the intended learning will occur. To be effective, serious games must incorporate sound cognitive, learning, and pedagogical principles into their design and structure. In this paper, we review cognitive principles that can be applied to improve the training effectiveness in serious games and we describe a process we used to design improvements for an existing game-based training application in the domain of cyber security education.
Article
Purpose: This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinarity of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill it.
Design/methodology/approach: The authors conducted a literature review from the viewpoints of IT security and social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings.
Findings: The authors analysed gaps in social engineering defences and mapped them to underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art training in IT security and allow security professionals to raise companies' bars against social engineering attacks.
Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
Article
Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.
Article
The US Naval Postgraduate School and University of Washington each independently developed informal security-themed tabletop games. [d0x3d!] is a board game in which players collaborate as white-hat hackers, tasked to retrieve a set of valuable digital assets held by an adversarial network. Control-Alt-Hack is a card game in which three to six players act as white-hat hackers at a security consulting company. These games employ modest pedagogical objectives to expose broad audiences to computer security topics.
Article
From the Publisher: A Legendary Hacker Reveals How To Guard Against the Gravest Security Risk of All: Human Nature. Author Biography: Kevin D. Mitnick is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News, and has been a keynote speaker at numerous industry events. He has also hosted a weekly radio show on KFI AM 640, Los Angeles. William L. Simon is a bestselling author of more than a dozen books and an award-winning film and television writer.
Article
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software. But not all discovered vulnerabilities are equal; some could cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams must prioritize security fortification efforts to prevent the most damaging attacks. Protection Poker is a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrates Protection Poker's potential for improving software security practices and team software security knowledge.
Article
Social engineering is the con man's “low-tech” approach to the high-tech world of the Internet. This article explains social engineering concepts, the impact they can have on an organization, and controls the organization can implement to limit its exposure to those attacks.
Article
Purpose: The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation.
Design/methodology/approach: An e-mail-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security-aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation.
Findings: In spite of a short window of operation for the experiment, the results revealed that 23 per cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online.
Research limitations/implications: After running for approximately 3.5 h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended.
Practical implications: Despite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial.
Originality/value: This paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e-mail-based social engineering study that was conducted amongst staff within a cooperating organisation.
Article
Social engineering is now a major threat to users and systems in the online context, and it is therefore vital to educate potential victims in order to reduce their susceptibility to the related attacks. However, as with other aspects of security education, this firstly requires a means of getting the user's attention. This paper presents details of an awareness-raising game that was developed in order to educate users in a more interactive way. A board game approach, combining reference material with themed multiple-choice questions, was implemented as an initial prototype, and evaluated with 21 users. The results suggested that the approach helped to increase players' awareness of social engineering, with nobody scoring under 55% whilst playing the game, and 86% feeling they had improved their knowledge of the subjects involved.
Article
CyberCIEGE is a high-end, commercial-quality video game developed jointly by Rivermind and the Naval Postgraduate School's Center for Information Systems Security Studies and Research. This dynamic, extensible game adheres to information assurance principles to help teach key concepts and practices. CyberCIEGE is a resource management simulation in which the player assumes the role of a decision maker for an IT dependent organization. The objective is to keep the organization's virtual users happy and productive while providing the necessary security measures to protect valuable information assets.