Hacked Time: Design and Evaluation of a Self-Efficacy Based Cybersecurity Game

A major reason why people don't use security tools online is that they perceive them as difficult and challenging, resulting in the lack of self-efficacy. Previous research has looked at improving user security attitude and practices through a variety of interventions, including transformational games. These games, targeted at improving security attitude and promoting change through gameplay, offer a new perspective on cybersecurity education. In this research we present the design and evaluation of Hacked Time, a desktop game that uses an integrative approach that incorporates Bandura's self-efficacy design framework to improve player self-efficacy. Using a randomized control trial (n=178), we demonstrate that our game is effective in improving player's security attitude and self-efficacy for using cybersecurity tools. We discuss how our design pattern can serve as an exemplar to enhance player self-efficacy in other fields.

[1]  James W. Moore,et al.  What Is the Sense of Agency and Why Does it Matter? , 2016, Front. Psychol..

[2]  P. Backlund,et al.  Designing for Self-Efficacy in a Game Based Simulator: An Experimental Study and Its Implications for Serious Games Design , 2008, 2008 International Conference Visualisation.

[3]  Josephine Anstey,et al.  Agency and the "Emotion Machine" , 2005, International Conference on Virtual Storytelling.

[4]  Jessica Hammer,et al.  Design Features in Games for Health: Disciplinary and Interdisciplinary Expert Perspectives , 2017, Conference on Designing Interactive Systems.

[5]  A. Bandura Self-efficacy: toward a unifying theory of behavioral change. , 1977, Psychological review.

[6]  Katherine Isbister,et al.  Designing games for learning: insights from conversations with designers , 2010, CHI.

[7]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[8]  D. Schunk,et al.  Risk Taking: Theoretical, Empirical, and Educational Considerations , 1991 .

[9]  Young U. Ryu,et al.  Self-efficacy in information security: Its influence on end users' information security practice behavior , 2009, Comput. Secur..

[10]  Mohammad Maifi Hasan Khan,et al.  Why Do They Do What They Do?: A Study of What Motivates Users to (Not) Follow Computer Security Advice , 2016, SOUPS.

[11]  Ben Shneiderman,et al.  Designing the User Interface: Strategies for Effective Human-Computer Interaction , 1998 .

[12]  Gautam Biswas,et al.  LEARNING BY TEACHING: A NEW AGENT PARADIGM FOR EDUCATIONAL SOFTWARE , 2005, Appl. Artif. Intell..

[13]  P. Curran Methods for the detection of carelessly invalid responses in survey data , 2016 .

[14]  Elissa M. Redmiles,et al.  How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior , 2016, CCS.

[15]  Timothy W. Bickmore,et al.  Using an interactive visual novel to promote patient empowerment through engagement , 2012, FDG.

[16]  Dominik Petko,et al.  Learning with serious games: Is fun playing the game a predictor of learning success? , 2016, Br. J. Educ. Technol..

[17]  Wayne G. Lutters,et al.  "It's Scary...It's Confusing...It's Dull": How Cybersecurity Advocates Overcome Negative Perceptions of Security , 2018, SOUPS @ USENIX Security Symposium.

[18]  Tracy Fullerton,et al.  Game Design Workshop: A Playcentric Approach to Creating Innovative Games, Third Edition , 2014 .

[19]  Sunny Consolvo,et al.  "...No one Can Hack My Mind": Comparing Expert and Non-Expert Security Practices , 2015, SOUPS.

[20]  J. P. Morgan,et al.  Design and Analysis: A Researcher's Handbook , 2005, Technometrics.

[21]  P. Briggs,et al.  Behavior Change Interventions for Cybersecurity , 2017 .

[22]  Victoria Bloom,et al.  Game Based Cyber Security Training: are Serious Games suitable for cyber security training? , 2016, Int. J. Serious Games.

[23]  I. Rosenstock,et al.  The Role of Self-Efficacy in Achieving Health Behavior Change , 1986, Health education quarterly.

[24]  Xuequn Wang,et al.  "Security begins at home": Determinants of home computer and mobile device security behavior , 2017, Comput. Secur..

[25]  Hein de Vries,et al.  Self-efficacy: the third factor besides attitude and subjective norm as a predictor of behavioural intentions , 1988 .

[26]  Lorrie Faith Cranor,et al.  Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish , 2007, SOUPS '07.

[27]  Cass R. Sunstein,et al.  Nudging: A Very Short Guide , 2014, How Change Happens.

[28]  Jonathan P. Rowe,et al.  Story-Based Learning: The Impact of Narrative on Learning Experiences and Outcomes , 2008, Intelligent Tutoring Systems.

[29]  R. Landers,et al.  An Evaluation of Gamified Training: Using Narrative to Improve Reactions and Learning , 2017 .

[30]  D. Das,et al.  PhishGuard: A browser plug-in for protection from phishing , 2008, 2008 2nd International Conference on Internet Multimedia Services Architecture and Applications.

[31]  A. L. Baylor,et al.  A Social-Cognitive Framework for Pedagogical Agents as Learning Companions , 2006 .

[32]  Michael Eagle,et al.  Audience Participation Games: Blurring the Line Between Player and Spectator , 2017, Conference on Designing Interactive Systems.

[33]  P. Wouters,et al.  A meta-analysis of the cognitive and motivational effects of serious games , 2013 .

[34]  R. Joseph,et al.  Applying Psychological Theories to Promote Long-Term Maintenance of Health Behaviors , 2016, American journal of lifestyle medicine.

[35]  Laura A. Dabbish,et al.  Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation , 2014, CCS.

[36]  Maria Papadaki,et al.  A Review of Using Gaming Technology for Cyber-Security Awareness , 2016 .

[37]  David J. Hauser,et al.  Attentive Turkers: MTurk participants perform better on online attention checks than do subject pool participants , 2015, Behavior Research Methods.

[38]  Laura A. Dabbish,et al.  The Effect of Social Influence on Security Sensitivity , 2014, SOUPS.

[39]  Robert LaRose,et al.  Online safety begins with you and me: Convincing Internet users to protect themselves , 2015, Comput. Hum. Behav..

[40]  Robert LaRose,et al.  Understanding online safety behaviors: A protection motivation theory perspective , 2016, Comput. Secur..

[41]  Laura A. Dabbish,et al.  Privacy Attitudes of Mechanical Turk Workers and the U.S. Public , 2014, SOUPS.

[42]  A. Bandura Perceived self-efficacy in the exercise of control over AIDS infection , 1990 .

[43]  K Witte,et al.  Predicting risk behaviors: development and validation of a diagnostic scale. , 1996, Journal of health communication.

[44]  Jessica Hammer,et al.  Playtesting with a Purpose , 2016, CHI PLAY.

[45]  James M. Boyle,et al.  A systematic literature review of empirical evidence on computer games and serious games , 2012, Comput. Educ..

[46]  Jason R. C. Nurse,et al.  Cyber Security Awareness Campaigns: Why do they fail to change behaviour? , 2014, ArXiv.

[47]  Nalin Asanka Gamagedara Arachchilage,et al.  Building Confidence not to be Phished Through a Gamified Approach: Conceptualising User's Self-Efficacy in Phishing Threat Avoidance Behaviour , 2018, 2019 Cybersecurity and Cyberforensics Conference (CCC).

[48]  P. Dolan,et al.  Influencing behaviour: The mindspace way , 2012 .

[49]  Shian-Shyong Tseng,et al.  The mediating effect of anti-phishing self-efficacy between college students' internet self-efficacy and anti-phishing behavior and gender difference , 2016, Comput. Hum. Behav..

[50]  Laura A. Dabbish,et al.  Self-Efficacy-Based Game Design to Encourage Security Behavior Online , 2019, CHI Extended Abstracts.

[51]  Karen Tanenbaum,et al.  Commitment to Meaning: A Reframing of Agency in Games , 2009 .

[52]  Laura A. Dabbish,et al.  A Self-Report Measure of End-User Security Attitudes (SA-6) , 2019, SOUPS @ USENIX Security Symposium.

[53]  Xitong Guo,et al.  User acceptance of mobile health services from users’ perspectives: The role of self-efficacy and response-efficacy in technology acceptance , 2017, Informatics for health & social care.