Teach IT users not to get phished: Play the game, get the knowledge and confidence to handle phishing emails/websites

Phishing attacks are prevalent, and humans are central to this online identity theft attack, which aims to steal victims’ sensitive and personal information such as usernames, passwords, and online banking details. Computer users are more prone to this kind of cyber-attack and are the weakest link in the security chain. Scammers take advantage of this to target victims for their own gain. Therefore, it is important to educate users to detect and avoid phishing attacks. It is also necessary for them to be confident and knowledgeable when making trustworthy security decisions to avoid phishing attacks. The work reported in my Master’s thesis therefore focuses on phishing attacks and on how to teach and educate people to avoid them by enhancing their knowledge and confidence. This research also focuses on game-based learning, demonstrating how factors that help to increase IT users’ self-efficacy can be incorporated into an anti-phishing gaming tool for educating people about anti-phishing techniques.

“Anti-phishing Education” is a method that educates people about phishing as well as anti-phishing. Web-based training, interactive game-based training, contextual training or spear-phishing experiments, embedded training (i.e. through machines and software that people normally use), and non-embedded training are some of the anti-phishing awareness methods used by researchers to build and enhance users’ knowledge about cyber threats.

All of these techniques for educating IT users try to strengthen users’ knowledge of how to better identify and differentiate between legitimate and phishing URLs/emails. However, there are some limitations and challenges associated with successfully educating people about phishing and anti-phishing. Most people are not motivated to learn and utilise security education; for some people, security is not a primary task; and it is very difficult to educate people not to misinterpret a non-phishing threat as a phishing threat. In addition, people are not motivated to pay attention to training materials. This is because IT users ignore security educational material, and also the fact that security is necessary to stay safe in cyber-space.

There is a strong correlation between users’ knowledge and their self-efficacy (confidence). Users with more knowledge of phishing attacks are the ones who are more confident in thwarting phishing attacks. Therefore, the research I proposed incorporates the user’s confidence into a game-based learning tool, which will create and enhance user awareness through their phishing threat avoidance behaviour and their motivation. The proposed research will help users to build their confidence in a knowledge-based way so that the occurrence of such phishing attacks can be minimised or prevented.

This talk will discuss how IT users can educate themselves in different kinds of phishing detection and identification knowledge to build up their confidence level while playing a game-based anti-phishing learning tool. It will be fun to play, enjoyable and convenient, enhance people’s creativity and keep them engaged. Overall, this game-based anti-phishing learning tool will help them understand different kinds of phishing techniques and how to recognise them and stay protected in cyber-space. It will simply raise awareness in an interactive way, unlike reading materials!