Creating Awareness on Phishing Signals amongst Hospital Staff using Serious Gaming

Abstract

Ransomware attacks based on social engineering have been increasing since COVID-19. Attackers have commonly used phishing as a social engineering technique to deploy a ransomware attack. Critical infrastructures such as hospitals have been a common target of these attacks due to hospitals’ sudden increase in digitization and interconnectivity, and the richness of the data they house. 70 percent of the ransomware attacks against organizations were attributed to the shortage of cybersecurity skills amongst employees. Basic knowledge amongst employees in recognizing suspicious signals is scarce, even though there are numerous workshops, programs, and online websites to educate users about such threats. To tackle this problem, effective employee awareness methods are necessary, and in this research serious games are used to help solve it. The Game Design Research Approach was used to design a serious game based on the combination of the PMT and MINDSPACE frameworks. The game design focuses on creating awareness of phishing signals among the players by using the elements of the PMT framework, that is, threat appraisal (making the players aware of the severity of and vulnerability to a threat) and coping appraisal (coping responses available to the player to deal with the threat). The influencers of the MINDSPACE framework are used in the design of the game to act as catalysts to improve threat appraisal and coping appraisal. The designed game, Phish Phishy, is a tabletop card game with four different sets of cards and is played in two rounds. Two gameplay sessions were conducted in two large academic hospitals in The Netherlands. Based on the game design, the results from the game survey suggested an increase in the awareness levels, that is, improved understanding of phishing signals (threat appraisal) and improved response to threats by reporting them (coping appraisal).
Therefore, the PMT and MINDSPACE framework combination suggested by Briggs (2017) was explored for the first time through the serious game, Phish Phishy, to make hospital staff aware of phishing signals in the work environment and report them. The limitations of this research are that the gameplay was conducted only in two hospitals, so the sample size is too small for generalisability. Future research should focus on conducting more gameplay sessions by replicating the samples to consider the potential of making the PMT and MINDSPACE frameworks the industry standard for creating cybersecurity awareness interventions.