Skip to main content
SpringerLink
Log in

myREACH: a serious game for measuring security awareness about ransomware

  • Published:
Multimedia Tools and Applications Aims and scope Submit manuscript

Abstract

Today, raising security awareness among users is one of the most effective preventive cybersecurity strategies. Generally, the current level of security awareness in the organization is measured through standard questionnaires. However, this method suffers from poor participant engagement and low precision due to the explicit evaluation and misunderstandings of the questions. To address these issues, we present a serious video game called “myREACH” to measure the player’s security awareness about ransomware. To the best of our knowledge, this is the first attempt to develop a serious game for measuring security awareness. myREACH has been compared to the standard questionnaire for measuring security awareness about ransomware, known as RSAM. The results obtained from a sample of 172 participants indicate that, in 3 out of 9 categories, the game and questionnaire measurements yield similar results. However, in 5 out of 9 categories, the game measurement is superior. For the remaining category, it is inconclusive whether the game or questionnaire assessment is better. Furthermore, self-report measurements indicate that the temporal and mental demands of playing myREACH and completing the RSAM are the same. The overall performance during playing myREACH is 9% better than completing the RSAM, and participants are 15% more satisfied with the game compared to the questionnaire.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14

Similar content being viewed by others

Data availability

data generated during and/or analysed during the current study are available from the corresponding author on reasonable request.

References

  1. Noorbehbahani F, Taghiyar A, Rezvani A (2023) RSAM: a questionnaire for Ransomware Security Awareness Measurement. J Comput Secur 10:1–16. https://doi.org/10.22108/JCS.2022.134927.1104

    Article  Google Scholar 

  2. Noorbehbahani F, Salehi F (2020) A serious game to extract Hofstede’s cultural dimensions at the individual level. User Model User-Adapt Interact. https://doi.org/10.1007/s11257-020-09280-6

  3. Choi BCK, Pak AWP (2005) A catalog of biases in questionnaires. Prev Chronic Dis 2:A13

    Google Scholar 

  4. Podsakoff PM, MacKenzie SB, Podsakoff NP (2012) Sources of method bias in social science research and recommendations on how to control it. Annu Rev Psychol 63:539–569. https://doi.org/10.1146/annurev-psych-120710-100452

    Article  Google Scholar 

  5. Fowler FJ (2013) Survey research methods (Applied Social Research methods), 5th edn. SAGE

  6. Dillman DA, Smyth JD, Christian LM (2014) Internet, phone, mail, and mixed-mode surveys: the tailored design method, 4th edn. Wiley

  7. Cook DA, Hatala R, Brydges R et al (2011) Technology-enhanced simulation for health professions education: a systematic review and meta-analysis. JAMA 306:978–988. https://doi.org/10.1001/jama.2011.1234

    Article  Google Scholar 

  8. Davis DA, Mazmanian PE, Fordis M et al (2006) Accuracy of physician self-assessment compared with observed measures of competence: a systematic review. JAMA 296:1094–1102. https://doi.org/10.1001/jama.296.9.1094

    Article  Google Scholar 

  9. Deterding S, Dixon D, Khaled R, Nacke L (2011) From game design elements to gamefulness: Defining gamification. Proc 15th Int Acad MindTrek Conf Envisioning Futur Media Environ MindTrek 2011, pp 9–15. https://doi.org/10.1145/2181037.2181040

  10. Gee J (2007) What video games have to teach us about learning and literacy, 2nd edn. St. Martin's Griffin

  11. Podsakoff PM, MacKenzie SB, Lee J-Y, Podsakoff NP (2003) Common method biases in behavioral research: a critical review of the literature and recommended remedies. J Appl Psychol 88:879

    Article  Google Scholar 

  12. Bitton R, Boymgold K, Puzis R, Shabtai A (2020) Evaluating the Information Security Awareness of Smartphone Users. In: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, New York, pp 1–13

  13. Tong T, Chignell M, Tierney MC et al (2016) A serious game for clinical assessment of cognitive status: validation study. JMIR Serious Games 4:e5006

    Article  Google Scholar 

  14. Hunicke R, Leblanc MG, Zubek R (2004) MDA: a formal approach to game design and game research. In: Proceedings of the AAAI Workshop on Challenges in Game AI

  15. Chou Y (2019) Actionable gamification: beyond points, badges, and leaderboards. Packt Publishing Ltd

  16. Fatih Y, Kumalija EJ, Sun Y (2018) Mobile learning based gamification in a history learning context. In: Sánchez IA, Isaias P (eds) International Association for Development of the Information Society. ERIC, Lisbon, pp 143–147

  17. Rooney P (2012) A theoretical framework for serious game design: exploring pedagogy, play and fidelity and their implications for the design process. Int J Game-Based Learn 2:41–60

    Article  Google Scholar 

  18. Ibrahim R, Jaafar A (2009) Educational games (EG) design framework: combination of game design, pedagogy and content modeling. In: 2009 International Conference on Electrical Engineering and Informatics,  pp 293–298

  19. Katsantonis NM, Kotini I, Fouliras P, Mavridis I (2019) Conceptual framework for developing cyber security serious games. In: 2019 IEEE Global Engineering Education Conference (EDUCON). pp 872–881

  20. Husain L (2011) Getting serious about math serious game design framework & an example of a math educational game. Lund University

  21. Yang C-C, Tseng S-S, Lee T-J et al (2012) Building an anti-phishing game to enhance network security literacy learning. In: 2012 IEEE 12th International Conference on Advanced Learning Technologies, pp 121–123

  22. Cone BD, Irvine CE, Thompson MF, Nguyen TD (2007) A video game for cyber security training and awareness. Comput Secur 26:63–72. https://doi.org/10.1016/j.cose.2006.10.005

    Article  Google Scholar 

  23. Jones J, Yuan X, Carr E, Yu H (2010) A comparative study of CyberCIEGE game and Department of Defense Information Assurance Awareness video. In: Proceedings of the IEEE SoutheastCon 2010 (SoutheastCon) pp 176–180

  24. Monk T, Van Niekerk J, von Solms R (2010) Sweetening the medicine: educating users about information security by means of game play. In: Proceedings of the 2010 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists, pp 193–200

  25. Gamagedara Arachchilage NA (2012) Security awareness of computer users: a game based learning approach. Brunel University

  26. Hendrix M, Al-Sherbaz A, Victoria B (2016) Game based cyber security training: are serious games suitable for cyber security training? Int J Serious Games 3:53–61

  27. Tioh J-N, Mina M, Jacobson DW (2017) Cyber security training a survey of serious games in cyber security. In: 2017 IEEE Frontiers in Education Conference (FIE), pp 1–5

  28. Sheng S, Magnien B, Kumaraguru P et al (2007) Anti-phishing phil: the design and evaluation of a game that teaches people not to fall for phish. In: Proceedings of the 3rd Symposium on Usable Privacy and Security, pp 88–99

  29. Alotaibi F, Furnell S, Stengel I, Papadaki M (2016) A review of using gaming technology for cyber-security awareness. Int J Inf Secur Res(IJISR) 6:660–666

    Google Scholar 

  30. Tupsamudre H, Wasnik R, Biswas S et al (2018) Gap: a game for improving awareness about passwords. In: Joint International Conference on Serious Games, pp 66–78

  31. CJ G, Pandit S, Vaddepalli S et al (2018) Phishy-a serious game to train enterprise users on phishing awareness. In: Proceedings of the 2018 Annual Symposium on Computer-human Interaction in Play Companion Extended Abstracts, pp 169–181

  32. Furuichi M, Aibara M (2019) A challenge of developing serious games to raise the awareness of cybersecurity issues. In: DiGRA Conference

  33. Hill WA Jr, Fanuel M, Yuan X et al (2020) A survey of serious games for cybersecurity education and training. In: SU Proceedings on Cybersecurity Education, Research and Practice

  34. Jayakrishnan GC, Sirigireddy GR, Vaddepalli S et al (2020) Passworld: A serious game to promote password awareness and diversity in an enterprise. In: Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), pp 1–18

  35. Lopes I, Morenets Y, Inácio PRM, Silva FGM (2018) Cyber-Detective—A game for cyber crime prevention. In: Proceedings of the Play2Learn, pp 175–191

  36. Kletenik D, Butbul A, Chan D et al (2021) Game on: teaching cybersecurity to novices through the use of a serious game. J Comput Sci Coll 36:11–21

    Google Scholar 

  37. Qusa H, Tarazi J (2021) Cyber-hero: A gamification framework for cyber security awareness for high schools students. In: 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC), pp 677–682

  38. Coenraad M, Pellicone A, Ketelhut DJ et al (2020) Experiencing Cybersecurity one game at a time: a systematic review of Cybersecurity Digital games. Simul Gaming 51:586–611. https://doi.org/10.1177/1046878120933312

    Article  Google Scholar 

  39. Hussain A, Kuhn K, Shaikh SA (2020) Games for Cybersecurity decision-making. In: Fang X (ed) HCI in games. Springer International Publishing, Cham, pp 411–423

    Chapter  Google Scholar 

  40. Veneruso SV, Ferro LS, Marrella A et al (2020) CyberVR: an interactive learning experience in virtual reality for cybersecurity related issues. In: Proceedings of the International Conference on Advanced Visual Interfaces, pp 1–8

  41. Sookhanaphibarn K, Choensawat W (2020) Educational Games for Cybersecurity Awareness. In: 2020 IEEE 9th Global Conference on Consumer Electronics (GCCE), pp 424–428

  42. Yamin MM, Katt B, Nowostawski M (2021) Serious games as a tool to model attack and defense scenarios for cyber-security exercises. Comput Secur 110:102450

    Article  Google Scholar 

  43. Gustafsson E (2022) Experience of immersion in serious games: a quantitative study of educational games in the field of cyber security. University of Skövde

  44. Chiasson S, Modi M, Biddle R (2011) Auction hero: The design of a game to learn and teach about computer security. In: E-Learn: World Conference on E-Learning in Corporate, Government, Healthcare, and Higher Education, pp 2201–2206

  45. Labuschagne WA, Burke I, Veerasamy N, Eloff MM (2011) Design of cyber security awareness game utilizing a social media framework. In: 2011 Information Security for South Africa. pp 1–9

  46. Yerby J, Hollifield S, Kwak M, Floyd K (2014) Development of serious games for teaching digital forensics. Issues Inf Syst 15:335–343

  47. Ghazvini A, Shukur Z (2017) A framework for an effective information security awareness program in healthcare. Int J Adv Comput Sci Appl 8:193–205

  48. Nicho M (2017) Modelling serous games for enhancing end user cyber security awareness. IADIS Int J Comput Sci Inf Syst 15:91–106

    Google Scholar 

  49. König JA, Wolf M (2022) Cybersecurity awareness training provided by the competence developing game GHOST. In: ACHI 2018: The Eleventh International Conference on Advances in Computer-Human Interactions pp 81–87

  50. Gupta S, Gupta MP, Chaturvedi M et al (2020) Guess who?-a serious game for cybersecurity professionals. In: International Conference on Games and Learning Alliance. pp 421–427

  51. Watson PF, Petrie A (2010) Method agreement analysis: a review of correct methodology. Theriogenology 73:1167–1179. https://doi.org/10.1016/j.theriogenology.2010.01.003

    Article  Google Scholar 

  52. Giavarina D (2015) Understanding bland altman analysis. Biochem Med 25:141–151

    Article  Google Scholar 

  53. Agresti A (2012) Categorical data analysis, 3rd edn. Wiley

  54. Hart SG, Staveland LE (1988) Development of NASA-TLX (Task Load Index): Results of empirical and theoretical research. Hum Ment Workload 52:139–183. https://doi.org/10.1016/S0166-4115(08)62386-9

Download references

Author information

Authors and Affiliations

  1. Faculty of Computer Engineering, University of Isfahan, Isfahan, Iran

    Fakhroddin Noorbehbahani

  2. Faculty of IT Engineering, Sheikh Bahaei University, Isfahan, Iran

    Anahita Taghiyar

Authors
  1. Fakhroddin Noorbehbahani
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anahita Taghiyar
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fakhroddin Noorbehbahani.

Ethics declarations

Ethical considerations

This study maintains anonymity and entails minimal risk to participants. We have not collected personally identifiable information, and the procedures involve completing questionnaires and participating in a serious game. Furthermore, participation in our study was voluntary, and informed consent was obtained from all participants. The focus of our research is on comparing two assessment instruments rather than implementing sensitive or potentially harmful interventions.

Conflict of interest

The authors declare that they have no conflict of interest.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix

Appendix

Please see Tables 16 and 17.

Table 16 21 defined variables and the corresponding RSAM-E questionnaire items [1]
Full size table
Table 17 NASA Task Load Index selected items [54]
Full size table

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Noorbehbahani, F., Taghiyar, A. myREACH: a serious game for measuring security awareness about ransomware. Multimed Tools Appl (2024). https://doi.org/10.1007/s11042-024-19341-2

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s11042-024-19341-2

Keywords

Search

Navigation