Abstract
The incidence of cybersecurity attacks utilizing social engineering techniques has increased. Such attacks exploit the fact that in every secure system, there is at least one individual with the means to access sensitive information. Since it is easier to deceive a person than it is to bypass the defense mechanisms in place, these types of attacks have gained popularity. This situation is exacerbated by the fact that people are more likely to take risks in their passive form, i.e., risks that arise due to the failure to perform an action. Passive risk has been identified as a significant threat to cybersecurity. To address these threats, there is a need to strengthen individuals’ information security awareness (ISA). Therefore, we developed ConGISATA - a continuous gamified ISA training and assessment framework based on embedded mobile sensors; a taxonomy for evaluating mobile users’ security awareness served as the basis for the sensors’ design. ConGISATA’s continuous and gradual training process enables users to learn from their real-life mistakes and adapt their behavior accordingly. ConGISATA aims to transform passive risk situations (as perceived by an individual) into active risk situations, as people tend to underestimate the potential impact of passive risks. Our evaluation of the proposed framework demonstrates its ability to improve individuals’ ISA, as assessed by the sensors and in simulations of common attack vectors.
Appendix
1.1 List of Articles and Blog Posts
As described in Sect. 5.3, we collected 32 publicly available relevant educational articles and blog posts to use in the experiment (the blog posts and articles are listed in Table 5). The items for the ConGISATA group are listed first, with their corresponding ISA taxonomy criterion ID, and do not include a comprehensiveness grade. The items for the baseline group, which include a comprehensiveness grade, are listed after the bold horizontal line.
1.2 Passive Score Delta by Criterion
Figure 6 shows the average score deltas for the groups per criterion, as a function of the number of days since the experiment started.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Cohen, O., Bitton, R., Shabtai, A., Puzis, R. (2024). ConGISATA: A Framework for Continuous Gamified Information Security Awareness Training and Assessment. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_22
DOI: https://doi.org/10.1007/978-3-031-51479-1_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51478-4
Online ISBN: 978-3-031-51479-1
eBook Packages: Computer Science; Computer Science (R0)