Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks
This addresses phishing threats for users by focusing on human decision-making vulnerabilities, though it is incremental as it builds on existing game-based training approaches.
The paper tackles the problem of phishing attacks by developing Phish Phinder, a serious game that trains users to enhance their confidence in mitigating phishing through gamified challenges, resulting in improved user interaction and phishing avoidance behavior.
Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.