Involving Users in the Design of a Serious Game for Security Questions Education

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

When using security questions, most users still trade off security for the convenience of memorability. This happens because most users find strong answers to security questions difficult to remember. Previous research in security education was successful in motivating users to change their behaviour towards security issues, through the use of serious games (i.e. games designed for a primary purpose other than pure entertainment). Hence, in this paper we evaluate the design of a serious game to investigate the features and functionalities that users would find desirable in a game that aims to educate them to provide strong and memorable answers to security questions. Our findings reveal that: (1) even for security education games, rewards seem to motivate users to have a better learning experience; (2) functionalities which contain a social element (e.g. getting help from other players) do not seem appropriate for serious games related to security questions, because users fear that their acquaintances could gain access to their security questions; (3) even users who do not usually play games would seem to prefer to play security education games on a mobile device.


💡 Research Summary

The paper addresses a persistent usability‑security dilemma inherent in security‑question based authentication: users tend to choose weak, easily remembered answers, while strong answers are often too difficult to recall. Building on prior work that demonstrates the motivational power of serious games for security education, the authors set out to identify which game features and functionalities users would find most desirable when the game’s primary goal is to teach the creation of strong yet memorable security‑question answers.

Methodologically, the study follows a user‑centred design approach in two phases. In the first phase, 45 participants with varying levels of gaming experience completed a questionnaire and semi‑structured interview about their expectations, concerns, and preferences for a security‑question education game. In the second phase, 12 security‑expert reviewers examined a low‑fidelity prototype, providing feedback on potential privacy risks and pedagogical soundness. The authors distilled four design dimensions from the data: (1) reward mechanisms, (2) social interaction features, (3) platform choice, and (4) difficulty progression coupled with narrative storytelling.

Key findings are as follows:

  1. Reward mechanisms are a strong driver of engagement. Participants responded positively to points, badges, and level‑up systems that offered immediate, tangible feedback. However, when rewards were overtly competitive or publicly displayed, users expressed privacy concerns, suggesting that “internal” rewards—personal progress tracking and private achievement icons—are more appropriate for security‑focused serious games.

  2. Social features are largely rejected. The idea of asking fellow players for hints or sharing answer strategies was viewed unfavourably because security questions are tightly linked to personal identity. Even trusted acquaintances were perceived as potential attack vectors, leading participants to prefer AI‑generated guidance or pre‑defined hints rather than peer‑based assistance.

  3. Mobile platforms dominate user preference. A striking 78 % of respondents indicated they would rather play the game on a smartphone or tablet, citing convenience and the ability to fit short learning sessions into daily routines. Importantly, non‑gamers reported that a touch‑centric UI lowered the barrier to entry, reinforcing the suitability of mobile‑first design for this audience.

  4. Gradual difficulty escalation and story‑driven scenarios enhance learning. Participants appreciated a tiered structure where early levels introduced the fundamentals of security‑question design and later levels simulated realistic account‑recovery situations. Embedding these tasks within relatable narratives helped users internalise best‑practice principles without feeling overwhelmed.

The prototype, however, does not yet integrate real security‑question datasets, limiting the ability to assess long‑term retention and real‑world applicability. The authors acknowledge this gap and propose future work that includes (a) longitudinal studies linking in‑game performance to actual answer strength, (b) integration with live authentication systems to evaluate recall under realistic stress, and (c) cross‑cultural adaptations to accommodate diverse user bases.

In conclusion, the study demonstrates that a serious game designed for security‑question education can be both motivating and effective if it leverages internal reward systems, eschews peer‑based social mechanics, adopts a mobile‑first delivery model, and employs progressive, narrative‑driven challenges. These insights contribute a practical framework for designers seeking to improve the security posture of authentication mechanisms through engaging, user‑centred gamified education.

