Skip to main content

Sebastian Pape, Dennis-Kenji Kipker

Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy


It is generally accepted that the management of a company has a legal obligation to maintain and operate IT security measures as part of the company’s own compliance – this includes training employees with regard to social engineering attacks. On the other hand, the question arises whether and how the employee must tolerate associated measures, as for example social engineering penetration testing can be very intrusive.

This is a preview of subscription content, access via your institution.


  1. G. Bassett, C. D. Hylender, P. Langlois, A. Pinto, and S. Widup, Data Breach Investigations Report, (2020).

  2. P. Schaab, K. Beckers, and S. Pape, A Systematic Gap Analysis of Social Engineering Defence Mechanisms Considering Social Psychology, in 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016, Frankfurt, Germany, July 19-21, 2016, Proceedings. (2016).

  3. P. Schaab, K. Beckers, and S. Pape, Social Engineering Defence Mechanisms and Counteracting Training Strategies, Information and Computer Security 25, 206 (2017).

    Article  Google Scholar 

  4. T. Dimkov, A. Van Cleeff, W. Pieters, and P. Hartel, Two Methodologies for Physical Penetration Testing Using Social Engineering, in Proceedings of the 26th Annual Computer Security Applications Conference (2010), pp. 399–408.

    Google Scholar 

  5. J. M. Hatfield, Virtuous Human Hacking: The Ethics of Social Engineering in Penetration-Testing, Computers & Security 83, 354 (2019).

    Article  Google Scholar 

  6. J. Kuhn and A. Willemsen, Arbeitsrechtliche Aspekte von Social Engineering Audits, DER BETRIEB 02, 111 (2016).

    Google Scholar 

  7. M. Zimmer and A. Helle, Tests Mit Tücke – Arbeitsrechtliche Anforderungen an Social Engineering Tests, Betriebs-Berater 21/2016, 1269 (2016).

    Google Scholar 

  8. S. Stahl, Beyond Information Security Awareness Training: It’s Time to Change the Culture, Information Security Management Handbook, Volume 3 3, 285 (2006).

    Google Scholar 

  9. M. Bada, A. M. Sasse, and J. R. C. Nurse, Cyber Security Awareness Campaigns: Why Do They Fail to Change Behaviour?, CoRR abs/1901.02672, (2019).

  10. L. Donovan and P. Lead, The Use of Serious Games in the Corporate Sector, A State of the Art Report. Learnovate Centre (December 2012) (2012).

  11. K. Beckers, S. Pape, and V. Fries, HATCH: Hack and Trick Capricious Humans – a Serious Game on Social Engineering, in Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016 (2016).

  12. K. Beckers and S. Pape, A Serious Game for Eliciting Social Engineering Security Requirements, in Proceedings of the 24th IEEE International Conference on Requirements Engineering (IEEE Computer Society, 2016).

  13. Kreutz, GK-BetrVG, Bd. 2, 10th ed. (2014).

  14. A. Shostack, Elevation of Privilege: Drawing Developers into Threat Modeling, Microsoft, 2012.

  15. A. Shostack, Elevation of Privilege: Drawing Developers into Threat Modeling, in 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3gse 14) (USENIX Association, San Diego, CA, 2014).

  16. A. Shostack, Threat Modeling: Designing for Security, 1st ed. (John Wiley & Sons Inc., 2014).

    Google Scholar 

  17. K. Moløkken-Østvold, N. C. Haugen, and H. C. Benestad, Using Planning Poker for Combining Expert Estimates in Software Projects, Journal of Systems and Software 81, 2106 (2008).

    Article  Google Scholar 

  18. L. Williams, M. Gegick, and A. Meneely, Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer, in Proceedings of International Symposium on Engineering Secure Software and Systems (Springer, 2009), pp. 122–134.

  19. L. Williams, A. Meneely, and G. Shipley, Protection Poker: The New Software Security “Game”, Security Privacy, IEEE 8, 14 (2010).

  20. F. Osses, G. Márquez, C. Orellana, and H. Astudillo, Towards the Selection of Security Tactics Based on Non-Functional Requirements: Security Tactic Planning Poker, in 2017 36th International Conference of the Chilean Computer Science Society (SCCC) (IEEE, 2017), pp. 1–8.

  21. T. Denning, T. Kohno, and A. Shostack, Control-Alt-Hack: A Card Game for Computer Security Outreach and Education (Abstract Only), in The 44th ACM Technical Symposium on Computer Science Education, SIGCSE ’13, Denver, CO, USA, March 6-9, 2013 (2013), p. 729.

  22. T. Denning, A. Lerner, A. Shostack, and T. Kohno, Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education, in 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4-8, 2013 (2013), pp. 915–928.

  23. T. Denning, A. Shostack, and T. Kohno, Practical Lessons from Creating the Control-Alt-Hack Card Game and Research Challenges for Games in Education and Research, in 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education, 3gse ’14, San Diego, CA, USA, August 18, 2014. (2014).

  24. A. Yasin, L. Liu, T. Li, J. Wang, and D. Zowghi, Design and Preliminary Evaluation of a Cyber Security Requirements Education Game (SREG), Information and Software Technology (2017).

  25. A. Yasin, L. Liu, T. Li, R. Fatima, and W. Jianmin, Improving Software Security Awareness Using a Serious Game, IET Software (2018).

  26. R. Kessel and N. Gwatkin, Harbour Protection Table-Top Exercise Hpt2e: Contextual Read Ahead., (2012).

  27. R. Kessel and N. Gwatkin, Harbour Protection Table – Top Exercise Hpt2e 20 – 23 March 2012, La Spezia: Hpt2e Technologies and Platforms, (2012).

  28. A. Rieb and U. Lechner, Towards Operation Digital Chameleon, in CRITIS 2016 – the 11th International Conference on Critical Information Infrastructures Security (to Appear), edited by G. Havârneanu, R. Setola, H. Nassopoulos, and S. Wolthusen (Paris, 2016), pp. 1–6.

  29. A. Rieb and U. Lechner, Operation Digital Chameleon – Towards an Open Cybersecurity Method, in Proceedings of the 12th International Symposium on Open Collaboration (OpenSym 2016) (Berlin, 2016), pp. 1–10.

  30. A. Rieb, KMA Homepage Article about Operation Digital Snake Game, (2018).

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Dennis-Kenji Kipker.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kipker, DK., Pape, S. Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy. Datenschutz Datensich 45, 310–314 (2021).

Download citation

  • Published:

  • Issue Date:

  • DOI: