PERSUADED: Fighting Social Engineering Attacks with a Serious Game
Social engineering is the deliberate manipulation of people to obtain access to information assets. While the technical security of most critical systems is high, those systems remain vulnerable to attacks by social engineers. The challenge in defending against social engineering is that it is a deceptive process that exploits human beings rather than technical flaws. The methods employed in social engineering do not differ much from those used in traditional fraud, which suggests that the defense mechanisms developed against fraud also apply to social engineering. Taking this into consideration, we designed a serious game that trains people against social engineering using defense mechanisms from social psychology. The results of our empirical evaluation of the game indicate that it raises awareness of social engineering in an entertaining way.
Keywords: Security controls; Social psychology; Gamification
This research has been partially supported by the Federal Ministry of Education and Research Germany (BMBF) with project grant number 16KIS0240.