Abstract
Serious games seem to be a good alternative to traditional trainings, since they are supposed to be more entertaining and engaging. However, serious games also create specific challenges: they should not only be adapted to specific target groups, but also be capable of addressing recent attacks. Furthermore, evaluating serious games turns out to be challenging. While this already holds for serious games in general, it is even more difficult for serious games on security and privacy awareness. On the one hand, this is because security and privacy awareness are hard to measure. On the other hand, both topics are currently often covered in the mainstream media, so one has to make sure that a measured change really results from the game session. This paper briefly introduces three serious games to counter social engineering attacks and one serious game to raise privacy awareness. Based on the introduced games, the raised challenges are discussed and partially existing solutions are presented.
Keywords
- Serious games
- Security awareness
- Privacy awareness
- Social engineering
Acknowledgements
This work was supported by the European Union's Horizon 2020 research and innovation program through the project CyberSec4Europe (grant agreement number 830929) and the project THREAT-ARREST (grant agreement number 786890). We are also grateful to Kristina Femmer for designing plans and persona cards for HATCH.
© 2022 IFIP International Federation for Information Processing
Cite this paper
Pape, S. (2022). Challenges for Designing Serious Games on Security and Privacy Awareness. In: Friedewald, M., Krenn, S., Schiering, I., Schiffner, S. (eds) Privacy and Identity Management. Between Data Protection and Security. Privacy and Identity 2021. IFIP Advances in Information and Communication Technology, vol 644. Springer, Cham. https://doi.org/10.1007/978-3-030-99100-5_1
DOI: https://doi.org/10.1007/978-3-030-99100-5_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-99099-2
Online ISBN: 978-3-030-99100-5
eBook Packages: Computer Science, Computer Science (R0)
Published in cooperation with
http://www.ifip.org/