Control-Alt-Hack: the design and evaluation of a card game for computer security awareness and education

We scoped, designed, produced, and evaluated the effectiveness of a recreational tabletop card game created to raise awareness of and alter perceptions regarding computer security. We discuss our process, the challenges that arose, and the decisions we made to address those challenges. As of May 2013, we have shipped approximately 800 free copies to 150 educators. We analyze and report on feedback from 22 of these educators about their experiences using Control-Alt-Hack with over 450 students in classroom and non-classroom contexts. The responses from the 14 educators who reported on their use of the game in a classroom context variously indicated that: their students' awareness of computer security as a complex and interesting field was increased (11/14); they would use the game again in their classroom (10/14); and they would recommend the game to others (13/14). Of note, 2 of the 14 classroom educators reported that they would not have otherwise covered the material. Additionally, we present results from user studies with 11 individuals and find that their responses indicate that 8 of the 11 had an increased awareness of computer security or a changed perception; furthermore, all of our intended goals are touched upon in their responses.
