Chapter

Challenges for Designing Serious Games on Security and Privacy Awareness

Authors:
  • Continental Automotive Technologies GmbH

Abstract

Serious games seem to be a good alternative to traditional training since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: they should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluating serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness. On the one hand, security and privacy awareness are hard to measure. On the other hand, both topics are currently prominent in the mainstream media, so one has to make sure that a measured change really results from the game session rather than from outside influences. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games, the raised challenges are discussed and partially existing solutions are presented.
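The evaluation problem the abstract raises (did the awareness score move because of the game, or because the same attacks were in the news that week?) is the standard confound a pre/post measurement without a control arm cannot resolve. The following is an added example, not code from the paper or from any of the games it describes, of the minimal design that does resolve it: a game group and a control group that sees the same news cycle but no game, scored before and after on the same awareness scale, with the game effect estimated as the difference between the two groups' changes and tested with a permutation test. All scores are constructed sample data; the scale range and group sizes are assumptions.

```python
"""Added example: separating a serious game's effect on an awareness score
from concurrent media influence with a pre/post control-group design.
Every number below is constructed sample data, not a result from any study."""
import random
from statistics import mean

# Constructed sample data (assumption: a summed 16-item Likert awareness scale,
# range 16..80, like the SeBIS-style instruments cited later on this page).
# The game group played the serious game between the two measurements; the
# control group did not, but lived through the same news cycle.
GAME_PRE = [44, 47, 41, 50, 46, 43, 48, 45, 42, 49]
GAME_POST = [55, 57, 52, 58, 56, 53, 59, 54, 51, 58]
CTRL_PRE = [45, 43, 48, 46, 44, 47, 42, 49, 46, 45]
CTRL_POST = [49, 46, 53, 50, 47, 52, 46, 54, 50, 48]


def change_scores(pre, post):
    """Per-participant post minus pre; pre and post are paired by index."""
    if len(pre) != len(post):
        raise ValueError("pre and post must be paired per participant")
    return [b - a for a, b in zip(pre, post)]


def mean_change(pre, post):
    return mean(change_scores(pre, post))


def difference_in_differences(game_pre, game_post, ctrl_pre, ctrl_post):
    """Estimated game effect = (game post - pre) - (control post - pre).

    A plain pre/post comparison of the game group alone would attribute the
    control group's change (media coverage, regression to the mean, retest
    familiarity) to the game; subtracting it leaves only what the game added.
    """
    return mean_change(game_pre, game_post) - mean_change(ctrl_pre, ctrl_post)


def permutation_p_value(game_pre, game_post, ctrl_pre, ctrl_post,
                        rounds=5000, seed=1):
    """One-sided permutation test of the difference-in-differences.

    Under the null hypothesis that the game adds nothing beyond the control
    trend, the 'game' and 'control' labels are exchangeable, so we shuffle
    the pooled change scores and count how often a random split produces a
    difference at least as large as the observed one.
    """
    observed = difference_in_differences(game_pre, game_post, ctrl_pre, ctrl_post)
    pooled = change_scores(game_pre, game_post) + change_scores(ctrl_pre, ctrl_post)
    n_game = len(game_pre)
    rng = random.Random(seed)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        stat = mean(pooled[:n_game]) - mean(pooled[n_game:])
        if stat >= observed:
            hits += 1
    # +1 correction keeps the estimate away from an over-confident zero.
    return (hits + 1) / (rounds + 1)


def evaluate(game_pre=GAME_PRE, game_post=GAME_POST,
             ctrl_pre=CTRL_PRE, ctrl_post=CTRL_POST):
    """Return the three numbers an evaluation report needs."""
    return {
        "naive_game_change": mean_change(game_pre, game_post),
        "control_change": mean_change(ctrl_pre, ctrl_post),
        "game_effect": difference_in_differences(game_pre, game_post, ctrl_pre, ctrl_post),
        "p_value": permutation_p_value(game_pre, game_post, ctrl_pre, ctrl_post),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value:.4f}")
```

In the constructed data the game group gains 9.8 points on average, but 4.0 of those points also appear in the control group, so the defensible claim is a 5.8-point effect, not 9.8. The same design, with the group assignment randomised, is what a reviewer would expect before accepting that a change in HAIS-Q or SeBIS scores came from the game session.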


... To date, several proposals for educational interventions on privacy have been presented, with or without constructive and playful features. These interventions range from software tools that monitor the flow of personal data (Enck et al. 2014; Hatamian et al. 2017), applications that provide personalized advice on good privacy practices (Ghazinour et al. 2016) and interactive software tools that enhance users' awareness (Aktypi et al. 2017; Tadic et al. 2018) to playful activities aimed at mobilizing the player and informing her about information privacy and personal data protection (Cetto et al. 2014; Pape 2022; Raynes-Goldie and Allen 2014; Suknot et al. 2014). Researchers argue that traditional privacy awareness interventions, such as lectures and presentations on privacy policies, are not always effective in practice (Lavranou and Tsohou 2019; Soumelidou and Tsohou 2021). ...
... Social4School is a game in which children interact in a simulation of a social networking site; its main goal is to enhance their perception of privacy issues and to make them aware of the protection of their own and others' personal data (Bioglio et al. 2019). Leech is an adventure computer game that aims to enhance players' understanding and knowledge of privacy policies through quest-solving gameplay (Pape 2022). ...
Chapter
Full-text available
Creating educational interventions to enhance information privacy awareness is at the heart of research, as the protection of personal data and privacy is increasingly of concern to internet users. However, although existing efforts have interactive and exploratory features, they are not sufficiently supported by a theoretical learning framework, such as constructivism. In addition, they do not target specific learning outcomes to prepare competent users to protect their own privacy and personal data. Based on the requirements of the Constructivist Information Privacy Pedagogy and the Information Privacy Competency Model for Citizens, we claim that escape rooms are the ideal constructive educational interventions, and we propose an indicative scenario for an escape room oriented towards specific competences for the internet user.
Keywords: Constructivism; Privacy competences; Serious games; Escape rooms
Article
Full-text available
Abstract: It is generally accepted that the management of a company has a legal obligation to maintain and operate IT security measures as part of the company's own compliance; this includes training employees with regard to social engineering attacks. On the other hand, the question arises whether and how the employee must tolerate the associated measures, since, for example, social engineering penetration testing can be very intrusive.
Thesis
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed. Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees' awareness and to train them. Security Management: Specific requirements for small and medium sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider, currently the most popular form of outsourcing, is provided. Privacy Enhancing Technologies: Relevant factors for users' adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
Chapter
Full-text available
In social engineering (SE), attackers try to influence victims so as to provoke and exploit a particular behaviour in order to obtain sensitive information. According to the current dataset of the Data Breach Investigations Report [1], 43% of all data breaches involve an SE attack. The SE attack is often the first step of a larger attack, in which the attacker uses the information gained there for further attacks. At present, companies mainly have two strategies to fend off SE attacks. On the one hand, they can commission penetration testers who, as "benign hackers", attack the employees and are supposed to find weaknesses in the process. Unfortunately, this approach is not entirely unproblematic. Experiments have shown that it can also demotivate employees when they are confronted with the results of the test. Moreover, such a test can infringe on employees' personal rights, so there are numerous labour-law requirements for SE penetration tests [2, 3]. On the other hand, companies can run courses and security awareness trainings in which employees are made aware of social engineering threats. These courses are often mandatory but have no lasting effect [4]. A third option is serious games, i.e. games that pursue a serious goal in addition to entertainment. These can be used, for example, in awareness trainings to alert employees to possible IT security threats. HATCH: One of the serious games described is HATCH (see Figure 1), which improves employees' understanding of SE [5]. The game can also be used to produce a list of possible SE threats that can serve to improve security [6].
Depending on the goal, the game is played with an invented (virtual) scenario or with a (realistic) scenario that maps the real working environment. Virtual scenarios: When HATCH is used for training and awareness purposes, virtual scenarios are used. These consist of a floor plan of a department or company (see Figure 2, left) and, for each employee shown in the plan, a persona card that sketches that employee's basic characteristics (see Figure 2, right). The players' task is to devise, on the basis of the cards drawn, an attack that is as plausible as possible and exploits the peculiarities of the employees present in the game. The attack found is then rated for plausibility by the other players.
Conference Paper
Full-text available
Social engineering is the clever manipulation of the human tendency to trust in order to acquire information assets. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Traditional penetration testing approaches often focus on vulnerabilities in network or software systems; few approaches even consider the exploitation of humans via social engineering. While the number of social engineering attacks and the damage they cause rise every year, the defences against social engineering do not evolve accordingly. However, tools exist for social engineering intelligence gathering, i.e. the gathering of information about possible victims that can be used in an attack. We survey these tools and present an overview of their capabilities. We conclude that attackers have a wide range of intelligence gathering tools at their disposal, which increases the likelihood of future attacks and allows even users without technical skills to apply these tools.
Article
Full-text available
Online privacy literacy is regarded in media-psychology research as an important factor influencing privacy behaviour in online environments. However, a scale for measuring this literacy has been lacking. The aim of this work was therefore to develop and validate a comprehensive scale for measuring online privacy literacy. In preliminary work, the dimensions of the construct were identified by means of a qualitative content analysis (Trepte et al., 2015). Building on this, a 20-item scale was developed from 113 knowledge questions, covering four knowledge domains: knowledge about 1) institutional practices, 2) technical aspects of data protection, 3) data protection law and 4) data protection strategies. The results of three consecutive studies support a bi-factor model in which the global factor reflects online privacy literacy. Construct and criterion validity were examined using a quota sample of German internet users (N = 1,945): the global factor correlated positively with participants' subjective assessment of their own competence and proved to be an adequate predictor of the implementation of various data protection measures. More information is available at www.oplis.de
Conference Paper
Full-text available
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually covered by penetration tests, such systems remain highly vulnerable to attacks from social engineers who exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people by teaching them how these attacks work and how to detect them. We propose a serious game that helps players understand how social engineering attackers work. The game can be played based on the real scenario in the company or department, or based on a generic office scenario with personas that can be attacked. Our game trains people to recognise social engineering attacks in an entertaining way, which shall cause a lasting learning effect.
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that rely heavily on non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering, and none of them elicits personal behaviours of individual employees. While the number of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remain negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that rely heavily on non-technical means. While the technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional penetration testing approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering. While the number of social engineering attacks and the damage they cause rise every year, the defences against social engineering do not evolve accordingly. Hence, employees' awareness of these attacks remains low. We examined the psychological principles of social engineering and which psychological techniques induce resistance to persuasion applicable to social engineering. The techniques examined are enhancement of persuasion knowledge, attitude bolstering and influencing decision making. While research exists elaborating on security awareness, the integration of resistance against persuasion has not been done. Therefore, we analysed current defence mechanisms and provide a gap analysis based on research in social psychology. Based on our findings we provide guidelines on how to improve social engineering defence mechanisms such as security awareness programs.
Conference Paper
Full-text available
Despite the plethora of security advice and online education materials offered to end-users, there exists no standard measurement tool for end-user security behaviors. We present the creation of such a tool. We surveyed the most common computer security advice that experts offer to end-users in order to construct a set of Likert scale questions to probe the extent to which respondents claim to follow this advice. Using these questions, we iteratively surveyed a pool of 3,619 computer users to refine our question set such that each question was applicable to a large percentage of the population, exhibited adequate variance between respondents, and had high reliability (i.e., desirable psychometric properties). After performing both exploratory and confirmatory factor analysis, we identified a 16-item scale consisting of four sub-scales that measures attitudes towards choosing passwords, device securement, staying up-to-date, and proactive awareness.
Conference Paper
Full-text available
Stagnating growth in our educational systems has piqued interest in alternative teaching methods such as the inclusion of "serious games" into curricula. In response to those needs, a series of educational games has been developed in accordance with pre-engineering programs such as Project Lead the Way (PLTW). The focus of development is on creating an engaging, educational environment by balancing fun and learning whilst meeting the standards of commercial-level games. In this paper, we present methods, and the implementation of those methods, for serious game design that accommodates the integration of game mechanics with learning. We focus on narrative-learning synthesis, on supplementing the player's actions with feedback, and on the development of a sufficient guidance system without compromising the entertainment or education aspects of a game. Student-based evaluations of the game's realism and of the utility and usability of the learning tools in promoting students' interest and learning are also presented, based on game deployment in both in- and out-of-school settings.
Conference Paper
Full-text available
This paper arises from work ongoing in GALA (Games and Learning Alliance, the Network of Excellence for Serious Games). As part of GALA, a comprehensive state-of-the-art analysis of existing serious games for the business and industry domain (loosely defined) was undertaken. A categorisation of the identified serious games was developed in order to analyse their characteristics: the aspects they cover and those they do not. Of primary importance were the simulation level, topic and skills mediated by the identified serious games. The "simulation level" means the level or amount of the world that is simulated in the simulation or serious game. This is a hierarchy starting with the World/God/Universe level, in which whole worlds are simulated, for example in games such as Civilization. The hierarchy then proceeds downwards from nation, industry, inter-organisational, business/organisation, intra-organisational/processes, group/team, discipline and techniques to games addressing the individual. Second, the skills to be transferred by the serious game were also analysed. From this, an analysis of the gaps in coverage of serious games was carried out, leading to the identification of opportunities for, and recommendations of, serious games to be developed for the business and industry domain.
Article
Full-text available
It is increasingly acknowledged that many threats to an organisation's computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to outline the conceptual development of the HAIS-Q, including validity and reliability testing. The second aim was to examine the relationship between knowledge of policy and procedures, attitude towards policy and procedures, and behaviour when using a work computer. Results from 500 Australian employees indicate that knowledge of policy and procedures had a stronger influence on attitude towards policy and procedures than on self-reported behaviour. This finding suggests that training and education will be more effective if they outline not only what is expected (knowledge) but also provide an understanding of why this is important (attitude). Plans for future research to further develop and test the HAIS-Q are outlined.
Conference Paper
Full-text available
This paper reviews peer-reviewed empirical studies on gamification. We create a framework for examining the effects of gamification by drawing from the definitions of gamification and the discussion on motivational affordances. The literature review covers results, independent variables (examined motivational affordances), dependent variables (examined psychological/behavioral outcomes from gamification), the contexts of gamification, and types of studies performed on the gamified systems. The paper examines the state of current research on the topic and points out gaps in existing literature. The review indicates that gamification provides positive effects, however, the effects are greatly dependent on the context in which the gamification is being implemented, as well as on the users using it. The findings of the review provide insight for further studies as well as for the design of gamified systems.
Conference Paper
Full-text available
Personas are a popular technique in User-Centered Design; however, their validity can be called into question. While the techniques used to develop personas and their integration with other design activities provide some measure of validity, a persona's legitimacy can be threatened by challenging its characteristics. This note presents Persona Cases: personas whose characteristics are both grounded in, and traceable to, their originating source of empirical data. This approach builds on the premise that sense-making in qualitative data analysis is an argumentative activity, and aligns concepts associated with a Grounded Theory analysis with recent work on arguing the characteristics of personas. We illustrate this approach using a case study in the Critical Infrastructure Protection domain.
Conference Paper
Full-text available
Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester directly interacts with the employees. These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust toward the organization, and might lead to lawsuits and loss of productivity. We propose two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies have been validated by a set of penetration tests performed over a period of two years.
Conference Paper
Emerging technologies are facilitating our daily activities and driving the digital transformation. The Internet of Things (IoT) and 5G communications will provide a wide range of new applications and business opportunities, but with a wide and quite complex attack surface. Many users are not aware of the underlying threats and most of them do not possess the knowledge to set up and operate the various digital assets securely. Therefore, cyber security training is becoming mandatory both for ordinary users and for security experts. Cyber ranges constitute an advanced training technique where trainees gain hands-on experience in a safe virtual environment, which can be a realistic digital twin of an actual system. This paper presents the cyber range platform THREAT-ARREST. Its design is fully model-driven and offers all modern training features (i.e. emulation, simulation, serious games, and fabricated data). The platform has been evaluated in the smart energy, intelligent transportation, and healthcare domains.
Conference Paper
Most privacy policies are incomprehensible and largely unreadable. As a consequence, most users do not bother to read them. We propose Leech, a serious game developed in a students' project for learning about the contents and structure of privacy policies, so that users get a rough understanding of what to expect in privacy policies. Leech is an adventure game in which the player has to solve quests to complete the game. Two of the tasks are implemented as mini games to allow more complexity. Two pre-tests led to promising results and we intend to quantitatively evaluate the game in the next step by investigating players' online privacy literacy, demographics, values on privacy policies, actions within the game, and their in-game experience.
Poster
Most privacy policies are incomprehensible and largely unreadable. As a consequence, most users do not bother to read them. We propose Leech, a serious game developed in a students' project for learning about the contents and structure of privacy policies, so that users get a rough understanding of what to expect in privacy policies. Leech is an adventure game in which the player has to solve quests to complete the game. Two of the tasks are implemented as mini games to allow more complexity. Two pre-tests led to promising results and we intend to quantitatively evaluate the game in the next step by investigating players' online privacy literacy, demographics, values on privacy policies, actions within the game, and their in-game experience.
Chapter
While social engineering is still a recent threat, many organisations address it only by using traditional trainings, penetration tests, standardized security awareness campaigns or serious games. Existing research has shown that methods for raising employees' awareness are more effective if adjusted to their target audience. For that purpose, we propose the creation of specific scenarios for serious games by considering the specifics of the respective organisation. Based on the work of Faily and Flechais [11], who created personas utilizing grounded theory, we demonstrate how to develop a specific scenario for HATCH [4], a serious game on social engineering. Our method for adapting a scenario of a serious game on social engineering resulted in a realistic scenario and thus was effective. Since the method is also very time-consuming, we propose future work to investigate whether the effort can be reduced.
Chapter
Recent approaches to raise security awareness have improved a lot in terms of user-friendliness and user engagement. However, since social engineering attacks on employees are evolving fast, new variants arise very rapidly. To deal with recent changes, our serious game CyberSecurity Awareness Quiz provides a quiz on recent variants to make employees aware of new attacks or attack variants in an entertaining way. While the gameplay of a quiz is more or less generic, the core of our contribution is a concept to create questions and answers based on current affairs and attacks observed in the wild.
Chapter
Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. The approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem by using and enhancing an existing online serious game to train employees to use defence mechanisms from social psychology. The game has shown promising tendencies towards raising awareness of social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow adaptation to the player's context as well as integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather qualitative feedback.
Article
This paper by Dr. Maria Bada and Professor Angela Sasse focuses on Security Awareness Campaigns, trying to identify factors which potentially lead to their failure to change the information security behaviours of consumers and employees. Past and current efforts to improve information security practices have not had the desired effect. In this paper, we explain the challenges involved in improving information security behaviours. Changing behaviour requires more than giving information about risks and correct behaviours: firstly, people must be able to understand and apply the advice, and secondly, they must be willing to do so, and the latter requires changes to attitudes and intentions. These antecedents of behaviour change are identified in several psychological models of behaviour (e.g. theory of reasoned action, theory of planned behaviour, protection motivation theory). We review the suitability of persuasion techniques, including the widely used fear appeals. Essential components for an awareness campaign as well as factors which can lead to a campaign's failure are also discussed. In order to enact change, the current sources of influence, whether conscious or unconscious, personal, environmental or social, which are keeping people from enacting vital behaviours, need to be identified. Cultural differences in risk perceptions can also influence the maintenance of a particular way of life. Since the vast majority of behaviours are habitual, the change from existing habits to better information security habits requires support. Finally, we present examples of existing awareness campaigns in the UK, Australia, Canada and Africa.
Article
This paper offers a virtue ethics analysis of social engineering in penetration testing. It begins by considering previous research on this topic and argues that such attempts misconstrue or, more often, overlook this Aristotelian tradition. It articulates the core tenets of virtue ethics and applies them to an analysis of white hat social engineering. A virtue ethics analysis requires that individuals and the firms that initiate the penetration test be placed within a larger communal context which obligates individuals who are potential human hacking victims to participate in the constitution and flourishing of larger communities. As such, for virtue ethics consent is not a necessary condition for the positive ethical status of white hat social engineering. If methods are consistent with moderation (i.e. the golden mean), manipulation at lower orders within the hierarchy of communities can be justified if it can reasonably be understood as part of an individual's participatory obligation and the results of this participation are essential to ensure the eudaimonia of the larger community. Nevertheless, the golden mean requires that robust mitigation strategies lessen the degree of harm inflicted on social engineering victims. Where possible, a degree of consent should be attained as part of this mitigation. Finally, penetration testing firms must be able to demonstrate that a robust ethical training program governs their use of social engineering.
Chapter
The effectiveness of an information security program ultimately depends upon the behavior of people. Behavior, in turn, depends upon what people know, how they feel, and what their instincts tell them to do. Although an awareness training program can impart information security knowledge, it rarely has a significant impact on people’s feelings about their responsibility for securing information or their deeper security instincts. The result is often a gap between the dictates of information security policy and the behaviors of our people.
Conference Paper
In the Serious Game "Operation Digital Chameleon", red and blue teams develop attack and defense strategies to explore the IT security of critical infrastructures as part of an IT security training. This paper presents the game design and selected results from the evaluation of the gaming experience, an analysis of the attack vectors and defense strategies developed during play, and the takeaways of game participants. Participants enjoy the experience, develop APTs with realistic complexity and even innovations, and take away the need for more information, more awareness training and cross-functional teams in IT security.
Article
Purpose: This paper aims to outline strategies for defence against social engineering that are missing in the current best practices of information technology (IT) security. The reason for the incomplete training techniques in IT security is the interdisciplinarity of the field. Social engineering focuses on exploiting human behaviour, and this is not sufficiently addressed in IT security. Instead, most defence strategies are devised by IT security experts with a background in information systems rather than human behaviour. The authors aim to outline this gap and point out strategies to fill it. Design/methodology/approach: The authors conducted a literature review from the viewpoints of IT security and of social psychology. In addition, they mapped the results to outline gaps, analysed how these gaps could be filled using established methods from social psychology, and discussed the findings. Findings: The authors analysed gaps in social engineering defences and mapped them to the underlying psychological principles of social engineering attacks, for example social proof. Furthermore, the authors discuss which type of countermeasure proposed in social psychology should be applied to counteract which principle. The authors derived two training strategies from these results that go beyond the state-of-the-art trainings in IT security and allow security professionals to raise companies' bars against social engineering attacks. Originality/value: The training strategies outline how interdisciplinary research between computer science and social psychology can lead to a more complete defence against social engineering by providing reference points for researchers and IT security professionals with advice on how to improve training.
Conference Paper
In the serious game Operation Digital Chameleon red and blue teams develop attack and defense strategies to explore the IT security of critical infrastructures as part of an IT security training. Operation Digital Chameleon is the training game of the IT-Security Matchplay series in the IT-Security for Critical Infrastructure research program funded by the BMBF. We present the design of Operation Digital Chameleon in its current form as well as results from game #3. We analyze the potential and innovation capability of Operation Digital Chameleon as an Open Innovation method for the domain of IT security of critical infrastructures. We find that Operation Digital Chameleon facilitates creativity, opens the process of IT security strategy development and, despite being designed for training purposes, opens the process to exploring innovative attack vectors.
Article
A general lack of awareness about computer security contributes to the insecurity of new consumer technologies. We seek to increase people's prioritization of computer security and their understanding of the variety of attacks and technologies that can be vulnerable to compromise. We work towards this goal via fun: more specifically, via a recreational tabletop card game where people play as white hat hackers. In this paper, we describe our goals and experiences in creating this card game. We licensed a game mechanic from a hobbyist game company, worked with graphic designers and illustrators, and rewrote card text to make the game about working as a computer security professional. We discuss the possibilities for expanding the educational benefits of this game, both in and out of the classroom. We conclude by inviting others to engage in this outreach space by creating games or other enticing and novel artifacts to increase awareness and appreciation of the complexities and impact of computer security on people's daily lives.
Conference Paper
In this poster, we present Control-Alt-Hack: White Hat Hacking for Fun and Profit, a card game for computer security outreach and education. A general lack of awareness about computer security contributes to the insecurity of new consumer technologies. We seek to increase people's prioritization of computer security and their understanding of the variety of attacks and technologies that can be vulnerable to compromise. We work towards this goal via a recreational tabletop card game where people play as white hat hackers, using their characters' skills to perform a variety of hacking Missions. We licensed a game mechanic from a hobbyist game company, worked with graphic designers and illustrators, and rewrote card text to make the game about working as a computer security professional. Visit www.controlalthack.com for supplementary educational materials and to request free educator copies.
Conference Paper
We scoped, designed, produced, and evaluated the effectiveness of a recreational tabletop card game created to raise awareness of, and alter perceptions regarding, computer security. We discuss our process, the challenges that arose, and the decisions we made to address those challenges. As of May 2013, we have shipped approximately 800 free copies to 150 educators. We analyze and report on feedback from 22 of these educators about their experiences using Control-Alt-Hack with over 450 students in classroom and non-classroom contexts. The responses from the 14 educators who reported on their use of the game in a classroom context variously indicated that: their students' awareness of computer security as a complex and interesting field was increased (11/14); they would use the game again in their classroom (10/14); and they would recommend the game to others (13/14). Of note, 2 of the 14 classroom educators reported that they would not have otherwise covered the material. Additionally, we present results from user studies with 11 individuals and find that their responses indicate that 8 of the 11 had an increased awareness of computer security or a changed perception; furthermore, all of our intended goals are touched upon in their responses.
Article
The US Naval Postgraduate School and University of Washington each independently developed informal security-themed tabletop games. [d0x3d!] is a board game in which players collaborate as white-hat hackers, tasked to retrieve a set of valuable digital assets held by an adversarial network. Control-Alt-Hack is a card game in which three to six players act as white-hat hackers at a security consulting company. These games employ modest pedagogical objectives to expose broad audiences to computer security topics.
References

Gondree, M., Peterson, Z.N.J.: Valuing security by getting [d0x3d!]: Experiences with a network security board game. In: Kanich, C., Sherr, M. (eds.) 6th Workshop on Cyber Security Experimentation and Test (CSET '13), Washington, D.C., USA, August 12, 2013. USENIX Association (2013), https://www.usenix.org/conference/cset13/workshop-program/presentation/gondree

Denning, T., Shostack, A., Kohno, T.: Practical lessons from creating the Control-Alt-Hack card game and research challenges for games in education and research. In: Peterson, Z.N.J. (ed.) 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE '14), San Diego, CA, USA, August 18, 2014. USENIX Association (2014), https://www.usenix.org/conference/3gse14/summit-program/presentation/denning

Faklaris, C., Dabbish, L.A., Hong, J.I.: A self-report measure of end-user security attitudes (SA-6). In: Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pp. 61-77 (2019)

Liao, S.: The CIA made a Magic: The Gathering-style card game for training agents, and we played it. The Verge (May 2018), https://www.theverge.com/2018/5/21/17374054/cia-collect-it-all-declassified-training-tabletop-card-game

Papadaki, M., Furnell, S., Dodge, R.C.: Social engineering: Exploiting the weakest links. European Network and Information Security Agency (ENISA), Heraklion, Crete (2008)

Pape, S., Schmitz, C., Kipker, D.K., Sekula, A.: On the use of information security management systems by German energy providers. Presented at the Fourteenth IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection (March 2020)

Saleh, T.: CovidLock update: Deeper analysis of coronavirus Android ransomware. DomainTools blog (2020), https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware

Zimmer, M., Helle, A.: Tests mit Tücke: Arbeitsrechtliche Anforderungen an Social Engineering Tests [Tests with a catch: Labour-law requirements for social engineering tests]. Betriebs-Berater 21/2016, p. 1269 (2016)

Shostack, A.: Elevation of Privilege: Drawing developers into threat modeling. Technical report, Microsoft, Redmond, WA, USA (2012), http://download.microsoft.com/download/F/A/E/FAE1434F-6D22-4581-9804-8B60C04354E4/EoP_Whitepaper.pdf

Goeke, L., Quintanar, A., Beckers, K., Pape, S.: PROTECT: An easy configurable serious game to train employees against social engineering attacks. In: Fournaris, A.P., Athanatos, M., Lampropoulos, K., Ioannidis, S., Hatzivasilis, G., Damiani, E., Abie, H., Ranise, S., Verderame, L., Siena, A., Garcia-Alfaro, J. (eds.) Computer Security: ESORICS 2019 International Workshops, IOSec, MSTEC, and FINSEC, Luxembourg City, Luxembourg, September 26-27, 2019, Revised Selected Papers. LNCS, vol. 11981, pp. 156-171. Springer International Publishing, Cham (2019), https://link.springer.com/chapter/10.1007/978-3-030-42051-2_11