Abstract
Today, raising security awareness among users is one of the most effective preventive cybersecurity strategies. Generally, the current level of security awareness in the organization is measured through standard questionnaires. However, this method suffers from poor participant engagement and low precision due to the explicit evaluation and misunderstandings of the questions. To address these issues, we present a serious video game called “myREACH” to measure the player’s security awareness about ransomware. To the best of our knowledge, this is the first attempt to develop a serious game for measuring security awareness. myREACH has been compared to the standard questionnaire for measuring security awareness about ransomware, known as RSAM. The results obtained from a sample of 172 participants indicate that, in 3 out of 9 categories, the game and questionnaire measurements yield similar results. However, in 5 out of 9 categories, the game measurement is superior. For the remaining category, it is inconclusive whether the game or questionnaire assessment is better. Furthermore, self-report measurements indicate that the temporal and mental demands of playing myREACH and completing the RSAM are the same. The overall performance during playing myREACH is 9% better than completing the RSAM, and participants are 15% more satisfied with the game compared to the questionnaire.
Data availability
Data generated during and/or analysed during the current study are available from the corresponding author on reasonable request.
Ethics declarations
Ethical considerations
This study maintains anonymity and entails minimal risk to participants. We have not collected personally identifiable information, and the procedures involve completing questionnaires and participating in a serious game. Furthermore, participation in our study was voluntary, and informed consent was obtained from all participants. The focus of our research is on comparing two assessment instruments rather than implementing sensitive or potentially harmful interventions.
Conflict of interest
The authors declare that they have no conflict of interest.
About this article
Cite this article
Noorbehbahani, F., Taghiyar, A. myREACH: a serious game for measuring security awareness about ransomware. Multimed Tools Appl (2024). https://doi.org/10.1007/s11042-024-19341-2
DOI: https://doi.org/10.1007/s11042-024-19341-2