Security Serious Game

SSG – security serious games This thesis describes the problem of ignorance in CyberSecurity. This gap leads to Malware spreading. Malware is intrusive software that is designed to damage and destroy computers and computer systems. Malware uses human factors to spread, in fact, Malware authors often try to trick users into downloading malicious files or opening files containing malicious attachments. To avoid that, it is important to improve users’ knowledge about Malware. One way to do that is through SSG. This is a technique for transmitting knowledge through gamification techniques, achieving good results. The work starts talking about Cybercrime and how it is increased in the last few years. Then, it will continue with the Malware description, how to protect from Malware and how Malware uses users’ ignorance to spread. Regarding users’ ignorance, there are some important statistics, before and after security training. They show how, where there was security training, employees were able to recognize malware in higher percentages. Then, the work continues with Social Engineering and its different techniques: Baiting, Phishing, Pretexting, and Scareware. After that, the work focuses on a way to reduce IT ignorance, in particular on Security Serious Games. The work starts to introduce the SSG and an important study about the target of the game. Because, before creating a game, you need to define a target. At the beginning of the study, there is Bartle’s theory. He suggests a categorization of 4 types: Socializer, Achievers, Killers, and Explorers). This theory suffers from several limitations, then, another researcher Nick Yee formulated 3 components and 10 sub-components that are very important in understanding the motivations of the players. After discussing the target, the work introduces a list of Serious Security Games online to better understand their mechanism. For each game, there is a short explanation about it, a personal review of the gameplay and then a way to adapt the game to the Malware concept. These SSGs are collected in a server, in which it is possible to read a short description to know the context of the game and it is possible to play it with a click on the play button. Now, the work shifts to the creation of a SSG for teaching about Malware, in particular how it spreads. In the end, the work, through the surveys, verifies if the users have acquired knowledge about Malware. Then, it discusses what has been achieved, what worked, and what can be better to improve in future works.