Designing a Mobile Game for Home Computer Users to Protect Against Phishing Attacks

This research aims to design an educational mobile game for home computer users to prevent from phishing attacks. Phishing is an online identity theft which aims to steal sensitive information such as username, password and online banking details from victims. To prevent this, phishing education needs to be considered. Mobile games could facilitate to embed learning in a natural environment. The paper introduces a mobile game design based on a story which is simplifying and exaggerating real life. We use a theoretical model derived from Technology Threat Avoidance Theory (TTAT) to address the game design issues and game design principles were used as a set of guidelines for structuring and presenting information. The overall mobile game design was aimed to enhance avoidance behaviour through motivation of home computer users to protect against phishing threats. The prototype game design is presented on Google App Inventor Emulator. We believe by training home computer users to protect against phishing attacks, would be an aid to enable the cyberspace as a secure environment.

💡 Research Summary

The paper presents the design and preliminary implementation of an educational mobile game aimed at helping home computer users avoid phishing attacks. Recognizing that phishing—online identity theft targeting credentials and banking information—remains a pervasive threat, especially for non‑technical users, the authors argue that traditional text‑based warnings and tutorials are insufficient to sustain attention and promote real‑world defensive behavior. To address this gap, they propose a game‑based learning solution that embeds security concepts within a familiar, everyday context.

The theoretical foundation of the design is the Technology Threat Avoidance Theory (TTAT), which posits that users’ avoidance behavior is driven by three interrelated constructs: threat perception, motivation to avoid, and actual avoidance actions. The authors map each TTAT component onto specific game mechanics. Threat perception is heightened through visual “phishing traps,” time‑limited challenges, and realistic email, messenger, and website simulations. Motivation is reinforced by a points system, level progression, badges, and leader‑board rankings that reward correct identification of phishing attempts. Avoidance behavior is cultivated via immediate feedback, score updates, and the ability to retry failed levels, thereby encouraging repeated practice.

The game’s narrative is set in a virtual home environment where the player navigates everyday digital interactions—checking emails, browsing the web, receiving instant messages—and must decide whether each item is legitimate or a phishing lure. This storyline simplifies and exaggerates real‑life scenarios to make learning objectives clear while preserving immersion. Design principles guiding the development include clear goals, adaptive difficulty, instant feedback, repeatable practice, and social competition, all intended to boost engagement and facilitate knowledge transfer.

For rapid prototyping, the authors selected Google App Inventor, a low‑cost, drag‑and‑drop platform that allows non‑programmers to create functional Android applications. Using the App Inventor emulator, they built the user interface, interaction flow, scoring logic, and feedback mechanisms. The prototype demonstrates a functional proof‑of‑concept, though the authors acknowledge that emulator testing may not capture all nuances of real device performance.

Evaluation is planned through a pre‑ and post‑test design. Participants will complete questionnaires assessing phishing awareness, perceived risk, and security habits before playing the game, and the same measures after gameplay. In‑game logs (click patterns, response times, accuracy) will provide objective data on behavioral change. The authors anticipate measurable improvements in threat perception, increased motivation to avoid phishing, and higher rates of correct identification in real‑world contexts.

Limitations discussed include the prototype’s confinement to a simulated environment, the need for broader demographic testing to ensure generalizability across age groups and technical skill levels, and the absence of longitudinal data to confirm lasting behavioral change. Future work will involve field trials with diverse user groups, integration of AI‑generated phishing scenarios to keep content up‑to‑date, and expansion of the platform to support both mobile and desktop interfaces.

In conclusion, the study offers a systematic framework that links a well‑established security behavior theory (TTAT) with concrete game design practices, delivering a tangible educational tool for home users. By leveraging gamification, the authors aim to transform passive security warnings into active learning experiences, thereby strengthening users’ ability to recognize and thwart phishing attacks and contributing to a safer cyber ecosystem.