Integrating self-efficacy into a gamified approach to thwart phishing attacks

Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempting to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attack), the social engineering, and online identity theft (phishing). One such cyber threat, which is particularly dangerous to computer users is phishing. Phishing is well known as online identity theft, which targets to steal victims sensitive information such as username, password and online banking details. Automated anti-phishing web browser plugin tools have been developed and used to alert users of potential fake emails and websites. However, these tools are not completely reliable in detecting and protecting people from phishing attacks. This is because the “humans are the weakest link” in information security. It is not possible to completely circumvent the end-user, for example, in personal computer use, one mitigating approach for computer and information security is to educate the end-user in security prevention. Educational researchers and industry experts talk about well-designed user security education can be effective. However, we know to our cost no-one talks about how to better design security education (i.e. user-centered security education) for end-users. Therefore, this paper focuses on designing an innovative and gamified approach to educate individuals about phishing attacks. The study asks how one can integrate “selfefficacy”, which has a co-relation with the user’s knowledge, into an anti-phishing educational game to thwart phishing attacks? One of the main reasons would appear to be a lack of user knowledge to prevent from phishing attacks. Therefore, this research investigates the elements that influence (in this case, either conceptual or procedural knowledge or their interaction effect) and then integrate them into an anti-phishing educational game to enhance people’s phishing prevention behaviour through their motivation.