PERSUADED: Fighting Social Engineering Attacks with a Serious Game

  • Dina Aladawy
  • Kristian Beckers
  • Sebastian Pape (corresponding author)
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11033)

Abstract

Social engineering is the deliberate manipulation of people in order to obtain access to information assets. Even where the technical security of critical systems is strong, those systems remain vulnerable to social engineers, because the attack is a deceptive process aimed at human beings rather than at technology. The methods used in social engineering differ little from those used in traditional fraud, which suggests that the defense mechanisms developed against fraud can be applied to social engineering as well. Building on this observation, we designed a serious game that trains people to resist social engineering using defense mechanisms drawn from social psychology. The results of our empirical evaluation indicate that the game raises awareness of social engineering in an entertaining way.

Keywords

Security controls · Social psychology · Gamification

Notes

Acknowledgements

This research has been partially supported by the Federal Ministry of Education and Research Germany (BMBF) with project grant number 16KIS0240.


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Dina Aladawy (1)
  • Kristian Beckers (1, 3)
  • Sebastian Pape (2, 3), corresponding author

  1. Institute of Informatics, Technische Universität München (TUM), Garching, Germany
  2. Faculty of Economics and Business Administration, Goethe University Frankfurt, Frankfurt am Main, Germany
  3. Social Engineering Academy (SEA) GmbH, Frankfurt am Main, Germany