AWATO: A Serious Game to Improve Cybersecurity Awareness

  • Conference paper
HCI in Games (HCII 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13334)

Abstract

The role of human factors in cybersecurity is an under-explored area with considerable potential for mitigating attacks. As a result, a systematic literature review (SLR) of human factors in cybersecurity was conducted, focusing on phishing; it revealed five key human factors that were persistent in phishing-related attacks or issues. Based on the results of the SLR, threat modelling was explored further to determine how to classify human-factor-related behaviour and the decisions that are likely behind it or that lead towards human error. This information was then used to develop a human-factor-centred threat model called STRIDE-HF, which was implemented in a game called Another Week at the Office (AWATO). Further testing of AWATO revealed that it is an effective tool for improving users' awareness of good cybersecurity practices.

Notes

  1. It will be possible in a future version of AWATO to add other human factors and related in-game behaviours.

  2. www.unrealengine.com.

  3. The emails were created within an Excel spreadsheet and implemented into the game via Blueprint scripts in the Unreal Engine.

  4. The handbook (corporate manual) is also shown to the player at the start of the game, following “the interview”.

  5. While many of the issues have similar STRIDE elements and human factors, the way that they are presented in-game varies.

  6. Positive results refer to participants who gave a rating of between 5–7 on the Likert scale; neutral (or indifferent) results to those who gave a rating of 4; negative results to those who gave a rating of between 1–3.

Author information

Correspondence to Lauren S. Ferro.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Ferro, L.S., Marrella, A., Catarci, T., Sapio, F., Parenti, A., De Santis, M. (2022). AWATO: A Serious Game to Improve Cybersecurity Awareness. In: Fang, X. (eds) HCI in Games. HCII 2022. Lecture Notes in Computer Science, vol 13334. Springer, Cham. https://doi.org/10.1007/978-3-031-05637-6_33

  • DOI: https://doi.org/10.1007/978-3-031-05637-6_33

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-05636-9

  • Online ISBN: 978-3-031-05637-6

  • eBook Packages: Computer Science (R0)