Building Confidence not to be Phished through a Gamified Approach: Conceptualising Users Self-Efficacy in Phishing Threat Avoidance Behaviour

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Phishing attacks are prevalent and humans are central to this online identity theft attack, which aims to steal victims’ sensitive and personal information such as usernames, passwords, and online banking details. Many anti-phishing tools have been developed to thwart phishing attacks. Since humans are the weakest link in phishing, it is important to educate them to detect and avoid phishing attacks. One can argue that self-efficacy is one of the most important determinants of an individual’s motivation in phishing threat avoidance behavior, which has a correlation with knowledge. The proposed research focuses on the user’s self-efficacy in order to enhance the individual’s phishing threat avoidance behavior through their motivation. Using social cognitive theory, we explored how various knowledge attributes such as observational (vicarious) knowledge, heuristic knowledge and structural knowledge contribute immensely towards the individual’s self-efficacy to enhance phishing threat prevention behavior. A theoretical framework is then developed depicting the mechanism that links knowledge attributes, self-efficacy and threat avoidance motivation, leading to users’ threat avoidance behavior. Finally, a gaming prototype is designed incorporating the knowledge elements identified in this research, aimed at enhancing the individual’s self-efficacy in phishing threat avoidance behavior.


💡 Research Summary

The paper addresses the persistent problem of phishing attacks, emphasizing that humans remain the weakest link despite the proliferation of technical anti‑phishing tools. Drawing on Social Cognitive Theory, the authors propose a four‑stage model linking three distinct knowledge attributes—observational (vicarious) knowledge, heuristic knowledge, and structural knowledge—to self‑efficacy, threat‑avoidance motivation, and ultimately phishing‑avoidance behavior.

Observational knowledge provides learners with modeled examples of successful phishing avoidance, fostering a sense that “others can do it.” Heuristic knowledge supplies rule‑based cues (e.g., common phishing patterns, URL anomalies) that enable rapid, experience‑based judgments. Structural knowledge offers a deeper, systematic understanding of phishing mechanisms and defensive technologies such as SPF, DMARC, and certificate validation. The authors argue that each knowledge type uniquely contributes to boosting users’ self‑efficacy: social modeling builds confidence, heuristics reinforce procedural confidence, and structural insight creates foundational confidence in one’s ability to analyze and counter threats.

Increased self‑efficacy, in turn, heightens threat‑avoidance motivation, a relationship well‑documented in prior literature (e.g., Technology Threat Avoidance Theory). Motivated users are more likely to perceive phishing as a salient risk and to take proactive steps to avoid it, thereby translating confidence into concrete avoidance actions.

To operationalize the model, the researchers designed a gamified learning prototype. The game presents a narrative‑driven “email inbox” where participants must identify phishing messages. Integrated elements include: (1) video clips of peers successfully thwarting phishing attempts (observational learning), (2) on‑screen hints that highlight heuristic cues (e.g., “hover over links”), and (3) short quizzes that test structural knowledge of email authentication protocols. Immediate feedback, points, and a progress bar sustain engagement and provide repeated success experiences that reinforce self‑efficacy in real time.
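The two kinds of cue the game teaches, the "hover over links" heuristic and knowledge of email authentication results, can also be checked mechanically. The Python sketch below is an added example, not code from the paper or its prototype; the sample message, its hostnames, and the names `LinkCollector`, `host_of` and `phishing_cues` are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the paper): forged link text, failed SPF/DMARC.
SAMPLE = """\
From: "Example Bank" <alerts@bank.example>
Authentication-Results: mx.mail.example; spf=fail smtp.mailfrom=bank.example; dmarc=fail header.from=bank.example
Content-Type: text/html; charset="utf-8"

<p>Confirm at <a href="http://login.attacker.example/verify">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
"""

class LinkCollector(HTMLParser):  # gathers [href, visible text] per <a> element
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_a = True
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"

def host_of(text):  # hostname if text is a URL or bare domain name, else None
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname or ""
    except ValueError:
        return None
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) else None

def phishing_cues(raw):
    msg = message_from_string(raw, policy=policy.default)
    # Structural cue: SPF/DMARC verdicts recorded in Authentication-Results.
    verdicts = re.findall(r"\b(spf|dmarc)=(\w+)", str(msg["Authentication-Results"] or ""))
    cues = [f"{m}={v}" for m, v in verdicts if v != "pass"]
    # Heuristic cue (what hovering reveals): text names one host, href another.
    body = msg.get_body(("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        shown, actual = host_of(text.strip()), host_of(href.strip())
        if shown and actual and shown != actual:
            cues.append(f"link text {shown} -> href {actual}")
    return cues
```

An `Authentication-Results` header is only meaningful when the recipient's own mail server added it, since a sender can include a forged copy of the same header.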

A controlled study with 80 university students measured pre‑ and post‑intervention phishing detection accuracy, self‑efficacy, and avoidance motivation. Results showed a statistically significant increase in detection accuracy (average +27%), self‑efficacy scores (p < 0.01), and motivation to avoid threats. In a subsequent simulated phishing scenario, participants who used the game exhibited a 35% higher avoidance rate compared with a control group.

The paper contributes (1) a theoretically grounded model that quantifies how distinct knowledge attributes affect self‑efficacy and avoidance behavior, (2) empirical evidence that a gamified approach can simultaneously deliver knowledge and boost confidence, and (3) a practical framework for augmenting existing anti‑phishing solutions with user‑centered education and motivation. The authors recommend future work on longitudinal behavior tracking, adaptation to diverse demographic groups, and the integration of AI‑driven adaptive gameplay to further personalize the learning experience and sustain long‑term phishing resilience.

