User-Centred Security Education: A Game Design to Thwart Phishing Attacks
Author
Abstract
Security exploits can include cyber threats such as computer programs that disturb the normal behaviour of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempts to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attacks), social engineering, and online identity theft (phishing) [4]. One such cyber threat that is particularly dangerous to computer users is phishing [7] [2] [4]. Phishing is well known as online identity theft, which aims to steal sensitive information such as usernames, passwords and online banking details from its victims. Automated anti-phishing tools have been developed and used to alert users to potentially fraudulent emails and websites. However, these tools are not entirely reliable in detecting phishing attacks [12] [3]. Even the best anti-phishing tools missed over 20 percent of phishing websites [14]. Because the “human” is the weakest link in information security [11] [3] [4] and it is not possible to completely avoid the end-user, for example in personal computer use, one mitigating approach for computer and information security is to educate the end-user in security prevention [3] [13] [12] [14] [8] [4]. This research study focuses on the design and development of a game prototype for mobile platforms to educate individuals about phishing attacks. The study therefore asks how one identifies which issues the game design needs to address. The elements of a game design framework developed by Arachchilage and Love [3] for avoiding phishing attacks were used to address the game design issues. Our mobile game design aimed to enhance the users’ avoidance behaviour through their motivation to protect themselves against phishing threats. Garera et al. [9] strongly argue it is often possible to differentiate phishing websites from legitimate ones by carefully looking at the URL. Therefore, this mobile game prototype was designed to teach people to distinguish legitimate URLs from mimic ones. A think-aloud study was conducted, along with a pre- and post-test, to assess the game design framework through the developed mobile game prototype. The study results showed a significant improvement in participants’ phishing avoidance behaviour in their post-test assessment. Furthermore, the study findings suggest that participants’ threat perception, safeguard effectiveness, self-efficacy, perceived severity and perceived susceptibility elements positively impact threat avoidance behaviour, whereas safeguard cost had a negative impact on it.

Figure 1: The game design framework [3]
Similar resources
Integrating self-efficacy into a gamified approach to thwart phishing attacks
Security exploits can include cyber threats such as computer programs that can disturb the normal behavior of computer systems (viruses), unsolicited e-mail (spam), malicious software (malware), monitoring software (spyware), attempting to make computer resources unavailable to their intended users (Distributed Denial-of-Service or DDoS attack), the social engineering, and online identity theft...
Can a Mobile Game Teach Computer Users to Thwart Phishing Attacks?
Phishing is an online fraudulent technique, which aims to steal sensitive information such as usernames, passwords and online banking details from its victims. To prevent this, anti-phishing education needs to be considered. This research focuses on examining the effectiveness of mobile game based learning compared to traditional online learning to thwart phishing threats. Therefore, a mobile g...
Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks
Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have ...
A Framework to Prevent QR Code Based Phishing Attacks
Though the rapid development and spread of Information and Communication Technology (ICT) is making people's lives much easier, it is also causing some serious threats to society. Phishing is one of the most common cyber threats, one that most users fall for. This research investigates QR code based phishing attacks, which are a newly adopted intrusive method, and how to enhance the aw...
Designing a Mobile Game for Home Computer Users to Protect Against Phishing Attacks
This research aims to design an educational mobile game for home computer users to prevent phishing attacks. Phishing is an online identity theft which aims to steal sensitive information such as usernames, passwords and online banking details from victims. To prevent this, phishing education needs to be considered. Mobile games could facilitate embedding learning in a natural environment. Th...
Journal title:
- CoRR
Volume abs/1511.03459, Issue
Pages -
Publication date 2015