Beckers, K.; Pape, S. and Fries, V.In Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016, 2016.
Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually being regarded in penetration tests, such systems remain highly vulnerable to attacks from social engineers that exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people to teach them how these attacks work and how to detect them. Once realised someone is trying to trick us into taken actions that not in our best interest, we can simply say no. While traditional training techniques involve talks and questionnaires and often force employees to participate. We propose a serious game that helps players to understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people in realising social engineering attacks in an entertaining way, which shall cause a lasting learning effect.