Weaponize personnel against social engineering attacks via gamified active inoculation

Abstract

The number of cybercrime cases rises rapidly, and the type of crime takes more and more diverse forms. However, the protection against these risks lag behind and becomes quickly outdated. This thesis follows the Fake News Game example using active inoculation in the form of a game against social engineering risks. Inoculation draws the analogy with vaccines and says humans can be injected with small pieces of persuasion to trigger the development of antibodies against that persuasion, similar to how vaccines protect humans against diseases. The player is placed in a social engineer's shoes and learns six often used psychological techniques in social engineering attacks in the game. These techniques are shown in short, interactive sections, where the player experiences how these techniques feel. This way, the body learns how to recognize these techniques and develop its antibodies against them, thus learning how to protect against them when they are used for real. The game is built to be flexible and modular. The flexible and modular setup of the game allows for adjustment to the target audience. This way, it can also keep up with the rapidly changing developments within cybercrime. The intervention was tested within the Dutch Armed Forces in a three-group pretest-posttest quasi-experiment. The experiment showed no evidence the intervention was successful in raising resilience against social engineering attacks. However, the intervention data shows evidence that the intervention is an effective way of raising resilience against social engineering risks.