Involving Users in the Design of a Serious Game for Security Questions Education


📝 Abstract

When using security questions most users still trade-off security for the convenience of memorability. This happens because most users find strong answers to security questions difficult to remember. Previous research in security education was successful in motivating users to change their behaviour towards security issues, through the use of serious games (i.e. games designed for a primary purpose other than pure entertainment). Hence, in this paper we evaluate the design of a serious game, to investigate the features and functionalities that users would find desirable in a game that aims to educate them to provide strong and memorable answers to security questions. Our findings reveal that: (1) even for security education games, rewards seem to motivate users to have a better learning experience; (2) functionalities which contain a social element (e.g. getting help from other players) do not seem appropriate for serious games related to security questions, because users fear that their acquaintances could gain access to their security questions; (3) even users who do not usually play games would seem to prefer to play security education games on a mobile device.

📄 Content

Involving Users in the Design of a Serious Game for Security Questions Education

Nicholas Micallef and Nalin Asanka Gamagedara Arachchilage

Australian Centre for Cyber Security, School of Engineering and Information Technology, University of New South Wales, Canberra, Australia
e-mail: {n.micallef; nalin.asanka}@adfa.edu.au

Keywords: Usable Security, Security Questions, Serious Games, Cyber Security Education

1. Introduction and Background

Fall-back authentication mechanisms are used to recover forgotten passwords. Large organisations (e.g. Google, Facebook) have recently adopted fall-back authentication mechanisms such as text-based and email-based password recovery. However, these mechanisms do not manage to provide a better fall-back authentication experience because they are still prone to a number of security vulnerabilities and portability issues (Stavova et al. 2016). For instance, text-based password recovery has the limitation that users might not carry their device with them when on vacation. In this situation, it would be impossible for users to recover their forgotten password.

The main alternative to these fall-back authentication mechanisms is security questions. The main challenge of security questions is that strong answers to security questions (i.e. high entropy) are difficult for users to remember (Shay et al. 2012), but also hard for potential attackers to guess or obtain using social engineering techniques (e.g. monitoring of social networking profiles). Alternatively, weak answers to security questions (i.e. low entropy) are easier for potential attackers to breach (Bonneau et al. 2010; Denning et al. 2011), but then they are easier for users to remember (Zviran and Haga, 1990; Just and Aspinall, 2009, 2010). System-generated answers to security questions (as proposed by Micallef and Just (2011)) seem to be a promising design option (Micallef and Arachchilage, 2017a, 2017b), since they can limit the vulnerabilities to guessing and social engineering attacks (Shay et al. 2012). However, system-generated answers to security questions need to be better presented to users, to increase the strength of fall-back authentication. Hence, research still needs to investigate the best way to educate users to adhere to stronger answers to security questions.

A serious game is a game designed for a primary purpose other than pure entertainment (Djaouti et al. 2011). In the field of security education, serious games were used as a pedagogical tool for teaching network security (Ariyapperuma and Minhas, 2005; Gondree et al. 2013), which has improved the overall learning experience. Also, previous research has used serious games in the security field to educate users about their susceptibility to phishing attacks, to teach users to be less prone to these security vulnerabilities (Arachchilage et al. 2013, 2014, 2016). Serious games were also used to motivate users to change their behaviour towards general concepts in computer security (Denning et al. 2013; Dasgupta et al. 2013) and to help users remember passwords (Tao and Adams, 2008; Malempati and Mogalla, 2011; McLennan et al. 2017). Most of this research was successful in motivating users to change their behaviour towards security issues through the use of serious games. Therefore, we argue that a serious game that nudges users to improve memorability towards security questions, through educational interventions, could be effective in enhancing users' behaviour to strengthen their answers to security questions.

A serious game for security questions has been recently proposed by Micallef and Arachchilage (2017a, 2017b), with the aim of enhancing the memorability of system-generated answers to security questions. H
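As an added illustration (not code from the paper) of the high-entropy versus low-entropy trade-off described above, and of why system-generated answers limit guessing attacks, the following Python compares a constructed distribution of user-chosen answers to a question with a system-generated answer drawn uniformly from a word list. The answer distribution and the word list are assumptions made for this example, not the authors' data, and a real system would use a far larger list.

```python
import math
import secrets
from collections import Counter

# Constructed sample of 100 user-chosen answers to "What is your favourite
# colour?" (illustrative distribution, not survey data).
USER_ANSWERS = (["blue"] * 30 + ["red"] * 20 + ["green"] * 15 + ["black"] * 10
                + ["purple"] * 8 + ["yellow"] * 7 + ["orange"] * 5 + ["pink"] * 5)

# Constructed word list for system-generated answers (hypothetical, 16 words).
WORDLIST = ["apple", "river", "candle", "mountain", "violet", "harbor",
            "pencil", "thunder", "meadow", "copper", "lantern", "falcon",
            "marble", "orchid", "saddle", "timber"]


def shannon_entropy_bits(samples):
    # Average information per answer in the observed distribution.
    counts = Counter(samples)
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def min_entropy_bits(samples):
    # -log2 of the most popular answer's probability: the success odds of a
    # single best guess, which is what matters against a guessing attack.
    counts = Counter(samples)
    return -math.log2(max(counts.values()) / len(samples))


def guesses_to_cover(samples, fraction):
    # How many of the most popular answers cover `fraction` of the users.
    counts = Counter(samples)
    n, covered = len(samples), 0
    for i, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / n >= fraction:
            return i
    return len(counts)


def generate_answer(words=WORDLIST, k=3):
    # System-generated answer: k words chosen uniformly with a CSPRNG.
    return " ".join(secrets.choice(words) for _ in range(k))


def generated_entropy_bits(words=WORDLIST, k=3):
    # Uniform choice over len(words)**k combinations, so every answer is
    # equally likely and min-entropy equals Shannon entropy.
    return k * math.log2(len(words))
```

With the constructed data, two guesses already cover half of the users, while the 3-word generated answer has 12 bits of entropy and no popular answer to try first.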
