Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy



Abstract: It is generally accepted that the management of a company has a legal obligation to maintain and operate IT security measures as part of the company's own compliance – this includes training employees with regard to social engineering attacks. On the other hand, the question arises whether and how the employee must tolerate the associated measures, since, for example, social engineering penetration testing can be very intrusive.
1 Introduction

Social engineering (SE) attempts to induce and exploit certain behaviour by influencing the victims in order to obtain sensitive information. An SE attack is often the first step of a larger attack, in which the attacker uses the information gained for further attacks [1]. However, the latest Data Breach Investigations Report [1] also reports another increase in financially motivated SE, where the attacker directly asks for money, e.g. by impersonating CEOs or other high-level executives. While a number of defence methods and counteracting training methods [2, 3] exist, companies currently have three main strategies to fend off SE attacks: SE penetration testing, security awareness training, and security awareness campaigns.

For SE penetration testing, penetration testers, acting as benign hackers, are supposed to attack the employees and find weak points. This is mostly done to investigate the employees' vulnerability to phishing attacks. Unfortunately, this approach is not without problems. Experiments have shown that it can lead to employees becoming demotivated when confronted with the results of the test [4]. In addition, such a test can interfere with the employees' right of personality, in particular since, for an accurate assessment of the situation, employees cannot be told beforehand that they are being tested, which raises ethical issues [5]. As a consequence, there are numerous labour law requirements for SE penetration tests [6, 7].

Security awareness training may prove successful, in particular against phishing. However, often employees are not trained at all, or the training is conducted insufficiently [1] or in a way that does not have a long-lasting effect [8]. Security awareness campaigns often provide only information about risks; they are not engaging, interesting and entertaining enough, they evoke negative feelings such as anxiety, fear or stress, and they are therefore ineffective at changing individuals' behaviour [9]. Both strategies have in common that individuals generally dislike following instructions, because doing so is associated with losing control.

A less common method is the use of serious games, i.e. games that have a serious goal besides entertainment. Serious games are more entertaining and engaging than traditional forms of learning and influence individuals' behaviour through their use of pedagogy and game-based learning principles such as motivation, cognitive apprenticeship and constructivism [10]. Therefore, at first glance the use of a serious game for awareness raising and training against SE attacks, e.g. HATCH [11, 12], seems fine. In this paper, however, we investigate the legal challenges of using the game HATCH, which offers two different types of scenarios. As a case study, we examine under which circumstances which of HATCH's scenario types is suitable and legal for fulfilling its goal. Based on the results, we derive general recommendations on what to consider when using a serious game for awareness raising.
Sebastian Pape, Dennis-Kenji Kipker
Dr. Dennis-Kenji Kipker
Scientific Managing Director of the Institute for Information, Health and Medical Law (IGMR) at the University of Bremen, and member of the board of the European Academy for Freedom of Information and Data Protection (EAID), Berlin.

Dr. Sebastian Pape
Research associate at the Chair of Mobile Business & Multilateral Security at Goethe University Frankfurt and managing partner of the Social Engineering Academy GmbH.
310 DuD Datenschutz und Datensicherheit 5 | 2021
2 Background and Related Work

In this section, we first describe HATCH, the game we have investigated. In the second part of the section, we discuss related work.
2.1 HATCH

The serious game considered for our use case is HATCH [11, 12], which aims to improve the employees' understanding of SE. For our analysis, we briefly sketch how HATCH works. Each player takes the role of an attacker.

1. Each player draws a card from the deck of human behavioural principles, e.g. "Need and Greed".
2. Each player draws three cards from the deck of social engineering attack techniques, e.g. phishing.
3. Each player develops an attack targeting one of the personas in the scenario, based on the drawn cards.
4. Each player presents his/her attack to the group, and the other members of the group discuss whether the attack is feasible.
5. The players get points based on how viable their attack is and whether the attack was compliant with the drawn cards. The player with the most points wins the game.
6. As a debriefing, the perceived threats are discussed and the players reflect on their attacks.

The game can be played either with an imaginary (virtual) scenario or with a (realistic) scenario that reflects the real working environment. We describe both scenario types in the following.

Virtual Scenarios

Virtual scenarios are used when HATCH is used for training and awareness purposes [11]. They consist of a plan of a department or company (see Fig. 1), and for each of the employees shown in the plan there is a persona card that outlines the basic characteristics of that employee (see Fig. 2). The players' task is to come up with an attack that is as plausible as possible on the basis of the drawn cards and that exploits the characteristics of the employees present in the game. The attack found is then evaluated for plausibility by the players.

Realistic Scenarios

The basic gameplay of HATCH with a realistic scenario [12] is the same as with a virtual scenario. However, virtual people are not used here; instead, a plan of the real working environment is created and the players devise attacks on their colleagues. In doing so, they use their existing knowledge of their colleagues' work processes, skills and preferences. Besides training and awareness raising, the result is a list of possible SE threats that can be used to improve work processes and security policies. The advantage over a threat analysis by experts is that the employees of a department or a company know the real work processes very well, so it is easier to train them in social engineering than to have experts study all work processes.
2.2 Related Work

While there are reports on the use of serious games in the corporate sector [10], the body of literature specific to serious games aimed at raising awareness and enabling security training is rather small. Regarding compliance and serious games, there is a lot of work, but only on using serious games to increase compliance, not on the compliance of serious games themselves. In the area of SE, most of the work is focused on SE penetration testing: [5] discusses the ethics of SE penetration testing, and [6] and [7] discuss SE penetration testing from a legal perspective with regard to labour law.
Fig. 1 | Scenario for an Energy Provider
Fig. 2 | Persona Card for Jonas, an Accountant
3 Legal Adequacy of HATCH

It is generally accepted that management has a legal obligation to maintain and operate IT security measures as part of the company's own compliance; this includes training employees with regard to social engineering attacks. The compliance obligation under IT security law can be derived from a wide variety of legal provisions, depending on the respective industry, and in general from § 43 par. 1 of the German Limited Liability Companies Act (GmbHG) and § 93 par. 1 of the German Stock Corporation Act (AktG). Where, on the one hand, there are corporate obligations to implement an appropriate level of IT security, the question arises, on the other hand, whether and how the employee must tolerate the associated measures and, if necessary, also participate in them. The conflict between freedom and security thus manifests itself here as questions of labour law and data protection law, as well as of corporate compliance and corporate governance. Especially for an SE game like HATCH, which requires the active participation of the individual employee, various legal problem areas open up. A distinction must be made between the realistic and the virtual game scenario.
3.1 Realistic Scenarios

In HATCH's realistic scenario, the actors involved in the company play themselves. The particular legal relevance of this case arises from the fact that the simulated SE attacks are aimed at real persons and their character traits. The question of legal reasonableness for the individual employee must be evaluated in light of Art. 2 par. 1 in conjunction with Art. 1 par. 1 of the German Constitution ("Grundgesetz", GG), which establishes the General Right of Personality ("Allgemeines Persönlichkeitsrecht", APR). As part of German constitutional law, the APR influences employment law, among other things, in the form of an ancillary obligation of the employer under the employment contract in accordance with § 241 par. 2 of the German Civil Code ("Bürgerliches Gesetzbuch", BGB).

On the employer's side, the freedom of occupation resulting from Art. 12 GG and the associated protection of entrepreneurial interests are at stake, likewise based on the indirect third-party effect of fundamental rights in private-law relationships. In principle, the employer must protect the employee from unlawful interference with his or her personal rights within the scope of the employer's obligations arising indirectly from the APR [13, BetrVG, p. 99, Rn. 106]. This also includes protection against potentially embarrassing measures that could have a negative impact on employees [6]. For an SE game in a realistic scenario in particular, there are risks that employees feel exposed or that the company's appreciation of them is diminished, that personal limits are exceeded because the game is experienced as a realistic situation, and that unforeseeable courses of the game arise from the group dynamics. It is questionable whether, in the specific case, the company's interest in running the game outweighs these risks, and whether compliance with the obligation under German IT security law is therefore to be classified as more important than employee protection. The principle applies here that in sectors and industries that are particularly security-relevant, gaps in corporate security certainly carry a high weight in the legal balancing of interests [9]. From this it can be concluded that, as a rule, the fictitious creation of a potentially employee-damaging environment, in which the real personality of the employee is exposed with respect to SE-relevant weak points, can hardly be justified in companies that are not particularly exposed by the potentially increased learning success of an awareness raising measure to promote IT security. The situation would be different for critical infrastructures with a high risk of attack, or for companies that have already been victims of SE incidents and for which a similar threat situation is also apparent for the future: here, the increased need for awareness-raising measures, as a factual link to the protection of employees and their jobs, could justify the feasibility of the measure, above all in the interest of the employee. A different legal assessment may also be required in the case of a threat analysis, since the methodology to be applied there requires that all weak points relevant to IT security in a company be determined, which necessarily includes the human factor.
3.2 Virtual Scenarios

In HATCH's virtual scenario, the SE attacks are played out using fictional characters and the imaginary role assignments associated with them. As in the realistic scenario, a legal balancing between the personal interests of the employee and the operational and economic interests of the employer must be carried out. A stigmatisation risk for the individual employee exists here only to the extent that technical or content-related knowledge gaps with regard to SE threats reveal personal deficits vis-à-vis the employer. However, this can be counteracted by training measures on SE prevention carried out before the game. Clearly formulated communication and game rules also help to ensure that situations of potential hostility, harassment or discrimination during the course of the game can be countered effectively in advance. Last but not least, the choice of fictional characters significantly reduces the degree of personality impairment, as the employee's inner structures and characteristics are not subject to play [10]. Likewise, in the fictional scenario HATCH offers a possibility to promote and support the personality development of the employees within the scope of the mandatory duty under § 75 par. 2 of the German Works Constitution Act ("Betriebsverfassungsgesetz", BetrVG). As in the realistic scenario, the game also enables the employer to protect the company from SE attacks by improving the awareness of its employees. As a result, the employer's interests generally outweigh those of the employee in the virtual game operation, so that the use of HATCH represents a conceivable alternative to the classic training measures in this area.
4 Discussion

In this section, we discuss how the results of our legal analysis can be generalised: first, which parts of the results can be transferred to other games; second, to what extent the results can be generalised to other (European) countries.
4.1 Generalisation to Other Games

All legal considerations above are specific to HATCH. Thus, in general one would need to carry out a legal assessment for each game individually. However, some general conclusions can be drawn, in particular from the comparison of the two scenario types. The analysis of the virtual scenario suggests that if, within the serious game, the employee's personal characteristics are not subject to play, the use of the serious game may be admissible if it is operated in a suitable manner². If the employee's personal characteristics are subject to play, as in the realistic scenario, a legal assessment is needed that considers the aim of the game (e.g. threat analysis) as well as the risk situation and the company's exposure to SE attacks in order to justify the feasibility of the game.

As a consequence, games which merely have a technical focus and do not consider human factors should be playable without the risk that the employees' personal characteristics become subject to play. For example, Elevation of Privilege [14, 15], which is based on the threat modeling method of [16], should work out fine as long as players focus on the system, its bugs and its features, as proposed in the game's instructions. Similar considerations hold for security-related variants of planning poker [17] such as Protection Poker [18, 19] and Security Tactic Planning Poker (SToPPER) [20].

Control-Alt-Hack [21–23], another tabletop card game about white hat hacking, is based on game mechanics with virtual personas (hackers), and fulfilling the missions in the game does not rely on the players' or employees' characteristics. Therefore, even though it includes attacks based on social engineering, we would consider it comparable to HATCH's virtual scenario, and thus conclude that there should be no major obstacles to playing it within a company.

We went through the descriptions of a number of educational security games, namely the Cyber Security Requirements Education Game (SREG) [24], the Cyber Security-Requirements Awareness Game (CSRAG) [25], the Harbour Protection Table-Top Exercise (HPT2E) [26, 27], Operation Digital Chameleon [28, 29], and Operation Digital Snake [30], but none of them makes use of the players' or employees' characteristics. On the other hand, all of them are intended for awareness raising or education, and none of them is intended for threat analysis. Thus, they are in line with the virtual scenario of HATCH, which also makes them rather unproblematic game candidates.

² E.g. taking care that no personal deficits vis-à-vis the employer are revealed, and applying clearly formulated communication and game rules.
4.2 Generalisation to Other Countries

All legal considerations made here are subject to German law. This is because in the EU, labour law is primarily regulated by the Member States themselves. Nevertheless, some general conclusions can be drawn. For example, some of the considerations in the legal analysis in this article are based on data protection regulations which are governed by EU law, in particular the GDPR. In many areas of EU law, as far as the processing of personal data is concerned, the focus is on balancing the interests of the data controller (in this case, the employer) against those of the persons whose personal data are processed (in this case, the employees). Thus, to the extent that operational IT security interests are weighed against individual data protection interests, the legal statements in this paper can certainly be generalised to a certain extent. In this respect, the legal balancing of interests carried out here can at least provide an indication of whether the use of HATCH in an operational context would also be legally permissible in other (European) countries.
5 Conclusion

While at first glance it seems legitimate to use a serious game for security training and awareness, our legal assessment showed large differences in the assessment of the two scenario types. If the employees' personal characteristics are part of the game, care needs to be taken not to expose the employees' personality unnecessarily. This holds even if the employees ask for or volunteer to play the scenario with a realistic environment, in which they would suggest social engineering attacks on each other. On the other hand, if the employer can demonstrate a reasonable interest, e.g. if the game is used for threat analysis, the use of the game with a realistic scenario may be admissible.

As future work, the legal assessment should be extended to other countries such as the US or other Member States of the EU.
This work was supported by the European Union's Horizon 2020 research and innovation programme through the project CyberSec4Europe (grant agreement number 830929) and the project THREAT-ARREST (grant agreement number 786890). We are thankful to Kristina Femmer for the graphical implementation of the scenario and the persona cards.
All URLs were last visited on February 12th, 2021.
References

[1] G. Bassett, C. D. Hylender, P. Langlois, A. Pinto, and S. Widup, Data Breach Investigations Report (2020).
[2] P. Schaab, K. Beckers, and S. Pape, A Systematic Gap Analysis of Social Engineering Defence Mechanisms Considering Social Psychology, in 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016, Frankfurt, Germany, July 19-21, 2016, Proceedings (2016).
[3] P. Schaab, K. Beckers, and S. Pape, Social Engineering Defence Mechanisms and Counteracting Training Strategies, Information and Computer Security 25, 206 (2017).
[4] T. Dimkov, A. Van Cleeff, W. Pieters, and P. Hartel, Two Methodologies for Physical Penetration Testing Using Social Engineering, in Proceedings of the 26th Annual Computer Security Applications Conference (2010), pp. 399–
[5] J. M. Hatfield, Virtuous Human Hacking: The Ethics of Social Engineering in Penetration-Testing, Computers & Security 83, 354 (2019).
[6] J. Kuhn and A. Willemsen, Arbeitsrechtliche Aspekte von Social Engineering Audits, DER BETRIEB 02, 111 (2016).
[7] M. Zimmer and A. Helle, Tests mit Tücke – Arbeitsrechtliche Anforderungen an Social Engineering Tests, Betriebs-Berater 21/2016, 1269 (2016).
[8] S. Stahl, Beyond Information Security Awareness Training: It's Time to Change the Culture, Information Security Management Handbook, Volume 3, 285 (2006).
[9] M. Bada, A. M. Sasse, and J. R. C. Nurse, Cyber Security Awareness Campaigns: Why Do They Fail to Change Behaviour?, CoRR abs/1901.02672.
[10] L. Donovan and P. Lead, The Use of Serious Games in the Corporate Sector, A State of the Art Report, Learnovate Centre (December 2012).
[11] K. Beckers, S. Pape, and V. Fries, HATCH: Hack and Trick Capricious Humans – a Serious Game on Social Engineering, in Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016 (2016).
[12] K. Beckers and S. Pape, A Serious Game for Eliciting Social Engineering Security Requirements, in Proceedings of the 24th IEEE International Conference on Requirements Engineering (IEEE Computer Society, 2016).
[13] Kreutz, GK-BetrVG, Bd. 2, 10th ed. (2014).
[14] A. Shostack, Elevation of Privilege: Drawing Developers into Threat Modeling, Microsoft (2012).
[15] A. Shostack, Elevation of Privilege: Drawing Developers into Threat Modeling, in 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14) (USENIX Association, San Diego, CA, 2014).
[16] A. Shostack, Threat Modeling: Designing for Security, 1st ed. (John Wiley & Sons Inc., 2014).
[17] K. Moløkken-Østvold, N. C. Haugen, and H. C. Benestad, Using Planning Poker for Combining Expert Estimates in Software Projects, Journal of Systems and Software 81, 2106 (2008).
[18] L. Williams, M. Gegick, and A. Meneely, Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer, in Proceedings of the International Symposium on Engineering Secure Software and Systems (Springer, 2009), pp. 122–134.
[19] L. Williams, A. Meneely, and G. Shipley, Protection Poker: The New Software Security "Game", IEEE Security & Privacy 8, 14 (2010).
[20] F. Osses, G. Márquez, C. Orellana, and H. Astudillo, Towards the Selection of Security Tactics Based on Non-Functional Requirements: Security Tactic Planning Poker, in 2017 36th International Conference of the Chilean Computer Science Society (SCCC) (IEEE, 2017), pp. 1–8.
[21] T. Denning, T. Kohno, and A. Shostack, Control-Alt-Hack: A Card Game for Computer Security Outreach and Education (Abstract Only), in The 44th ACM Technical Symposium on Computer Science Education, SIGCSE '13, Denver, CO, USA, March 6-9, 2013 (2013), p. 729.
[22] T. Denning, A. Lerner, A. Shostack, and T. Kohno, Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education, in 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4-8, 2013 (2013), pp. 915–
[23] T. Denning, A. Shostack, and T. Kohno, Practical Lessons from Creating the Control-Alt-Hack Card Game and Research Challenges for Games in Education and Research, in 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education, 3GSE '14, San Diego, CA, USA, August 18, 2014.
[24] A. Yasin, L. Liu, T. Li, J. Wang, and D. Zowghi, Design and Preliminary Evaluation of a Cyber Security Requirements Education Game (SREG), Information and Software Technology (2017).
[25] A. Yasin, L. Liu, T. Li, R. Fatima, and W. Jianmin, Improving Software Security Awareness Using a Serious Game, IET Software (2018).
[26] R. Kessel and N. Gwatkin, Harbour Protection Table-Top Exercise HPT2E: Contextual Read Ahead (2012).
[27] R. Kessel and N. Gwatkin, Harbour Protection Table-Top Exercise HPT2E, 20–23 March 2012, La Spezia: HPT2E Technologies and Platforms (2012).
[28] A. Rieb and U. Lechner, Towards Operation Digital Chameleon, in CRITIS 2016 – The 11th International Conference on Critical Information Infrastructures Security (to appear), edited by G. Havârneanu, R. Setola, H. Nassopoulos, and S. Wolthusen (Paris, 2016), pp. 1–6.
[29] A. Rieb and U. Lechner, Operation Digital Chameleon – Towards an Open Cybersecurity Method, in Proceedings of the 12th International Symposium on Open Collaboration (OpenSym 2016) (Berlin, 2016), pp. 1–10.
[30] A. Rieb, KMA Homepage Article about Operation Digital Snake Game (2018).
... Sect. A.1, A.2), a legal assessment of them [153] (cf. Sect. A. 10), and a structured method to generate appropriate scenarios to adapt HATCH to different domains [94] (cf. ...
... The generic version of the game aims to raise the players' awareness for social engineering threats and educate them on detecting this kind of attacks. In order to not unnecessarily expose and blame colleagues during a training session, it is based on a virtual scenario with personas as attack victims [153]. The initial scenario consists of a layout of a medium-sized office and ten employees as personas, printed on cards that contain fictional descriptions of them. ...
... Hatfield [93] discusses the ethics of social engineering penetration testing, and Kuhn and Willemsen [121] and Zimmer and Helle [220] discuss social engineering penetration testing from a legal perspective towards labor law. Therefore, we have investigated the legal challenges to make use of the game HATCH, and in particular the circumstances for HATCH's two different scenario types [153] . ...
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements, before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees’ awareness and to train them. Security Management: Specific requirements for small and medium sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider – the currently most popular form of outsourcing – is provided. Privacy Enhancing Technologies: Relevant factors for the users’ adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
... If they are, the organization needs a justification why a more gentle type of training without considering the employees' personal characteristics is not appropriate. This could be the case if the organization wants to conduct threat analysis, for example, because there already have been some incidents, or the organization is specifically exposed to social engineering attacks and wants to mitigate that [153]. ...
Technical Report
Full-text available
This report proposes a conceptual framework for the monitoring and evaluation of a cybersecurity awareness (CSA) program. In order to do so, it uses a nonsystematic or purposive literature review. Initially, it reviewed nine existing frameworks/models on CSA mainly to derive the skeleton (phases and sub-phases) of the framework. This is followed by a set of guidelines and practical advice in each phase and sub-phases of the framework that would be useful for the enhancement of a CSA program. The guidelines and advice on "what to do in each phase" as well as "what to expect in each phase" will be useful for CSA professionals, individuals, or organizations who intend to design a CSA program. In addition to this, the report also presents the evaluation criteria of two CSA mechanisms, which are posters and serious games.
... If they are, the organization needs a justification why a more gentle type of training without considering the employees' personal characteristics is not appropriate. This could be the case if the organization wants to conduct a threat analysis, for example because there already have been some incidents or the organization is specifically exposed social engineering attacks and wants to mitigate that [36]. ...
Serious games seem to be a good alternative to traditional trainings since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: The serious games should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluation of the serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness. On the one hand, because it is hard to measure security and privacy awareness. On the other hand, because both of these topics are currently often in the main stream media requiring to make sure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games the raised challenges are discussed and partially existing solutions are presented.
Technical Report
Full-text available
How corporates are exploiting serious games for training.
Full-text available
Context: Protecting people from cyber threats imposes great challenges, not only technically, but also socially. To achieve the intended level of awareness, software security principles need to be shown with concrete examples during security education. Objective: This study aims to design a serious game integrating software security knowledge and concepts into the processes to make it more engaging to learn while playing. Method: In this paper, we have: i) designed a serious game to compensate the deficiencies in the literature; ii) performed empirical evaluations including survey, brainstorming and observation to the proposed game. Results: Our study shows that: i) Cyber Security-Requirements Awareness Game (CSRAG) has a positive effect on players security learning outcomes, level of engagement and participation; ii) Game-based learning can be an effective way of teaching security related scenarios.
Conference Paper
Full-text available
To achieve security requirements in software design, software architects often adopt security tactics which provide mechanisms to detect, resist, react, and recover from attacks. Nevertheless, there are situations in which the selection of security tactics must be performed in a group manner involving practitioners with different profiles for a more accurate achieve ment of the security requirements. In this article we propose Security Tactic Planning Poker (SToPPER), a technique that allows stakeholders to interact with each other in order to select security tactics in group form. To validate our proposal, an empirical study was performed in a group of 9 subjects who were presented with three specific non-functional requirements (NFRs) of a particular project. The results revealed that the use of our technique allowed establishing a common basis for the use of security tactics, generating the interaction of all stakeholders involving quick familiarization; a good process of interaction and integration; and the possibility to quickly learn security tactics. At the same time, it was observed that: (1) the subjects performed involuntarily trade-offs between security tactics, and (2) subjects with greater experience selected security tactics with more foundation than the novice subjects.
This paper by Dr. Maria Bada and Professor Angela Sasse focuses on Security Awareness Campaigns, trying to identify factors which potentially lead to failure of these in changing the information security behaviours of consumers and employees. Past and current efforts to improve information security practices have not had the desired effect. In this paper, we explain the challenges involved in improving information security behaviours. Changing behaviour requires more than giving information about risks and correct behaviours: firstly, the people must be able to understand and apply the advice, and secondly, they must be willing to do so, and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour (e.g. theory of reasoned action, theory of planned behaviour, protection motivation theory). We review the suitability of persuasion techniques, including the widely used fear appeals. Essential components for an awareness campaign as well as factors which can lead to a campaign's failure are also discussed. In order to enact change, the current sources of influence, whether they are conscious or unconscious, personal, environmental or social, which are keeping people from enacting vital behaviours, need to be identified. Cultural differences in risk perceptions can also influence the maintenance of a particular way of life. Since the vast majority of behaviours are habitual, the change from existing habits to better information security habits requires support. Finally, we present examples of existing awareness campaigns in the U.K., Australia, Canada and Africa.
This paper offers a virtue ethics analysis of social engineering in penetration testing. It begins by considering previous research on this topic and argues that such attempts misconstrue or, more often, overlook this Aristotelian tradition. It articulates the core tenets of virtue ethics and applies them to an analysis of white hat social engineering. A virtue ethics analysis requires that individuals and the firms that initiate the penetration test be placed within a larger communal context which obligates individuals who are potential human hacking victims to participate in the constitution and flourishing of larger communities. As such, for virtue ethics consent is not a necessary condition for the positive ethical status of white hat social engineering. If methods are consistent with moderation (i.e. the golden mean), manipulation at lower orders within the hierarchy of communities can be justified if it can reasonably be understood as part of an individual's participatory obligation and the results of this participation are essential to ensure the eudaimonia of the larger community. Nevertheless, the golden mean requires that robust mitigation strategies lessen the degree of harm inflicted on social engineering victims. Where possible, a degree of consent should be attained as part of this mitigation. Finally, penetration-testing firms must be able to demonstrate that a robust ethical training program governs their use of social engineering.
The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. Although an awareness training program can impart information security knowledge, it rarely has a significant impact on people’s feelings about their responsibility for securing information or their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.
Context: Security, in the digitally connected organizational environments of today, involves many different perspectives, including social, physical, and technical factors. In order to understand the interactions among these correlated aspects and elicit potential threats geared towards a given organization, different security requirements analysis approaches are proposed in the literature. However, the body of knowledge is yet to unleash its full potential due to the complex nature of security problems, and inadequate ways to improve security awareness of key players in the organization. Objective: The objective of the research study is to improve the security awareness of players utilizing serious games via: (i) know-how of security concepts and security protection; (ii) a guided process of identifying valuable assets and vulnerabilities in a given organizational setting; (iii) a guided process of defining successful security attacks on the organization. Method: Important methods used to address the above objectives include: (i) a comprehensive review of the literature to better understand security and game design elements; (ii) designing a serious game using cyber security knowledge and game-based techniques combined with security requirements engineering concepts; (iii) using empirical evaluation (observation and survey) to verify the effectiveness of the proposed game design. Result: The solution proposed is a serious game for security requirements education, which: (i) can be an effective and fun way of learning security-related concepts; (ii) mimics a real-life problem setting in a presentable and understandable way; (iii) motivates players to learn more about security-related concepts in future. Conclusion: From this study, we conclude that the proposed Security Requirement Education Game (SREG) has positive results and is helpful for players of the game to get an understanding of security attacks and vulnerabilities.
Conference Paper
In the Serious Game "Operation Digital Chameleon", red and blue teams develop attack and defense strategies to explore the IT security of Critical Infrastructures as part of an IT security training. This paper presents the game design and selected results from the evaluation of the gaming experience, an analysis of attack vectors and defense strategies developed in gaming, and take-outs of game participants. Participants enjoy the experience, develop APTs with realistic complexity and even innovations, and take out the need for more information, more awareness training and cross-functional teams in IT security.
Purpose: This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinarity of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill the gaps. Design/methodology/approach: The authors conducted a literature review from the viewpoint of IT security and the viewpoint of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings. Findings: The authors analysed gaps in social engineering defences and mapped them to the underlying psychological principles of social engineering attacks, for example, social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies' bars against social engineering attacks. Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
Conference Paper
In the Serious Game Operation Digital Chameleon, red and blue teams develop attack and defense strategies to explore the IT security of Critical Infrastructures as part of an IT security training. Operation Digital Chameleon is the training game of the IT-Security Matchplay series in the IT-Security for Critical Infrastructure research program funded by the BMBF. We present the design of Operation Digital Chameleon in its current form as well as results from game #3. We analyze the potential and innovation capability of Operation Digital Chameleon as an Open Innovation method for the domain of IT security of Critical Infrastructures. We find that Operation Digital Chameleon facilitates creativity, opens the process of IT security strategy development and, despite being designed for training purposes, opens the process to explore innovative attack vectors.