
ConGISATA: A Framework for Continuous Gamified Information Security Awareness Training and Assessment

  • Conference paper
Computer Security – ESORICS 2023 (ESORICS 2023)

Abstract

The incidence of cybersecurity attacks utilizing social engineering techniques has increased. Such attacks exploit the fact that in every secure system, there is at least one individual with the means to access sensitive information. Since it is easier to deceive a person than it is to bypass the defense mechanisms in place, these types of attacks have gained popularity. This situation is exacerbated by the fact that people are more likely to take risks in their passive form, i.e., risks that arise due to the failure to perform an action. Passive risk has been identified as a significant threat to cybersecurity. To address these threats, there is a need to strengthen individuals’ information security awareness (ISA). Therefore, we developed ConGISATA - a continuous gamified ISA training and assessment framework based on embedded mobile sensors; a taxonomy for evaluating mobile users’ security awareness served as the basis for the sensors’ design. ConGISATA’s continuous and gradual training process enables users to learn from their real-life mistakes and adapt their behavior accordingly. ConGISATA aims to transform passive risk situations (as perceived by an individual) into active risk situations, as people tend to underestimate the potential impact of passive risks. Our evaluation of the proposed framework demonstrates its ability to improve individuals’ ISA, as assessed by the sensors and in simulations of common attack vectors.


Author information

Corresponding author

Correspondence to Ofir Cohen.

Appendix

1.1 List of Articles and Blog Posts

As described in Sect. 5.3, we collected 32 publicly available relevant educational articles and blog posts to use in the experiment (the blog posts and articles are listed in Table 5). The items for the ConGISATA group are listed first, with their corresponding ISA taxonomy criterion ID, and do not include a comprehensiveness grade. The items for the baseline group, which include a comprehensiveness grade, are listed after the bold horizontal line.

Table 5. The articles and blog posts used in the experiment

1.2 Passive Score Delta by Criterion

Figure 6 shows the average score deltas for the groups per criterion, as a function of the number of days since the experiment started.

Fig. 6. Average score deltas for the groups per criterion, as a function of the number of days since the experiment started.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Cohen, O., Bitton, R., Shabtai, A., Puzis, R. (2024). ConGISATA: A Framework for Continuous Gamified Information Security Awareness Training and Assessment. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_22

  • DOI: https://doi.org/10.1007/978-3-031-51479-1_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51478-4

  • Online ISBN: 978-3-031-51479-1

  • eBook Packages: Computer Science (R0)
