Advertisement

PROTECT – An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11981)

Abstract

Social engineering is the clever manipulation of human trust. While most security protection focuses on technical aspects, organisations remain vulnerable to social engineers. Approaches employed in social engineering do not differ significantly from the ones used in common fraud. This implies defence mechanisms against the fraud are useful to prevent social engineering, as well. We tackle this problem using and enhancing an existing online serious game to train employees to use defence mechanisms of social psychology. The game has shown promising tendencies towards raising awareness for social engineering in an entertaining way. Training is highly effective when it is adapted to the players context. Our contribution focuses on enhancing the game with highly configurable game settings and content to allow the adaption to the player’s context as well as the integration into training platforms. We discuss the resulting game with practitioners in the field of security awareness to gather some qualitative feedback.

Keywords

Security controls Social psychology Serious games Fraud prevention Security training 

Notes

Acknowledgements

This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 786890 (THREAT-ARREST).

References

  1. 1.
    Aladawy, D., Beckers, K., Pape, S.: PERSUADED: fighting social engineering attacks with a serious game. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 103–118. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-98385-1_8. ISBN 978-3-319-98384-4CrossRefGoogle Scholar
  2. 2.
    Bakhshi, T., Papadaki, M., Furnell, S.: A practical assessment of social engineering vulnerabilities. In: HAISA, pp. 12–23 (2008)Google Scholar
  3. 3.
    BBC: How to hack people (2002). news.bbc.co.uk/2/hi/technology/2320121.stm
  4. 4.
    Beckers, K., Pape, S.: A serious game for eliciting social engineering security requirements. In: Proceedings of the 24th IEEE International Conference on Requirements Engineering (RE 2016). IEEE Computer Society (2016).  https://doi.org/10.1109/RE.2016.39
  5. 5.
    Beckers, K., Pape, S., Fries, V.: HATCH: hack and trick capricious humans - a serious game on social engineering. In: Proceedings of the 2016 British HCI Conference, 11–15 July 2016, Bournemouth, United Kingdom (2016). http://ewic.bcs.org/content/ConWebDoc/56973
  6. 6.
    Dimensional Research: The Risk of Social Engineering on Information Security: A Survey of IT Profesionals (2011). http://docplayer.net/11092603-The-risk-of-social-engineering-on-information-security.html
  7. 7.
    Ferreira, A., Coventry, L., Lenzini, G.: Principles of persuasion in social engineering and their use in phishing. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2015. LNCS, vol. 9190, pp. 36–47. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-20376-8_4CrossRefGoogle Scholar
  8. 8.
    Gondree, M., Peterson, Z.N.J., Denning, T.: Security through play. IEEE Secur. Priv. 11(3), 64–67 (2013)CrossRefGoogle Scholar
  9. 9.
    Greitzer, F.L., Kuchar, O.A., Huston, K.: Cognitive science implications for enhancing training effectiveness in a serious gaming context. J. Educ. Resour. Comput. 7(3), 2 (2007)CrossRefGoogle Scholar
  10. 10.
    Irvine, C.E., Thompson, M.F., Allen, K.: CyberCIEGE: gaming for information assurance. IEEE Secur. Priv. 3(3), 61–64 (2005)CrossRefGoogle Scholar
  11. 11.
    Manske, K.: An introduction to social engineering. Inf. Syst. Secur. 9(5), 1–7 (2000)CrossRefGoogle Scholar
  12. 12.
    Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley, Hoboken (2011)Google Scholar
  13. 13.
    Newbould, M., Furnell, S.: Playing safe: a prototype game for raising awareness of social engineering. In: Australian Information Security Management Conference, p. 4 (2009)Google Scholar
  14. 14.
    Olanrewaju, A.S.T., Zakaria, N.H.: Social engineering awareness game (SEAG): an empirical evaluation of using game towards improving information security awareness. In: Proceedings of the 5th International Conference on Computing and Informatics (ICOCI 2015) (2015)Google Scholar
  15. 15.
  16. 16.
    Schaab, P., Beckers, K., Pape, S.: A systematic gap analysis of social engineering defence mechanisms considering social psychology. In: Proceedings of the 10th International Symposium on Human Aspects of Information Security & Assurance (HAISA 2016), 19–21 July 2016, Frankfurt, Germany (2016). http://www.cscan.org/openaccess/?paperid=301
  17. 17.
    Schaab, P., Beckers, K., Pape, S.: Social engineering defence mechanisms and counteracting training strategies. Inf. Comput. Secur. 25(2), 206–222 (2017).  https://doi.org/10.1108/ICS-04-2017-0022CrossRefGoogle Scholar
  18. 18.
    Shostack, A.: Threat Modeling: Designing for Security, 1st edn. Wiley, Hoboken (2014)Google Scholar
  19. 19.
    Stajano, F., Wilson, P.: Understanding scam victims: seven principles for systems security. Commun. ACM 54(3), 70–75 (2011).  https://doi.org/10.1145/1897852.1897872. http://doi.acm.org/10.1145/1897852.1897872CrossRefGoogle Scholar
  20. 20.
    Williams, L., Meneely, A., Shipley, G.: Protection poker: the new software security “game”. IEEE Secur. Priv. 8(3), 14–20 (2010)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Social Engineering Academy (SEA) GmbHFrankfurt am MainGermany
  2. 2.Faculty of Economics and Business AdministrationGoethe University FrankfurtFrankfurt am MainGermany

Personalised recommendations