
PROTECT – An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks

  • Conference paper
  • In: Computer Security (IOSEC 2019, MSTEC 2019, FINSEC 2019)

Abstract

Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies that defence mechanisms against fraud are useful to prevent social engineering as well. We tackle this problem by using and enhancing an existing online serious game to train employees to use defence mechanisms from social psychology. The game has shown promising tendencies towards raising awareness of social engineering in an entertaining way. Training is highly effective when it is adapted to the player's context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow adaptation to the player's context as well as integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.


Notes

  1. Threat Arrest homepage: https://www.threat-arrest.eu.

  2. https://www.threat-arrest.eu/.


Acknowledgements

This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 786890 (THREAT-ARREST).


Corresponding author

Correspondence to Sebastian Pape.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Goeke, L., Quintanar, A., Beckers, K., Pape, S. (2020). PROTECT – An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks. In: Fournaris, A., et al. Computer Security. IOSEC 2019, MSTEC 2019, FINSEC 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_11


  • DOI: https://doi.org/10.1007/978-3-030-42051-2_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42050-5

  • Online ISBN: 978-3-030-42051-2

  • eBook Packages: Computer Science, Computer Science (R0)
