
6.3 Design Consideration of an Information Security Awareness Program through Gaming

6.3.3 Conceptual Game Prototype

This section describes the proposed prototype for the gaming component. The design takes into consideration the requirements identified in the previous section. A conceptual design was produced and partially implemented.

The high-level design and flow are depicted in Figure 6-13.

Figure 6-13: High-level Design of Game (Source: Own)

The game component initiates when the user logs into the game. With a successful login the user would be presented with the “Topic Tree”. This page would provide the user with the gaming topics and performance indicators. The use of badges provides a visual presentation of the performance indicators. The user can navigate to the topics, which provide access to learning material, as well as an assessment feature. In addition, access to the leaderboard and profile information is presented. The leaderboard not only indicates the user’s performance and progress, but also compares progress with other users playing the game. The user also has the option to log out of the system at any time during the play; the state of the game is stored after every interaction with the gaming platform.

The objectives of the gaming platform are to ensure users become aware of threats originating from the use of computers, and to transfer knowledge that allows the user to understand and mitigate these threats with the knowledge acquired from the information security awareness game. As described in Section 6.2.2.5, the richness of the information has an impact on the effectiveness of knowledge transfer and understanding - the use of hypertext and multimedia is ideal for this gaming component. Therefore, the topics section presents the information resources used to transfer knowledge in the game, in the format of slides and videos.

Screenshots are used to explain the flow of the different components of the game. The user will be directed to the selected topic and provided with an interface (See Figure 6-14).

Figure 6-14: High Level View of Game Prototype (Source: Own)

The layering of subject matter as described by Khan et al. (2011) addresses the requirement of using a weighted method to incorporate the difficulty of content. Each level represents a more complex level of topics.

In order for the user to progress to more advanced topics, a user is required to ‘unlock’ the next level. To do so, users need to answer ten consecutive questions correctly on the preceding level. Questions are chosen at random from the pool of compiled questions for each level. The questions are also created from a practical point of view. This ensures the knowledge assessed replicates the real world and the user can apply it when the scenario is encountered. The layout presents a visual path that the user needs to complete on the selected topic. The path also represents a structure of progress to show the advancement in difficulty. In other words, the difficulty increases as the user progresses through each layer.

The user can access the quiz or tutorial component by selecting a section within the topic breakdown. The tutorial component contains information on the topic and is represented by slides or videos, which ensure the user not only becomes aware of the subject matter, but also understands it (Figure 6-15).

Figure 6-15: Mixture of Hypertext and Hypermedia (Source: Own)

In the case of the quiz, the user can assess their knowledge of the topic and subsequently progress in the game and obtain points to compete with other users. The quiz consists of multiple-choice questions, which are randomly selected from the pool of questions created on the topics (Figure 6-16). As described earlier, the questions have weights assigned to them indicating the difficulty level. The progress bar gives the user a visual indication of progress within the quiz, as prescribed by Nielsen (2005).

Figure 6-16: Sample Question and Status (Source: Own)

Other factors were taken into consideration to ensure the game is easy to use and intuitive, while providing the user with information on how to proceed and recover from errors without affecting the game. For example, if the game only made use of links, the user would only have one method to play the game.

Badges were also implemented. This helped to indicate achievements for the users. The badge and achievement system encourages users to try and attain better scores and complete more sections. Different badges indicate different achievements, and the system automatically creates notifications to inform all users about the progress and achievements of other users. For example, a badge can be awarded to a user who answers ten questions correctly, or another badge can be awarded if a user accesses the game in three consecutive days (Figure 6-17).

Figure 6-17: Badges and Achievements (Source: Own)
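The unlock rule described earlier (ten consecutive correct answers on the preceding level, questions drawn at random from that level's pool) and the two badge examples above can be expressed in code as follows. This is an added example, not code from the prototype; the class, function and badge names and the sample question pool are assumptions.

```python
import random
from dataclasses import dataclass, field
from datetime import timedelta

UNLOCK_STREAK = 10     # consecutive correct answers needed to unlock the next level
LOGIN_STREAK_DAYS = 3  # consecutive play days needed for the login badge

# Constructed sample pool: level -> multiple-choice questions (hypothetical content).
SAMPLE_POOL = {
    1: [{"text": "Unexpected e-mail asks for your password. Action?", "answer": "report"},
        {"text": "USB stick found in the car park. Action?", "answer": "hand in"}],
    2: [{"text": "Link text and link target differ. Action?", "answer": "do not click"}],
}

@dataclass
class Player:
    level: int = 1          # highest unlocked level
    streak: int = 0         # consecutive correct answers on that level
    total_correct: int = 0
    play_days: set = field(default_factory=set)
    badges: set = field(default_factory=set)

def pick_question(pool, level, rng=random):
    """Choose a question at random from the pool compiled for one level."""
    return rng.choice(pool[level])

def record_login(player, day):
    """Store a play day; award the badge once three days in a row are present."""
    player.play_days.add(day)  # set: several logins on one day count once
    run = 1
    while day - timedelta(days=run) in player.play_days:
        run += 1
    if run >= LOGIN_STREAK_DAYS:
        player.badges.add("three-day-streak")  # hypothetical badge name

def record_answer(player, question, choice, max_level):
    """Score one answer on the player's highest unlocked level."""
    if choice == question["answer"]:
        player.streak += 1
        player.total_correct += 1
        if player.total_correct >= 10:
            player.badges.add("ten-correct")  # hypothetical badge name
    else:
        player.streak = 0  # a wrong answer breaks the run: the ten must be consecutive
    if player.streak >= UNLOCK_STREAK and player.level < max_level:
        player.level += 1
        player.streak = 0  # the new level needs its own run of ten
    return player.level
```

Because the streak resets on any wrong answer, nine correct answers followed by one mistake leave the next level locked, which is the behaviour the "ten consecutive" requirement implies.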

By using a social networking application to run the game, users can view their friends’ activities, and this would also encourage repeated use. Social networking sites provide application programming interfaces to encourage developers to develop and deploy games within the social networking site environment. In this way, by placing the game in a popular medium such as a social networking site, the appeal of the game is strengthened and this also promotes user acceptance. Overall, the game has been designed taking into consideration the various requirements prescribed by the literature.

6.4 Conclusion

This chapter addressed the development phase of the NIST information security awareness framework by identifying a platform to deliver the information security awareness program to the intended participants. Section 6.2 proposed the use of an autonomous system, which could conduct an information security awareness program and measure the information security awareness levels of participants without human intervention. The system consisted of several components which could operate individually, but could also be combined to achieve the objective of autonomous information security awareness programs. The system requirements and design positive behaviour change. The use of gaming concepts provided metrics to calculate the effectiveness of the knowledge transferred as seen by CyberProtect and CyberSiege. In other words, the actions taken in the games demonstrated a clear understanding of concepts and their application within a situation. This study builds on the concept of gaming to transfer knowledge to the participants. It should be noted that different types of games exist, including interactive, text-based and turn-based games. Each of these types has its own design considerations, as they are developed in different ways but have the same underlying objective. The type of game would be selected based on the method used to collect data from the participants (Section 7.2).

Section 6.3.2 investigated the design requirements for using game play to deliver information security awareness programs. The design considerations were then used to develop a prototype gaming component (Section 6.3.3).

The resulting design considerations identified in this chapter, together with the prototype feedback, were implemented in the development and deployment of a social networking game discussed in the next chapter.

The first phase of the NIST framework identified the need and topics required for the information security awareness program (Chapter 5). The second phase of the NIST information security awareness framework, which focused on the delivery platform required to transfer the knowledge on the selected topics, was discussed in this chapter.

The next phase of the NIST information security awareness framework, which focuses on the implementation of the information security awareness program, is described in the next chapter. Data collected during the information security awareness program would be analysed to determine the effectiveness of incorporating games in information security awareness programs.

Figure 7-1: Layout of Chapter 7

Chapter 6 - Development (Distribution Platform)

Chapter 7 - Implementation (Data Collection)

• 7.1 Introduction

• 7.2 Research Design

• 7.3 Methodology

• 7.4 Limitations

• 7.5 Ethical Consideration

• 7.6 Conclusion