Securix: a 3D game-based learning approach for phishing attack awareness

ABSTRACT: The majority of Internet users lack the anti-phishing skills needed to identify a phishing attack. This paper introduces a 3D-game prototype named Securix, which simplifies and exaggerates real-life scenarios and conveys different game design principles. Securix is divided into three levels, depicted as scenarios, namely URL, E-mail and Website, which address different types of phishing attack. 3D characters and tools were designed to be imported into the game engine, using the C# programming language for scripting. A Technology Acceptance Model was used to evaluate the game. To ascertain the liability and acceptability of this design, 50 questionnaires were administered. The results revealed perceived usefulness to be a more significant determinant of adoption of Securix than all the other variables. All the relationships between Perceived Ease Of Use (PEOU), Perceived Usefulness (PU), Attitude Towards Using (ATU), and Actual Usage of the System (AUOS) were tested and found to be significant and positive. Analysis of the questionnaire revealed that PU was a strong predictor of actual usage, with ninety-five percent (95%) of users, as compared to PEOU, which was sixty-eight percent (68%), and AUOS, which had a result of seventy-four percent (74%). The overall game design enhances the user’s avoidance behaviour through motivation to protect themselves against phishing threats.
