Abstract
The role of human factors in cybersecurity is an under-explored area with considerable potential for mitigating attacks. A systematic literature review (SLR) that explored human factors in cybersecurity, focusing on phishing, revealed five key human factors that were persistently associated with phishing-related attacks or issues. Based on the results of the SLR, further explorations into threat modelling were conducted to determine how to classify human-factor-related behaviour and the decisions that are likely behind it or that lead towards human error. This information was then used to develop a human-factor-centred threat model called STRIDE-HF, which was implemented in a game called Another Week at the Office (AWATO). The results of further testing of AWATO revealed that it is an effective tool for improving users' awareness of good cybersecurity practices.
Notes
1. It will be possible in future versions of AWATO to add other human factors and related in-game behaviours.
2.
3. The emails were created within an Excel spreadsheet and implemented in the game via Blueprint scripts in the Unreal Engine.
4. The handbook (corporate manual) is also shown to the player at the start of the game, following “the interview”.
5. While many of the issues have similar STRIDE elements and human factors, the way that they are presented in-game varies.
6. Positive results refer to participants who gave a rating of between 5–7 on the Likert scale; neutral (or indifferent) results to those who gave a rating of 4; negative results to those who gave a rating of between 1–3.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ferro, L.S., Marrella, A., Catarci, T., Sapio, F., Parenti, A., De Santis, M. (2022). AWATO: A Serious Game to Improve Cybersecurity Awareness. In: Fang, X. (eds) HCI in Games. HCII 2022. Lecture Notes in Computer Science, vol 13334. Springer, Cham. https://doi.org/10.1007/978-3-031-05637-6_33
DOI: https://doi.org/10.1007/978-3-031-05637-6_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-05636-9
Online ISBN: 978-3-031-05637-6
eBook Packages: Computer Science, Computer Science (R0)