Exploring and Evaluating Different Game Mechanics for Anti-Phishing Learning Games

Abstract

Anti-phishing learning games are a promising approach to teach end-users about phishing, as they offer a scalable and engaging environment for active learning. Existing games have been criticized for their limited game mechanics that do not allow for detailed assessment of the players' acquired knowledge, instead focusing mostly on factual and conceptual knowledge to remember or understand. To extend the research field, this paper presents the design and evaluation of two new anti-phishing learning games: The first game implements an extended classification mechanic to better assess the player's decision process, while the second game implements a different game mechanic, which requires players to combine URL parts to construct their own phishing URLs. We compare the games with each other and with a baseline implementation that uses binary decisions similar to existing games in a user study with 133 participants. The study shows, that while all three games lead to performance increases, none of the new games offer significant improvements over the baseline. Furthermore, results of a longitudinal test three months after playing the games show that knowledge can be retained as participants still perform significantly better than before playing either one of the games.