Analysis and evaluation of cybersecurity awareness using a game-based approach
Advances in technology have increased our dependence on online activities in our daily routines, business transactions and communication. However, this has been accompanied by an increase in malicious cyber-attacks that exploit the vulnerabilities of both online systems and Internet users. A range of technical solutions has been proposed, but human beings remain the weakest link in cybersecurity. Yet users’ knowledge and awareness of the range of cybersecurity issues remains relatively under-researched, which limits efforts to develop methods of improving security awareness. The research described in this thesis focuses on one promising method of increasing users’ cybersecurity awareness and changing their behaviour to avoid cyber-attacks, namely, gamification. The main contributions of the work are as follows.
First, it presents a critical review of current literature in the field of cybersecurity, identifies significant gaps in knowledge of cybersecurity awareness among users and explores the potential of serious games to improve awareness.
Second, it proposes a conceptual framework based on Technology Threat Avoidance Theory (TTAT) to evaluate the effectiveness of an augmented reality (AR) game designed to improve users’ ability to avoid cybersecurity attacks. The framework integrated the TTAT factors (perceived susceptibility, perceived severity, fear, perceived effectiveness, self-efficacy and safeguard cost) with gender and general decision-making style (GDMS) as individual variables. The framework was validated using a cross-sectional survey of 128 students at Macquarie University, Australia. Experimental results indicated positive support for most of the proposed relationships between the TTAT factors and cybersecurity avoidance motivation, with the exception of safeguard cost. Decision-making style had a moderating effect on avoidance behaviour. The findings also indicated that females were slightly more likely to engage in risky online behaviour than their male counterparts. The proposed framework adds considerable predictive power to the TTAT model.
Third, it describes the development of a game, called CybAR, that uses augmented reality (AR) technology. The game’s design was based on a theoretical model that combined concepts from the Unified Theory of Acceptance and Use of Technology (UTAUT2) with two significant variables, namely, personality traits and gamification factors. The theoretical model was quantitatively validated using structural equation modelling to analyse data from 122 students of Macquarie University. Experimental results demonstrated the positive impact of performance expectancy, social influence, hedonic motivation and facilitating conditions on behavioural intention to avoid cyber-attacks. There was a significant relationship between the gamification factor and actual use of the CybAR app, confirming the potential of gaming techniques to increase cybersecurity awareness and, hence, avoid cybersecurity threats. The personality traits of conscientiousness and extraversion had the greatest effect on use behaviour for the CybAR game.
Finally, a pre-test/post-test research design was used to evaluate the effectiveness of the CybAR game in changing cybersecurity avoidance behaviour among 108 students from Macquarie University, who completed the Risky Cybersecurity Behaviour scale (RScB). The survey data were evaluated quantitatively using Wilcoxon Signed-Rank tests and qualitatively using heuristic techniques. The results indicated that CybAR is a useful and practical method of increasing players’ understanding of cybersecurity issues and vulnerabilities.