Exploring and Evaluating Different Game Mechanics for Anti-Phishing Learning Games

Anti-phishing learning games are a promising approach to teaching end-users about phishing, as they offer a scalable and engaging environment for active learning. Existing games have been criticized for their limited game mechanics, which do not allow for detailed assessment of the players' acquired knowledge and instead focus mostly on remembering or understanding factual and conceptual knowledge. To extend the research field, this paper presents the design and evaluation of two new anti-phishing learning games: the first game implements an extended classification mechanic to better assess the player's decision process, while the second game implements a different game mechanic, which requires players to combine URL parts to construct their own phishing URLs. We compare the games with each other and with a baseline implementation that uses binary decisions similar to existing games in a user study with 133 participants. The study shows that, while all three games lead to performance increases, neither of the new games offers significant improvements over the baseline. Furthermore, results of a longitudinal test three months after playing the games show that knowledge can be retained, as participants still perform significantly better than before playing either one of the games.
