Conference Paper

Systematic Scenario Creation for Serious Security-Awareness Games


Abstract

Although social engineering is still a relatively recent threat, many organisations address it only through traditional training, penetration tests, standardised security awareness campaigns or serious games. Existing research has shown that methods for raising employees' awareness are more effective if they are adjusted to their target audience. We therefore propose creating specific scenarios for serious games that take the particulars of the respective organisation into account. Based on the work of Faily and Flechais [11], who created personas using grounded theory, we demonstrate how to develop a specific scenario for HATCH [4], a serious game on social engineering. Our method for adapting a scenario of a serious game on social engineering produced a realistic scenario and was thus effective. Since the method is also very time-consuming, we propose future work to investigate whether the effort can be reduced.


Technical Report
How corporates are exploiting serious games for training.
Chapter
In social engineering (SE), the attacker tries to influence victims so as to provoke and exploit a particular behaviour in order to obtain sensitive information. According to the current data set of the Data Breach Investigations Report [1], 43% of all data breaches involve an SE attack. The SE attack is often the first step of a larger attack, in which the attacker uses the information gained there for further attacks. At present, companies mainly have two strategies for defending against SE attacks. On the one hand, they can commission penetration testers who, as "benign hackers", attack the employees and are supposed to find weaknesses. Unfortunately, this approach is not without problems. Experiments have shown that it can also demotivate employees when they are confronted with the results of the test. Moreover, such a test can infringe on the employees' personal rights, so there are numerous labour-law requirements for SE penetration tests [2, 3]. On the other hand, companies can run training courses and security awareness training in which employees are alerted to social engineering threats. Such training is often mandatory but has no lasting effect [4]. A third option is serious games, i.e. games that pursue a serious goal in addition to entertainment. These can be used, for example, in awareness training to make employees aware of possible IT security threats.

HATCH. One of the serious games described is HATCH (see Figure 1), which improves employees' understanding of SE [5]. The game can also be used to compile a list of possible SE threats that can serve to improve security [6]. Depending on the goal, the game is played with an invented (virtual) scenario or with a (realistic) scenario that maps the real working environment.

Virtual scenarios. When HATCH is used for training and awareness purposes, virtual scenarios are used. These consist of a floor plan of a department or company (see Figure 2, left), and for each employee shown in the plan there is a persona card sketching that employee's basic characteristics (see Figure 2, right). The players' task is then to devise an attack, based on the cards drawn, that is as plausible as possible and that exploits the idiosyncrasies of the employees present in the game. The attack found is then rated for plausibility by the other players.
Conference Paper
Social engineering is the acquisition of information about computer systems by methods that rely substantially on non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that (i) does not require any (advanced) technical tools, (ii) can be used by anyone and (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering, and none of them elicits the personal behaviours of individual employees. While the number of social engineering attacks and the damage they cause rise every year, awareness of these attacks and their consideration during requirements elicitation remain negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents the underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators and professionals from industry.
Conference Paper
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually covered by penetration tests, such systems remain highly vulnerable to attacks from social engineers who exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people, teaching them how these attacks work and how to detect them. We propose a serious game that helps players understand how social engineering attackers work. The game can be played either on the real scenario of the company or department, or on a generic office scenario with personas that can be attacked. Our game trains people to recognise social engineering attacks in an entertaining way, which is intended to produce a lasting learning effect.
Conference Paper
Social engineering is the acquisition of information about computer systems by methods that rely substantially on non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that (i) does not require any (advanced) technical tools, (ii) can be used by anyone and (iii) is cheap. Traditional penetration testing approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering. While the number of social engineering attacks and the damage they cause rise every year, the defences against social engineering do not evolve accordingly. Hence, employees' awareness of these attacks remains low. We examined the psychological principles of social engineering and which psychological techniques induce a resistance to persuasion that is applicable to social engineering. The techniques examined are enhancement of persuasion knowledge, attitude bolstering and influencing decision making. While research on security awareness exists, resistance to persuasion has not yet been integrated into it. We therefore analysed current defence mechanisms and provide a gap analysis based on research in social psychology. Based on our findings, we provide guidelines on how to improve social engineering defence mechanisms such as security awareness programmes.
Article
The use of digital games and gamification has demonstrated potential to improve many aspects of how businesses train staff and communicate with consumers. However, a better understanding is still needed of how the adoption of games and gamification would influence decision-making in organisations across different industries. This article provides a structured review of the existing literature on the use of games in the business environment, consolidates findings to address research questions regarding their perception and proven efficacy, and identifies key areas for future work. The findings highlight that serious games can have positive and effective impacts in multiple areas of a business, including training, decision support and consumer outreach. They also emphasise the challenges and pitfalls of applying serious games and gamification principles within a business context, and discuss the implications of development and evaluation methodologies for the success of a game-based solution.
Conference Paper
This paper arises from ongoing work in GALA (Games and Learning Alliance, the Network of Excellence for Serious Games). As part of GALA, a comprehensive state-of-the-art analysis of existing serious games for the (loosely defined) business and industry domain was undertaken. A categorisation of the identified serious games was developed in order to analyse their characteristics: the aspects they cover and those they do not. Of primary importance were the simulation level, the topic and the skills mediated by the identified serious games. The "simulation level" means the level or amount of the world that is simulated in the simulation or serious game. This is a hierarchy starting with World/God/Universe, the level at which whole worlds are simulated, for example in games such as Civilization. The hierarchy then proceeds downwards through nation, industry, inter-organisational, business/organisation, intra-organisational/processes, group/team, discipline and techniques to games addressing the individual. Second, the skills to be transferred by each serious game were analysed. From this, an analysis of the gaps in the coverage of serious games was carried out, leading to the identification of opportunities for, and recommendations of, serious games to be developed for the business and industry domain.
Conference Paper
Organizations are increasingly investing in technology-enhanced learning systems to improve their employees’ skills. Serious games are one example; the competitive and fun nature of games is supposed to motivate employee participation. But any system that records employee data raises issues of privacy and trust. In this paper, we present a study on privacy and trust implications of serious games in an organizational context. We present findings from 32 interviews with potential end-users of a serious games platform called TARGET. A qualitative analysis of the interviews reveals that participants anticipate privacy risks for the data generated in game playing, and their decision to trust their fellow employees and managers depends on the presence of specific trust signals. Failure to minimize privacy risks and maximize trust will affect the acceptance of the system and the learning experience – thus undermining the primary purpose for which it was deployed. Game designers are advised to provide mechanisms for selective disclosure of data by players, and organizations should not use gaming data for appraisal or selection purposes, and clearly communicate this to employees.
Conference Paper
Personas are a popular technique in User-Centred Design; however, their validity can be called into question. While the techniques used to develop personas and their integration with other design activities provide some measure of validity, a persona's legitimacy can be threatened by challenging its characteristics. This note presents Persona Cases: personas whose characteristics are both grounded in, and traceable to, their originating source of empirical data. The approach builds on the premise that sense-making in qualitative data analysis is an argumentative activity, and aligns concepts associated with a Grounded Theory analysis with recent work on arguing the characteristics of personas. We illustrate the approach using a case study in the Critical Infrastructure Protection domain.
Conference Paper
Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester interacts directly with the employees. These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust towards the organisation, and may lead to lawsuits and loss of productivity. We propose two methodologies for performing a physical penetration test whose goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. They have been validated by a set of penetration tests performed over a period of two years.
Article
This paper by Dr. Maria Bada and Professor Angela Sasse focuses on security awareness campaigns, trying to identify the factors that potentially cause them to fail at changing the information security behaviours of consumers and employees. Past and current efforts to improve information security practices have not had the desired effect. In this paper, we explain the challenges involved in improving information security behaviours. Changing behaviour requires more than giving information about risks and correct behaviours: firstly, people must be able to understand and apply the advice, and secondly, they must be willing to do so, and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour (e.g. the theory of reasoned action, the theory of planned behaviour and protection motivation theory). We review the suitability of persuasion techniques, including the widely used fear appeals. Essential components of an awareness campaign, as well as factors that can lead to a campaign's failure, are also discussed. In order to enact change, the current sources of influence, whether conscious or unconscious, personal, environmental or social, that keep people from enacting vital behaviours need to be identified. Cultural differences in risk perception can also influence the maintenance of a particular way of life. Since the vast majority of behaviours are habitual, the change from existing habits to better information security habits requires support. Finally, we present examples of existing awareness campaigns in the UK, Australia, Canada and Africa.
Article
Purpose: This paper aims to outline strategies for defence against social engineering that are missing from the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinary nature of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill it.
Design/methodology/approach: The authors conducted a literature review from the viewpoints of IT security and of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings.
Findings: The authors analysed gaps in social engineering defences and mapped them to the underlying psychological principles of social engineering attacks, for example social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. From these results the authors derived two training strategies that go beyond state-of-the-art training in IT security and allow security professionals to raise companies' defences against social engineering attacks.
Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering, providing reference points for researchers and IT security professionals with advice on how to improve training.
Chapter
The expert interview, as a method of qualitative empirical research designed to explore expert knowledge, has been developed considerably since the early 1990s. A number of readers have been published, closing a gap in the methods literature to the benefit of many disciplines and fields of research in the social sciences. It can be assumed that, through increased reflection on methodological issues, research into experts' knowledge has gained in professionalism and quality.
Article
Operating systems and programs are better protected these days, and attackers have shifted their attention to the human element to break into organisations' information systems. As the number and frequency of cyber-attacks designed to take advantage of unsuspecting personnel increase, the significance of the human factor in information security management cannot be understated. To counter cyber-attacks designed to exploit human factors in the information security chain, information security awareness, with the objective of reducing the information security risks that arise from human-related vulnerabilities, is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used to improve end-users' information security awareness and behaviour. There is a wide range of delivery methods, such as web-based training materials, contextual training and embedded training. Despite efforts to increase information security awareness, research on effective delivery methods is scant. To this end, this study focuses on determining which security awareness delivery method is most successful in providing information security awareness and which is preferred by users. We conducted information security awareness training using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that combined delivery methods are better than any individual delivery method.
Article
From the Publisher: A Legendary Hacker Reveals How To Guard Against the Gravest Security Risk of All: Human Nature.
Author Biography: Kevin D. Mitnick is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government's information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America, 60 Minutes, CNN's Burden of Proof and Headline News, and has been a keynote speaker at numerous industry events. He has also hosted a weekly radio show on KFI AM 640, Los Angeles. William L. Simon is a bestselling author of more than a dozen books and an award-winning film and television writer.
Article
Social engineering is the name given to a category of security attacks in which someone manipulates others into revealing information that can be used to steal data or money, gain access to systems or mobile phones, or even steal identities. Such attacks can be very simple or very complex. Gaining access to information over the phone or through the websites that you visit has added a new dimension to the role of the social engineer. We examine ways in which people, companies, government agencies and military organisations have been duped into disclosing information that opened them to attack. We discuss who today's social engineers are and what they are after. We also discuss both the low-tech and the newer electronic forms of theft, and explore measures that will keep your personal, customer, supplier and company information out of the hands of the social engineer.
Alexander, M.: Methods for understanding and reducing social engineering attacks. SANS Inst. 1, 1-32 (2016), https://www.sans.org/readingroom/whitepapers/critical/methods-understanding-reducing-socialengineering-attacks-36972
Cooper, A.: The Inmates Are Running the Asylum. Sams (Macmillan), Indianapolis, IN (1999)
Papadaki, M., Furnell, S., Dodge, R.: Social engineering: Exploiting the weakest links. European Network & Information Security Agency (ENISA), Heraklion, Crete (2008)