Extending Game-based Anti-Phishing Education using Personalization
Design and Implementation of a Framework for Personalized Learning Game Content in Anti-Phishing Learning Games
Phishing poses an imminent and wide-ranging threat to Internet users worldwide, in which attackers use methods of deception to lure victims into disclosing information. Recent reports state high numbers of phishing incidents and, so far, technical solutions fail to stop the threat completely. As a complementary approach, user education using anti-phishing learning games has been explored to raise awareness and teach the necessary knowledge and skills to detect and protect against phishing attacks. In particular, researchers have explored anti-phishing learning games to allow users to apply learned knowledge and practice skills regarding the detection of phishing attacks.
A common game mechanic used in existing games requires learners to classify URLs as either legitimate or phishing in a binary decision scheme. Here, a problem can occur if learners do not know the service of a given URL and are unable to classify the URL due to a lack of reference. As such, learners may revert to guessing which may weaken the game's potential for practice, since learners cannot relate between correct classifications and the applied knowledge. Furthermore, the possibilities for feedback are limited since the binary decision mechanic does not provide any insights into learners' decision processes and possible misconceptions.
In this dissertation, the limitations for feedback as well as the problem with classifying unknown URLs in anti-phishing learning games are addressed as follows: First, a review of existing learning games provides insights into their design and covered learning content. Its results are used in guiding the design and implementation of two new game prototypes. Here, the first game extends the before-mentioned binary decision mechanic and requires learners to sort URLs into one of many categories, depending on which manipulation technique was applied to a distinct part of the URL. The second game requires learners to apply different manipulation techniques and create their own malicious URLs using a puzzle mechanic. Next, the means of personalization for anti-phishing learning games are explored and a personalization pipeline is developed. By considering the learners' familiarity with different services and dynamically creating benign and phishing URLs, the content of anti-phishing learning games can be personalized.
To evaluate the new game prototypes as well as the application of the personalization pipeline, two comparative user studies are conducted in a between-group design with pre-, post- and longitudinal testing. In the first user study with 133 participants, both games are evaluated and compared to a baseline implementation. While participants of the new games did not perform significantly better than the control group, results show significant improvements in the participants' performance and confidence between pre- and post-tests for all games, as well as notable differences when classifying URLs of unknown and known services. In the second user study with 49 participants, the personalization pipeline is integrated into one of the games, in order to compare its personalized and non-personalized version. Here, personalization enables the control of service familiarity and allows insights into how URLs of unknown services are handled within the game. While participants of the personalized game did not outperform the participants of its non-personalized version, the evaluation of in-game behavior provides insights into learners' decision processes and possible problems or misconceptions. Furthermore, results of a longitudinal evaluation of all games and versions show that knowledge is retained since the participants perform still significantly better than in the pre-test.
In all, this dissertation presents first approaches and research results in the domain of personalized anti-phishing learning games. Future work may entail redesigning anti-phishing learning games to incorporate further means of personalization and to understand how learner characteristics can be utilized in anti-phishing learning games.