Security questions education: exploring gamified features and functionalities

Purpose: Security questions are one of the techniques used to recover forgotten passwords. However, they have both security and memorability limitations. To limit their security weaknesses, users need to choose stronger answers. Since serious games can motivate users to change their security behaviour, the purpose of this paper is to explore the features and functionalities that users would require in a serious game that educates them to provide stronger answers to security questions.

Design/methodology/approach: A lab study was conducted to collect users' feedback on the desired game features and functionalities. In Stage 1, participants selected security questions and answers. In Stage 2, participants played a game and evaluated its usability and the features provided.

Findings: Most participants found the current features and functionalities desirable. Socially oriented functionalities (e.g. getting help from other players) were not considered desirable, because users feared that their acquaintances could gain access to their security questions.

Originality/value: This research recommends that designers of serious games for security education should: use intrinsic rewards to motivate users to have a better learning experience; provide easier challenges during the training period and harder challenges only once the game determines that users have learned to play it; and design their games for mobile devices, because even users who do not usually play games would play a security education game on a mobile device.
