DOI: 10.1145/3383668.3419917
short-paper

The Social Engineer: An Immersive Virtual Reality Educational Game to Raise Social Engineering Awareness

Published: 03 November 2020

ABSTRACT

As system infrastructures are becoming more secure against technical attacks, it is more difficult for attackers to overcome them with technical means. Social engineering instead exploits the human factor of information security and can have a significant impact on organizations. The lack of awareness about social engineering favors the successful realization of social engineering attacks, as employees do not recognize them as such early enough, resulting in high costs for the affected company. Current training approaches and awareness courses are limited in their versatility and create little motivation for employees to deal with the topic. The high immersion of virtual reality can improve learning in this context. We created The Social Engineer, an immersive educational game in virtual reality, to raise awareness and to sensitize players about social engineering. The player impersonates a penetration tester and conducts security audits in a virtually simulated company. The game consists of a detailed game world containing three distinct missions that require the player to apply different social engineering attack methods. Our concept enables the game to be highly extensible and flexible regarding different playable scenarios and settings. The Social Engineer can potentially benefit companies as an immersive self-training tool for their employees, support security experts in teaching social engineering awareness as part of a comprehensive training course, and entertain interested individuals by leveraging fun and innovative gameplay mechanics.

Supplemental Material

cpsd1001vf.mp4 (mp4, 90.7 MB)


Published in

CHI PLAY '20: Extended Abstracts of the 2020 Annual Symposium on Computer-Human Interaction in Play
November 2020
435 pages
ISBN: 9781450375870
DOI: 10.1145/3383668

Copyright © 2020 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 421 of 1,386 submissions, 30%
