Abstract
Social engineering is the clever manipulation of the human element to acquire information assets. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. The challenge in defeating social engineering is that it is a deceptive process that exploits human beings. Methods employed in social engineering do not differ much from those used to perform traditional fraud. This implies the applicability of defense mechanisms against the latter to the context of social engineering. Taking this problem into consideration, we designed a serious game that trains people against social engineering using defense mechanisms of social psychology. The results of our empirical evaluation of the game indicate that the game is able to raise awareness for social engineering in an entertaining way.
Acknowledgements
This research has been partially supported by the Federal Ministry of Education and Research Germany (BMBF) with project grant number 16KIS0240.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Aladawy, D., Beckers, K., Pape, S. (2018). PERSUADED: Fighting Social Engineering Attacks with a Serious Game. In: Furnell, S., Mouratidis, H., Pernul, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2018. Lecture Notes in Computer Science, vol 11033. Springer, Cham. https://doi.org/10.1007/978-3-319-98385-1_8
DOI: https://doi.org/10.1007/978-3-319-98385-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98384-4
Online ISBN: 978-3-319-98385-1
eBook Packages: Computer Science, Computer Science (R0)