Week 11: Wen Juan, English & translation

Posted 2013-10-31 14:56:04
A game design
framework for avoiding phishing attacks
Nalin Asanka
Gamagedara Arachchilage, Steve Love
School of Information Systems, Computing and Mathematics, Brunel
University, Uxbridge, Middlesex UB8 3PH, United Kingdom
Abstract
Game based education is becoming more and more popular. This is
because game based education provides an opportunity for learning
in a natural environment. Phishing is an online identity theft,
which attempts to steal sensitive information such as username,
password, and online banking details from its victims. To prevent
this, phishing awareness needs to be considered. This research aims
to develop a game design framework, which enhances user avoidance
behaviour through motivation to protect users from phishing
attacks. In order to do this, a theoretical model derived from
Technology Threat Avoidance Theory (TTAT) was developed and used in
the game design framework (Liang & Xue, 2010). A survey study
was undertaken with 150 regular computer users to elicit feedback
through a questionnaire. The study findings revealed that perceived
threat, safeguard effectiveness, safeguard cost, self-efficacy,
perceived severity, and perceived susceptibility elements should be
addressed in the game design framework for computer users to avoid
phishing attacks. Furthermore, we argue that this game design
framework can be used not only for preventing phishing attacks but
also for preventing other malicious
IT attacks such as viruses, malware, botnets and spyware.
1. Introduction
Security exploits can include malicious IT threats such as computer programs that disturb the normal behaviour of computer systems (viruses), malicious software (malware), unsolicited e-mail (spam), monitoring software (spyware), attempts to make computer resources unavailable to their intended users (Distributed Denial-of-Service, or DDoS, attack), the art of human hacking (social engineering) and online identity theft (phishing). These attacks are mounted for either financial or social gain (Purkait, 2012; Aggarwaly, Rajadesingan, & Kumaraguru, 2012; Ng, Kankanhalli, & Xu, 2009; Workman, Bommer, & Straub, 2008 and Woon, Tan, & Low, 2005). For example, a DDoS attack could target a bank in order to take down its e-mail server, and the attacker could then extort a lump sum of money to give the e-mail server back to the bank.
One such IT threat that is particularly dangerous to computer users is phishing. This is a type of semantic attack (Purkait, 2012; Aggarwaly et al., 2012; Downs, Holbrook, & Cranor, 2007 and Schneier, 2000) in which attackers try to fool legitimate Internet users and steal money from them by sending e-mails rather than by exploiting bugs in computer software. The attacker creates a fraudulent website which has the look-and-feel of the legitimate website. Users are then invited by e-mail to visit the fraudulent website, where their money is stolen. Phishing attacks regularly become more sophisticated as attackers learn new techniques and change their strategies accordingly (Purkait, 2012; Aggarwaly et al., 2012 and Kumaraguru et al., 2007). The most popular approach is e-mail (James, 2005 and Richmond, 2006). Phishing e-mails employ a variety of tactics to trick people into disclosing their confidential information such as usernames, passwords, national insurance numbers and credit/debit card numbers: for example, asking people to take part in a survey, or urging people to verify their bank account information by providing their bank details in order to be compensated. The increasing sophistication of these techniques makes it a challenge to protect individual users against phishing attacks (Purkait, 2012 and Drake, Oliver, & Koontz, 2006).
Personal computer users are susceptible to phishing attacks due to the rapid growth of Internet technology (Purkait, 2012; Aggarwaly et al., 2012 and Ponnurangam et al., 2007). This is because users may lack security awareness, and they make sensitive trust decisions during online activities such as online banking transactions or bill payments. Therefore, personal computer users can make a significant contribution in helping to make cyberspace a safer place for everyone. Internet technology is so ubiquitous today that it provides the backbone for modern living, enabling ordinary people to socialize, shop, and be entertained all through their personal computers. As people’s reliance on the Internet grows, the possibility of hacking, attacks and other security breaches increases rapidly (Liang & Xue, 2009). Therefore, the message ‘‘security is important’’ should reach all personal computer users.
Automated computer systems can be used to identify some fraudulent e-mails and websites (Sanchez & Duan, 2012; Purkait, 2012 and Workman et al., 2008). Dhamija and Tygar (2005) and Ye and Sean (2002) have developed a prototype called ‘‘trusted paths’’ for the Mozilla web browser that was designed to help users verify that their browser has made a secure connection to a trusted website. Nevertheless, these systems are not totally reliable in detecting phishing attacks (Purkait, 2012; Sanchez & Duan, 2012 and Sheng et al., 2007). Previous research has revealed that available anti-phishing tools such as CallingID Toolbar, Cloudmark Anti-Fraud Toolbar, EarthLink Toolbar, Firefox 2, eBay Toolbar and Netcraft Anti-Phishing Toolbar are deficient for combating phishing threats (Purkait, 2012 and Robila & Ragucci, 2006). Even the best toolbars miss over 20% of phishing websites (Zhang, Egelman, Cranor, & Hong, 2007). On the one hand, software application designers and developers will continue to improve phishing and spam detection. However, the human is the weakest link in information security (Purkait, 2012 and CNN.com, 2005). On the other hand, human-factor risks can be mitigated by educating users on how to combat phishing threats (Purkait, 2012; Aggarwaly et al., 2012; Brody, Mulig, & Kimball, 2007 and Robila & Ragucci, 2006).
Phishing education needs to be considered to protect individual users against phishing threats. Previous studies have reported end-user education as a frequently recommended approach to countering phishing attacks (Allen, 2006; Hiner, 2002; Purkait, 2012; Timko, 2008 and Kumaraguru et al., 2007). So, how should computer users be educated to combat the phishing threat?
The design of games is a double-edged sword. When its power is properly harnessed to serve good purposes, it has tremendous potential to improve human performance. However, when it is exploited for harmful purposes, it can pose huge threats to individuals and society. Therefore, the design of educational games is not an easy task and there are no all-purpose solutions (Walls, 2012 and Moreno-Ger, Burgos, Sierra, & Fernández-Manjón, 2008). The notion that game based education offers the opportunity to embed learning in a natural environment has repeatedly emerged in the research literature (Arachchilage & Cole, 2011; Walls, 2012; Moreno-Ger et al., 2008 and Sheng et al., 2007).
   This research
study is the first step in the development of a game design
framework to enhance user avoidance behaviour through motivation to
thwart phishing attacks. The aim of this study is to investigate
what key elements should be addressed in the game design framework
to avoid phishing attacks.
The objectives are as follows:
(1) Identify the key elements that should be addressed in the game design framework to avoid phishing attacks.
(2) Evaluate the game design framework using phishing attack (malicious IT threat) and game based anti-phishing education (safeguarding measure).
(3) Formulate a game design framework to thwart phishing attacks.
2. Theoretical Background
The premise behind this study is to develop a game
design framework, which enhances user avoidance behaviour through
motivation to protect them against phishing attacks. A theoretical
model derived from Technology Threat Avoidance Theory (TTAT) was
used to develop the game design framework, which is shown in Fig. 1
(Liang & Xue, 2010). The TTAT describes individual IT users’
behaviour of avoiding the threat of malicious information
technologies such as phishing attacks (Liang & Xue, 2009). The
model examines how individuals avoid malicious IT threats by using
a given safeguarding measure. The safeguarding measure does not
necessarily have to be an IT source such as anti-phishing tools;
rather it could be behaviour such as anti-phishing education (Liang & Xue, 2010).
Consistent with TTAT (Liang & Xue, 2009), users’ IT threat avoidance behaviour is determined by avoidance motivation, which, in turn, is affected by perceived threat. Perceived threat is influenced by perceived severity and susceptibility, and also by the interaction of perceived severity and susceptibility. Users’ avoidance motivation is also determined by three further constructs: safeguard effectiveness, safeguard cost, and self-efficacy.
Safeguard effectiveness is described as the individual’s assessment of a safeguarding measure regarding how effectively it can be applied to avoid the malicious IT threat (Liang & Xue, 2010); for example, the individual’s assessment of how effectively anti-phishing education can be applied to avoid a phishing attack. Safeguard cost is the payback for safeguard effectiveness. This refers to the physical and cognitive efforts such as time, money, inconvenience and comprehension required to use the safeguard measure (Liang & Xue, 2009). Self-efficacy is defined as individuals’ confidence in taking the safeguard measure. This is an important determinant of avoidance motivation. Previous research has revealed that individuals are more motivated to perform IT security related behaviours as the level of their self-efficacy increases (Kaiser, in press; Ng et al., 2009; Woon et al., 2005). In addition, the research model posits that avoidance motivation is influenced by an interaction between perceived threat and safeguard effectiveness.
The TTAT identifies the issues that the game design
framework needs to address. The proposed game design framework
attempts to develop threat perceptions such that individuals will
be more motivated to avoid phishing attacks and use safeguarding
measures. A key aspect of this is that they realise the
effectiveness of safeguarding measures, lower safeguard costs, and
increase self-efficacy.
Sheng et al. conducted a role-play survey with 1001 online survey respondents to study who falls for phishing attacks (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010). The study revealed that women are more susceptible than men to phishing and that participants between the ages of 18 and 25 are more susceptible to phishing than other age groups. Participants were drawn from a diverse group of staff and students, including people who were concerned about computer security. The study described in this paper aimed to examine participants’ phishing threat avoidance behaviour when using anti-phishing education. Therefore, the survey was only administered to participants aged 18 to 25 who had not already completed the questionnaire before.
3. Pilot study
A pilot study is a rehearsal, which is conducted before the main study takes place (Compeau & Higgins, 1995; Milne, Orbell, & Sheeran, 2002; Sonderegger & Sauer, 2010). It helps the researcher to determine whether or not the study is appropriate in terms of validity. If any problems are encountered during the pilot study, adjustments are made before the main study. A quantitative approach, based on a Likert-style questionnaire, was adopted to evaluate the game design framework described in this paper.
3.1. Questionnaire design
The questionnaire was constructed based on Liang and Xue’s theoretical model and relevant research literature (Liang & Xue, 2009; Liang & Xue, 2010; Rosenstock, 1974; Saleeby, 2000; Smith, Milberg, & Burke, 1996; Champion & Scott, 1997; Compeau & Higgins, 1995; Davis, 1989 and Davis, Bagozzi, & Warshaw, 1983). Perceived threat was measured on the basis of substantive meaning (Rosenstock, 1974). The questionnaire items related to this aspect assessed respondents’ perception of the likely harm, danger, peril or damage that a phishing attack imposes. Perceived susceptibility was developed based on health behaviour research (Saleeby, 2000), and was used to evaluate the likelihood and possibility of the occurrence of a phishing attack.
TTAT posits that computer users’ well-being includes two dimensions: computer performance and information privacy. Liang and Xue argue that a malicious IT attack could damage both dimensions (Liang & Xue, 2009). Therefore, computer users’ severity perception should relate to both dimensions. Perceived severity was measured by a number of items based on the privacy literature in IS (Smith, Milberg, & Burke, 1996) and practitioner research reporting the negative impact of phishing attacks (Brody et al., 2007; Dhamija, Tygar, & Hearst, 2006; Downs, Holbrook, & Cranor, 2006; Downs et al., 2007; Grinter et al., 2006; Jagatic, Johnson, Jakobsson, & Menczer, 2007; Miller & Garfinkel, 2005 and Schneier, 2000). The items developed in their research were based on users’ concerns about both loss of personal and confidential information and degraded computer performance related to processing speed, Internet connection, and software applications.
The items of safeguard effectiveness were developed based on relevant health behaviour research (Downs et al., 2007 and Saleeby, 2000). Similarly, a number of items in the safeguard cost subscale were derived from Milne et al.’s and Saleeby’s studies (Champion & Scott, 1997 and Saleeby, 2000). Self-efficacy was measured with items developed by Compeau and Higgins (1995), with minor amendments to adapt them to the anti-phishing education context. The items developed for avoidance motivation were based on the behavioural intention measures from technology adoption research (Davis, 1989 and Compeau & Higgins, 1995), with a focus on threat avoidance rather than IT adoption. Finally, threat avoidance was measured with three self-developed items.
Therefore, the pilot study questionnaire contained four items for perceived threat, four items for perceived severity, three items for perceived susceptibility, four items for safeguard effectiveness, three items for safeguard cost, six items for self-efficacy, three items for avoidance motivation, and three items for avoidance behaviour. In total 30 items were evaluated using a five-point Likert scale with 1 = ‘Strongly disagree’ and 5 = ‘Strongly agree’. A sample set of questionnaire items is shown in Table 1.
3.2. Participants
A pilot study questionnaire survey was run with
sixteen first year undergraduate students from the Department of
Information Systems and Computing, Brunel University, London. A
summary of the demographics of the participants in the pilot study
is shown in Table 2.
3.3. Procedure
The pilot study questionnaire survey was conducted in person. First, participants were asked to read and sign the consent form. Then the individual participants were asked whether or not they knew what the term ‘‘Phishing Attack’’ means. Those who gave a positive response were asked to give a short verbal description to confirm their understanding, whilst negative responders were read a brief definition of a phishing attack and given a short verbal description. Then participants were asked to complete the questionnaire. Each participant was given 10 min to complete the questionnaire. They were also informed that they could provide any comments and feedback on both the content and format of the study they had just been asked to take part in.
3.4. Results
Cronbach’s alpha, also known as coefficient alpha, was used to measure the internal consistency of the questionnaire (Pallant, 2007). Previous research has indicated that an alpha score greater than 0.7 indicates a good level of internal scale consistency (Cronbach, 1951; Pallant, 2007 and Zaharias & Poylymenakou, 2009). Therefore, Cronbach’s alpha was calculated for each construct of the questionnaire and is summarized in Table 3.
3.5. Summary
Based on the feedback obtained, the wording of some measurement items of each construct was slightly revised. The final questionnaire contained four items for perceived threat, four items for perceived severity, three items for perceived susceptibility, four items for safeguard effectiveness, three items for safeguard cost, six items for self-efficacy, three items for avoidance motivation, and three items for avoidance behaviour. Therefore, a total of 30 items were used in the main study to measure the eight constructs in the research model, using a five-point Likert scale with 1 = ‘Strongly disagree’ and 5 = ‘Strongly agree’.
4. Main study
4.1. Participants
The questionnaire was administered to 151 participants, who were undergraduate students from Brunel University and Bedfordshire University. Participants’ ages ranged from 18 to 25, with a gender split of 67% male and 33% female. They had an average of 16–20 h per week of Internet experience (SD = 1.19). Each participant took part in the survey on a fully voluntary basis. A summary of the demographics of the participants in the main study is shown in Table 4.
4.2. Procedure
The questionnaire was handed out to participants in person by the researcher. First, the nature of the research was explained to each participant individually and they were given an informed consent form to read and sign. They were also told that they were free to withdraw from the study at any time without having to give a reason for withdrawing. Then the individual participants were asked whether or not they knew what the term ‘‘Phishing Attack’’ means. Those who gave a positive response were asked to give a short verbal description to confirm their understanding, whilst negative respondents were read a brief definition of a phishing attack and also given a short verbal description. Then participants were asked to complete the questionnaire, which measured the eight constructs: perceived severity, perceived susceptibility, perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, avoidance motivation and avoidance behaviour. Each participant was given 10 min to complete the questionnaire. After completing the questionnaire, participants were thanked for their valuable time and effort in taking part in the study.
4.3. Results
As in the pilot study, Cronbach’s alpha was calculated for each construct to measure the internal consistency of the questionnaire items. The results of this analysis are summarised in Table 5. Previous research has shown that a Cronbach’s alpha of at least 0.7 indicates that a set of items is internally consistent as a group (Cronbach, 1951; Pallant, 2007 and Zaharias & Poylymenakou, 2009).
In addition, the Kaiser–Meyer–Olkin (KMO) measure was used to assess the adequacy of the sample; the KMO value should be greater than 0.6 for a satisfactory analysis to proceed (Cronbach & Meehl, 1955). For the sample used in this study, KMO = 0.718.
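Both the pilot and the main study rely on Cronbach’s alpha with a 0.7 cut-off to decide whether the items of a construct hang together. The Python below is an added worked example, not the paper’s own code or data: it computes alpha for each construct from a small set of constructed Likert responses (the construct names and the five respondents’ scores are made up) and flags any construct whose alpha falls below the threshold, which is the check a researcher would run before revising item wording as Section 3.5 describes.

```python
from statistics import variance


def cronbach_alpha(responses):
    """Cronbach's alpha for one construct.

    `responses` is a list of respondents, each a list of that respondent's
    scores on the construct's k items (e.g. 1..5 on a five-point Likert scale).
    alpha = k/(k-1) * (1 - sum(item variances) / variance(total scores)),
    using sample variances throughout.
    """
    k = len(responses[0])
    if k < 2 or len(responses) < 2:
        raise ValueError("need at least two items and two respondents")
    items = list(zip(*responses))                       # transpose: one tuple per item
    item_var_sum = sum(variance(item) for item in items)
    total_var = variance([sum(row) for row in responses])
    if total_var == 0:                                  # every respondent scored the same total
        raise ValueError("total scores have no variance; alpha is undefined")
    return (k / (k - 1)) * (1 - item_var_sum / total_var)


def check_constructs(data, threshold=0.7):
    """Map construct name -> (alpha rounded to 4 dp, True if alpha >= threshold)."""
    result = {}
    for name, rows in data.items():
        alpha = cronbach_alpha(rows)
        result[name] = (round(alpha, 4), alpha >= threshold)
    return result


# Constructed sample data (not the paper's): rows are respondents, columns are items.
SAMPLE = {
    "perceived_threat": [   # items move together -> high alpha
        [5, 5, 4, 5],
        [4, 4, 4, 4],
        [2, 3, 2, 2],
        [3, 3, 3, 4],
        [1, 2, 1, 2],
    ],
    "safeguard_cost": [     # items disagree -> alpha below 0.7, wording needs revision
        [5, 2, 4],
        [2, 4, 3],
        [4, 3, 2],
        [3, 5, 4],
        [1, 1, 2],
    ],
}

if __name__ == "__main__":
    for name, (alpha, ok) in check_constructs(SAMPLE).items():
        print(f"{name}: alpha = {alpha:.3f} -> {'consistent' if ok else 'revise items'}")
```

The function raises rather than returning a number when the total scores have no variance, because alpha is undefined there; a real analysis would also report the number of respondents, since alpha estimated from a handful of answers is unstable.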
4.4. Model testing
The study employed a multiple regression analysis to test Liang and Xue’s theoretical model, using phishing attack and anti-phishing education as the malicious IT threat and safeguarding measure respectively.
The model testing results are shown in Fig. 2. R-squared values were calculated for perceived threat, avoidance motivation, and avoidance behaviour; R-squared is defined as how much of the variance in the dependent variable is explained by its independent variables in the model (Davis et al., 1983). In the results for the model in this study, 36% of the variance is explained in perceived threat, 22% of the variance in avoidance motivation, and 15% of the variance in avoidance behaviour. Pearson correlation analysis was then employed to describe the strength and direction of the linear relationship between two constructs. The results indicate that perceived threat is significantly determined by perceived severity (r = .499**, Sig. = .000) and perceived susceptibility (r = .357**, Sig. = .000). Avoidance motivation is significantly determined by perceived threat (r = .386**, Sig. = .000). According to Liang and Xue’s and Baron and Kenny’s research, these results show that the influences of perceived susceptibility and severity on avoidance motivation are fully mediated by perceived threat.
As Fig. 2 shows, avoidance motivation is also significantly determined by safeguard effectiveness (r = .381**, Sig. = .000), self-efficacy (r = .162*, Sig. = .047), and safeguard cost (r = −.112*, Sig. = .037). Finally, avoidance motivation is found to significantly influence avoidance behaviour (r = .390**, Sig. = .000).
To evaluate the interaction effects of perceived susceptibility and severity, and of perceived threat and safeguard effectiveness, Chin et al.’s product-indicator approach was used (Chin, Marcolin, & Newsted, 2003). Interaction variables were created by cross-multiplying the items of perceived susceptibility and severity, and of perceived threat and safeguard effectiveness (Liang & Xue, 2010). As Fig. 2 shows, the interaction between perceived severity and susceptibility had a statistically significant effect on perceived threat (r = .588**, Sig. = .000). Finally, the interaction between perceived threat and safeguard effectiveness had a statistically significant effect on avoidance motivation (r = .452**, Sig. = .000).
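The product-indicator step above is easy to get wrong in practice (items are multiplied pairwise, not construct totals). As an added illustration that is not the paper’s code or data, the Python below standardises each item, forms every cross product of the two constructs’ items as indicators of the interaction term, averages them into a composite, and correlates that composite with a perceived-threat composite. The five respondents’ scores for the severity, susceptibility and threat items are constructed, so the resulting r is only illustrative.

```python
from statistics import mean, pstdev


def zscores(values):
    """Standardise scores to mean 0, population SD 1 (a constant column maps to all zeros)."""
    m, sd = mean(values), pstdev(values)
    return [0.0 if sd == 0 else (v - m) / sd for v in values]


def product_indicators(items_a, items_b):
    """Chin et al.'s product-indicator approach: each item of construct A times each item of B.

    items_a / items_b: per-respondent rows of raw item scores. Items are standardised
    column-wise first, then all k_a * k_b cross products are formed per respondent.
    Returns one row of k_a * k_b interaction indicators per respondent.
    """
    za = list(zip(*[zscores(col) for col in zip(*items_a)]))   # standardise, back to rows
    zb = list(zip(*[zscores(col) for col in zip(*items_b)]))
    return [[a * b for a in row_a for b in row_b] for row_a, row_b in zip(za, zb)]


def composite(rows):
    """Construct score per respondent: the mean of its indicators."""
    return [mean(row) for row in rows]


def pearson_r(x, y):
    """Pearson correlation between two equal-length score lists."""
    zx, zy = zscores(x), zscores(y)
    return sum(a * b for a, b in zip(zx, zy)) / len(x)


# Constructed sample (not the paper's data): five respondents, Likert scores per item.
SEVERITY = [[5, 4], [4, 4], [2, 3], [3, 2], [1, 2]]
SUSCEPTIBILITY = [[4, 5], [3, 3], [2, 2], [4, 3], [1, 1]]
THREAT = [[5, 5, 4], [3, 4, 4], [2, 2, 1], [3, 4, 3], [1, 1, 2]]


def interaction_effect():
    """Correlate the severity x susceptibility interaction term with perceived threat."""
    interaction = product_indicators(SEVERITY, SUSCEPTIBILITY)
    return pearson_r(composite(interaction), composite(THREAT))


if __name__ == "__main__":
    print(f"severity x susceptibility -> perceived threat: r = {interaction_effect():.3f}")
```

Standardising before multiplying keeps the product indicators on a comparable scale and reduces their correlation with the main-effect items; with two items per construct the interaction term has four indicators, which is why a regression on the composite rather than on each product separately is the usual next step.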
In summary, the model testing results provided support for all of the hypotheses. Moreover, age, gender, and Internet experience were included as control variables on avoidance motivation and avoidance behaviour in the model testing. However, none of these control variables was found to have a statistically significant effect on either avoidance motivation or avoidance behaviour. This is similar to the finding of Liang and Xue’s empirical study.
5. Game design framework
This study empirically investigated what key elements should be addressed in the game design framework for computer users to avoid phishing attacks through motivation. The elements of a theoretical model derived from TTAT were used to build the game design framework. Fig. 2 shows the model testing results. The model accounts for 36% of the variance in perceived threat, 21% of the variance in avoidance motivation, and 15% of the variance in avoidance behaviour. Perceived threat is significantly determined by perceived severity (r = .499**, Sig. = .000), perceived susceptibility (r = .357**, Sig. = .000) and their interaction (r = .588**, Sig. = .000). Therefore, the perceived severity and perceived susceptibility elements should be addressed in the game design framework for computer users to thwart phishing attacks. As Fig. 2 shows, avoidance motivation is significantly determined by perceived threat (r = .386**, Sig. = .000), safeguard effectiveness (r = .381**, Sig. = .000), safeguard cost (r = −.112*, Sig. = .037), and self-efficacy (r = .162*, Sig. = .047). It is interesting to note that safeguard cost negatively affects avoidance motivation, although it is a significant determinant of avoidance motivation. This is because the user’s motivation to avoid the IT threat is expected to be reduced by the potential cost of using the safeguard measure (Liang & Xue, 2010). Therefore, the perceived threat, safeguard effectiveness, safeguard cost, and self-efficacy elements should be addressed in the game design framework. Finally, avoidance motivation is found to significantly influence avoidance behaviour (r = .390**, Sig. = .000).
In summary, the results of this study provide support for determining what key elements should be addressed in the game design framework for computer users to avoid phishing attacks through motivation. Therefore, the perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity, and perceived susceptibility elements are addressed in the game design framework. The game design framework is shown in Fig. 3.
6. Discussion
This study empirically investigated a game design framework for computer users to thwart phishing attacks. Phishing attack and anti-phishing education were considered as the malicious IT threat and safeguarding measure respectively in order to test a theoretical model derived from TTAT (Liang & Xue, 2010). The study paid particular attention to threat perception because it plays a vital role in influencing computer users’ avoidance behaviour. As the data analysis results in Fig. 2 show, the model is able to explain a considerable amount of the variance in users’ motivation to avoid IT threats (22%) and in actual avoidance behaviour (15%). Therefore, this study conveys a simple, yet powerful message to motivate computer users to avoid malicious IT threats.
However, it is interesting to note that the variance explained in avoidance behaviour is quite low, though it is significant (Pallant, 2007). There is a possible explanation for this result. When users decide that the IT threat can be avoided by the safeguarding measures, they may take a problem-focused coping measure. However, when the IT threat cannot be avoided completely, they may take an emotion-focused coping approach (Liang & Xue, 2010; Liang & Xue, 2009 and Rhoa & Yub, 2011). Lazarus and Folkman asserted that two types of coping can be performed to deal with a threat: problem-focused and emotion-focused (Lazarus & Folkman, 1984). Problem-focused coping refers to adaptive behaviours that take a problem-solving approach. It deals directly with the malicious IT threat by taking safeguarding measures such as updating passwords regularly, disabling cookies, and installing and configuring safeguarding IT. When people face the problem as a challenge, they tend to take a problem-oriented coping behaviour and treat the problem as something that can be controlled. In contrast, in emotion-focused coping the problem is identified as a threat and a loss; people tend to perceive it as something that cannot be solved by them and hence take an emotional coping behaviour. Beaudry and Pinsonneault stated that if users perceive that the malicious IT threat can be avoided, they take problem-focused coping, whereas if they believe that the threat is not avoidable, they will inactively avoid the threat by performing emotion-focused coping (Beaudry & Pinsonneault, 2001). Therefore, it can be argued in the current study that users’ emotion-focused coping behaviour would have accounted for the phishing threat avoidance behaviour, which would account for the variance in avoidance behaviour.
Computer users have to be convinced and feel that such malicious IT threats exist in cyberspace and are avoidable. The study found some evidence in the data analysis results that the model is able to explain a respectable amount of the variance in threat perception (36%). This figure is slightly higher than in Liang and Xue’s empirical study, which reported 33% (Liang & Xue, 2010). Therefore, the perceived threat element is significantly important to address in the game design framework for computer users to enhance avoidance behaviour through motivation to thwart phishing attacks. Furthermore, the study demonstrates that, for threat perception, users need to be aware of the likelihood and severity of being attacked by a malicious IT threat. If users actually perceive the threat, they are more motivated to avoid it. The safeguarding measure was evaluated from three aspects: safeguard effectiveness, the cost related to the safeguard measure, and users’ confidence in using the safeguard. If the level of effectiveness of the safeguarding measure is high, then users are more motivated to avoid threats. So, the safeguard effectiveness element is important in the game design framework for computer users to thwart phishing threats. Users’ high confidence in taking the safeguard measures influences their motivation to avoid threats. Therefore, self-efficacy should also be included in the game design framework for avoiding threats through motivation.
When the safeguard cost is high, users are less motivated to avoid threats. Liang and Xue describe that when the time, money, inconvenience and comprehension needed to use the safeguarding measure are high, users are less motivated to avoid threats (Liang & Xue, 2009; Liang & Xue, 2010). The current study results also demonstrated that safeguard cost negatively affects avoidance motivation. Therefore, safeguard cost should be addressed in the game design framework, as the payback for safeguarding effectiveness. Liang and Xue’s model testing results did not support the interaction between perceived severity and susceptibility on perceived threat (Liang & Xue, 2010). Surprisingly, this study revealed that perceived threat is significantly determined by the interaction between perceived severity and susceptibility (r = .588**, Sig. = .000).
Moreover, this study emphasises that avoidance motivation is significantly determined by the interaction of perceived threat and safeguard effectiveness (r = .452**, Sig. = .000). This result contradicts Liang and Xue’s findings regarding the interaction between perceived threat and safeguard effectiveness on avoidance motivation (Liang & Xue, 2010). However, they suggest that the interaction between perceived threat and safeguard effectiveness can be viewed from two perspectives. First, when the threat level is high, perceived threat can be viewed as negatively moderating the relationship between safeguard effectiveness and avoidance motivation. Second, when the level of safeguard effectiveness is high, it can be viewed as negatively moderating the relationship between perceived threat and avoidance motivation. Therefore, this study does not provide evidence to address the interaction of perceived threat and safeguard effectiveness in the game design framework.
7. Conclusion and future work
This study attempted to develop a game design framework which enhances computer users’ avoidance behaviour through motivation to protect themselves from phishing attacks. The study empirically investigated what elements should be addressed in the game design framework for computer users to thwart phishing attacks. A theoretical model derived from TTAT was used to develop the game design framework. To test the model, phishing attack and anti-phishing education were considered as the malicious IT threat and safeguarding measure respectively.
Finally, the current study results provided support to define what elements should be included in the game design framework for computer users to thwart phishing attacks. Therefore, the perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity, and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through motivation. Furthermore, for future research we will attempt to design and evaluate a mobile game using the MIT App Inventor Emulator as a tool to educate computer users against the dangers of phishing attacks. The study will use the game design framework developed from the results of the study reported in this paper.
References
Aggarwal, A., Rajadesingan, A., & Kumaraguru, P. (2012). PhishAri: Automatic realtime phishing detection on Twitter. In Seventh IEEE APWG eCrime Researchers Summit (eCRS), Las Croabas, Puerto Rico, 22–25 October 2012. Accessed 03.12.12.
Allen, M. (2006). Social engineering: A means to violate a computer system. Tech. rep., SANS Institute.
Arachchilage, N. A. G., & Cole, M. (2011). Design a mobile game for home computer users to prevent from "phishing attacks". Information Society (i-Society), 485–489. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5978543&isnumber=597843 Accessed 22.12.11.
Beaudry, A., & Pinsonneault, A. (2001). IT-induced adaptation and individual performance: A coping acts model. In Twenty-second International Conference on Information Systems (pp. 475–480).
Brody, R. G., Mulig, E., & Kimball, V. (2007). Phishing, pharming and identity theft. Journal of Academy of Accounting and Financial Studies, 11, 43–56.
Champion, V., & Scott, C. (1997). Reliability and validity of breast cancer screening belief scales in African American women. Nursing Research, 6(46), 331–337.
Chin, W. W., Marcolin, B. L., & Newsted, P. R. (2003). A partial least squares latent variable modeling approach for measuring interaction effects: Results from a Monte Carlo simulation study and an electronic mail emotion/adoption study. Information Systems Research, 2(14), 189–217.
CNN.com (2005). A convicted hacker debunks some myths. 2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html> Accessed 04.04.11.
Compeau, D. R., & Higgins, C. A. (1995). Computer self-efficacy: Development of a measure and initial test. MIS Quarterly, 19, 189–211.
Cronbach, L. J. (1951). Coefficient alpha and the internal structure of tests. Psychometrika, 16, 297–334.
Cronbach, L. J., & Meehl, P. E. (1955). Construct validity in psychological tests. Psychological Bulletin, 52, 281–302.
Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319–338.
Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1983). User acceptance of computer technology: A comparison of two theoretical models. Management Science, 35(8), 982–1003.
Dhamija, R., & Tygar, J. D. (2005). The battle against phishing: Dynamic security skins. In Symposium on Usable Privacy and Security (SOUPS '05), Pittsburgh, Pennsylvania, 6–8 July 2005 (Vol. 93, pp. 77–88). 1073001.1073009> Accessed 20.03.11.
Dhamija, R., Tygar, J. D., & Hearst, M. (2006). Why phishing works. In The SIGCHI Conference on Human Factors in Computing Systems, Montréal, Québec, Canada, 22–26 April 2006.
Downs, J. M., Holbrook, M., & Cranor, L. F. (2006). Decision strategies and susceptibility to phishing. In Second Symposium on Usable Privacy and Security (SOUPS '06), Pittsburgh, Pennsylvania, 12–14 July 2006 (Vol. 149, pp. 79–90). Accessed 10.01.12.
Downs, J. S., Holbrook, M., & Cranor, L. F. (2007). Behavioural response to phishing risk. In Anti-Phishing Working Group – 2nd Annual eCrime Researchers Summit, October 2007, Pittsburgh, Pennsylvania (pp. 37–44). doi:10.1145/1299015.1299019. Accessed 25.03.11.
Drake, C. E., Oliver, J. J., & Koontz, E. J. (2006). Mail frontier anatomy of a phishing email. Accessed 03.04.11.
Grinter, R., Rodden, T., Aoki, P., Cutrell, E., Jeffries, R., & Olson, G. (Eds.) (2006). CHI '06 (pp. 581–590). Accessed 15.05.11.
Hiner, J. (2002). Change your company's culture to combat social engineering attacks. Accessed 15.07.11.
Jagatic, T., Johnson, N., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94–100.
James, L. (2005). Phishing exposed. Syngress, Canada.
Kaiser, H. F. (1974). An index of factorial simplicity. Psychometrika, 39(1), 31–36.
Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., & Nunge, E. (2007). Protecting people from phishing: The design and evaluation of an embedded training email system. In SIGCHI Conference on Human Factors in Computing Systems, San Jose, California, USA, April–May 2007.
Lazarus, R., & Folkman, S. (1984). Stress, coping, and adaptation. New York: Springer-Verlag.
Liang, H., & Xue, Y. (2009). Avoidance of information technology threats: A theoretical perspective. MIS Quarterly, 33(1), 71–90.
Liang, H., & Xue, Y. (2010). Understanding security behaviours in personal computer usage: A threat avoidance perspective. Association for Information Systems, 11(7), 394–413.
Miller, M. W. R., & Garfinkel, S. (2005). Do security toolbars actually prevent phishing attacks? Posters, SOUPS.
Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional interventions to promote exercise participation: Protection motivation theory and implementation intentions. British Journal of Health Psychology, 7, 163–184.
Moreno-Ger, P., Burgos, D., Sierra, J. L., & Fernández-Manjón, B. (2008). Educational game design for online education. Computers in Human Behavior, 24(6), 2530–2540.
Ng, B. Y., Kankanhalli, A., & Xu, Y. C. (2009). Studying users' computer security behavior: A health belief perspective. Decision Support Systems, 46(4), 815–825.
Pallant, J. (2007). A step by step guide to data analysis using SPSS for Windows (Version 15), SPSS survival manual. Buckingham: Open University Press.
Ponnurangam, K., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., & Hong, J. (2007). Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer. In APWG eCrime Researchers Summit, 4–5 October 2007, Pittsburgh, PA, USA.
Purkait, S. (2012). Phishing counter measures and their effectiveness – literature review. Information Management & Computer Security, 20(5), 382–420. http://dx.doi.org/10.1108/09685221211286548. Accessed 03.12.12.
Rhoa, H., & Yub, I. (2011). The impact of information technology threat avoidance factors on avoidance behavior of user.
Richmond, R. (2006). Hackers set up attacks on home PCs, financial firms: Study. siteid=google&guid={92615073-95B6-452EA3B9569BEACF91E8}&keyword=> Accessed 27.03.11.
Robila, S. A., & Ragucci, J. W. (2006). Do not be a phish: Steps in user education. In 11th Annual SIGCSE Conference on Innovation and Technology in Computer Science Education, Bologna, Italy, 26–28 June 2006. doi:10.1145/1140124.1140187. Accessed 29.03.11.
Rosenstock, I. M. (1974). The health belief model and preventive health behavior. Health Education Monographs, 2, 354–386.
Saleeby, J. R. (2000). Health beliefs about mental illness: An instrument development study. American Journal of Health Behavior, 24, 83–95.
N.A.G. Arachchilage, S. Love / Computers in Human Behavior 29
(2013) 706–714 713
Sanchez, F., & Duan, Z. (2012). A sender-centric approach to detecting phishing emails. In ASE/IEEE International Conference on Cyber Security, Washington DC, USA, December 14–16, 2012. Accessed 03.12.12.
Schneier, B. (2000). Semantic attacks: The third wave of network attacks. Crypto-Gram newsletter, October 2000. 0010.html> Accessed 02.04.11.
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., & Nunge, E. (2007). Anti-Phishing Phil: The design and evaluation of a game that teaches people not to fall for phish. In 3rd Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, July 2007.
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In 28th International Conference on Human Factors in Computing Systems, 10–15 April 2010, Atlanta, Georgia, USA.
Smith, H., Milberg, S., & Burke, S. (1996). Information privacy: Measuring individuals' concerns about organizational practices. MIS Quarterly, 20(2), 167–196.
Sonderegger, A., & Sauer, J. (2010). The influence of design aesthetics in usability testing: Effects on user performance and perceived usability. Applied Ergonomics, 41(3), 403–410.
Timko, D. (2008). The social engineering threat. Information Systems Security Association Journal.
Walls, R. (2012). Using computer games to teach social studies. Digital Media; Project Assignment, Uppsala University. record.jsf?pid=diva2:561746> Accessed 03.12.12.
Woon, I., Tan, G. W., & Low, R. (2005). A protection motivation theory approach to home wireless security. In International Conference on Information Systems (pp. 367–380). Las Vegas, NV.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799–2816.
Ye, Z., & Sean, S. (2002). Trusted paths for browsers. In Proceedings of the 11th USENIX Security Symposium (pp. 263–279). Berkeley, CA, USA: USENIX Association.
Zaharias, P., & Poylymenakou, A. (2009). Developing a usability evaluation method for e-learning applications: Beyond functional usability. International Journal of Human–Computer Interaction, 25(1), 75–98.
Zhang, Y., Egelman, S., Cranor, L. F., & Hong, J. (2007). Phinding phish – evaluating anti-phishing tools. In Proceedings of the 14th Annual Network & Distributed System Security Symposium, February 28–March 2, 2007. org/pubs/toolbars.html> Accessed 04.06.11.

A game design framework for avoiding phishing attacks
Nalin Asanka Gamagedara Arachchilage, Steve
Love
School of Information Systems, Computing and
Mathematics, Brunel University, Uxbridge, Middlesex UB8 3PH, United Kingdom
Abstract
Game-based education is becoming more and more popular. This is because game-based education offers an opportunity for learning in a natural environment. Phishing is a form of online identity theft that attempts to steal sensitive information, such as usernames, passwords and online banking details, from its victims. To avoid this, users' awareness of phishing needs to be raised. This research aims to develop a game design framework that enhances users' avoidance behaviour and, through that motivation, protects them from phishing attacks. To do this, a theoretical model derived from Technology Threat Avoidance Theory (TTAT) was developed and used in the game design framework. A survey study elicited feedback from 150 regular computer users through a questionnaire. The findings show that, for computer users to avoid phishing attacks, the elements of perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility should be addressed in the game design framework. Furthermore, we argue that this game design framework can be used not only to prevent phishing attacks but also to prevent other malicious IT attacks such as viruses, malware, spyware and botnets.
1. Introduction
Security exploits can include malicious IT threats such as computer programs that disrupt the normal behaviour of computer systems (viruses), malicious software (malware), unsolicited e-mail (spam), monitoring software (spyware), attempts to make computer resources unavailable to their intended users (Distributed Denial-of-Service, or DDoS, attacks), the art of human hacking (social engineering) and online identity theft (phishing). These attacks target either financial or social gain. For example, in a DDoS attack on a bank, aimed at bringing down its e-mail server, the attacker can make money by returning the mail server to the bank.
One such IT threat that is particularly dangerous to computer users is phishing. It is a type of semantic attack in which the attacker tries to deceive legitimate internet users and steal their money by sending them e-mails, rather than by exploiting vulnerabilities in computer software. The attacker creates a fraudulent website that has the look of the legitimate site. Users are then invited by e-mail to visit the fraudulent site, and their money is stolen through it. As phishing attacks become more sophisticated and attackers learn new techniques, they change their tactics accordingly; the most popular method is e-mail. Phishing e-mails use various tactics to lure people into disclosing confidential information such as usernames, passwords, national insurance numbers and credit/debit card numbers, for example asking people to take part in a survey or urging them to verify their bank account information, for which they must supply their bank details in return for compensation. The growing sophistication of these techniques makes protecting individual users from phishing attacks a challenge.
Individual computer users are vulnerable to phishing attacks because of the rapid growth of internet technology. This is because, during online activities such as online banking transactions or bill payments, users lack security awareness and make sensitive trust decisions. Individual computer users therefore need to make a significant contribution to making cyberspace a safer place for everyone. Internet technology is now ubiquitous, and the backbone of modern life that it provides lets ordinary people socialise, shop and entertain themselves through their personal computers. As people's dependence on the internet grows, the likelihood of hacking, attacks and other security breaches increases rapidly. The message that "security is very important" should therefore reach all personal computer users.
Automated computer systems can be used to identify some deceptive e-mails and websites. Dhamija and Tygar (2005) and Ye and Sean (2002) developed a prototype called "trusted paths" for the Mozilla browser, designed to help users confirm that their browser has made a secure connection to a trusted website. However, these systems are not fully reliable in detecting phishing attacks. Previous research has shown that available anti-phishing tools, such as the CallingID Toolbar, Cloudmark Anti-Fraud Toolbar, EarthLink Toolbar, Firefox 2, eBay Toolbar and Netcraft Anti-Phishing Toolbar, are flawed in combating the phishing threat. Even the best toolbars miss more than 20% of phishing websites. On the one hand, software designers and developers will keep improving phishing and spam detection; yet humans are the weakest link in information security. On the other hand, the risk from the human factor can be reduced by educating users in how to combat the threat of phishing attacks.
Phishing education needs to be considered in order to protect individual users from the threat of phishing attacks. Previous research has reported end-user education as a frequently recommended approach against phishing attacks. So how should computer users be trained to combat the phishing threat? Game design is a double-edged sword. When it is used properly for good purposes, it has great potential to improve human performance; when it is used for illegitimate purposes, it poses a great threat to individuals and society. Designing an educational game is therefore not an easy task, and there is no one-size-fits-all solution. The notion that game-based education offers an opportunity to embed learning in a natural environment has appeared repeatedly in the research literature. The first step of this research is to develop a game design framework that enhances users' avoidance behaviour, through motivation, to thwart phishing attacks. The aim of this research is to investigate which key elements should be addressed in the game design framework to avoid phishing attacks.
The objectives are as follows:
- Identify the key elements to be addressed in the game design framework for avoiding phishing attacks.
- Evaluate the game design framework for phishing attacks (a malicious IT threat) and game-based anti-phishing education (a safeguarding measure).
- Develop a game design framework to thwart phishing attacks.
2. Theoretical background
The premise of this research is to develop a game design framework that enhances users' avoidance behaviour, through motivation, to defend against phishing attacks. A theoretical model derived from Technology Threat Avoidance Theory (TTAT) was used to develop the game design framework, as shown in Fig. 1. TTAT describes how individual IT users behave in avoiding malicious IT threats such as phishing attacks. The model examines how individuals avoid a malicious IT threat by using a given safeguarding measure. The safeguarding measure need not be an IT resource such as an anti-phishing tool; it may instead be a behaviour, such as anti-phishing education.
According to TTAT, users' IT threat avoidance behaviour is determined by avoidance motivation, which in turn is influenced by perceived threat. Perceived threat is influenced by perceived severity and perceived susceptibility, and also by the interaction between them. Users' avoidance motivation is also determined by three constructs: safeguard effectiveness, safeguard cost and self-efficacy.
Safeguard effectiveness is described as an individual's assessment of how effectively a safeguarding measure can be applied to avoid a malicious IT threat, for example an individual's assessment of how effectively anti-phishing education can be applied to avoid phishing attacks. Safeguard cost is the counterpart of safeguard effectiveness; it refers to the physical and cognitive effort, such as the time, money, inconvenience and understanding, needed to use the safeguarding measure. Self-efficacy is defined as an individual's confidence in taking the safeguarding measure, and is an important determinant of avoidance motivation. Previous research has shown that individuals are more motivated to perform IT security-related behaviour as their level of self-efficacy increases. Furthermore, the research model assumes that avoidance motivation is influenced by the interaction of perceived threat and safeguard effectiveness.
TTAT identifies the issues the game design framework needs to address. The proposed game design framework attempts to develop threat perception so that individuals are more willing to avoid phishing attacks and to use safeguarding measures. A key aspect is making them aware of the effectiveness of the safeguarding measure, lowering the safeguard cost and raising self-efficacy.
Sheng et al. conducted a role-play survey with 1001 online respondents to study who falls for phishing attacks. That study showed that women are more susceptible to phishing than men, and that participants aged between 18 and 25 are more susceptible than other age groups. The participants included staff and students from different cultural groups, including people concerned about computer security. The research described in this paper examines participants' phishing threat avoidance behaviour through the use of anti-phishing education. Therefore, the survey was given only to participants aged 18 to 25 who had not previously completed the questionnaire.
3. Pilot study
A pilot study is a preliminary study conducted before the main study takes place. It helps the researcher decide whether the study is appropriate in terms of validity. If any problems were encountered in the pilot study, adjustments were made before the main study. A quantitative analysis based on a Likert-style questionnaire was the method adopted to evaluate the game design framework described in this paper.
3.1. Questionnaire design
The questionnaire was constructed on the basis of Liang and Xue's theoretical model and the related research literature. Perceived threat was measured on the basis of its substantive meaning; the questionnaire items on this aspect assess the respondent's perceived possibility of harm, danger or injury imposed by phishing attacks. Perceived susceptibility was developed on the basis of health behaviour research and is used to assess the likelihood of a phishing attack occurring.

Fig. 1. Research model derived from TTAT
TTAT suggests that computer users' well-being comprises two dimensions: computer performance and information privacy. Liang and Xue argue that malicious IT attacks can damage both dimensions (Liang & Xue, 2009). Therefore, computer users' perceived severity should cover both dimensions. Perceived severity was measured using a number of items based on the information systems literature on privacy and on practitioner reports of the negative effects of phishing attacks. The items were developed on the basis of users' concerns about the loss of personal and confidential information and the degradation of computer performance in terms of processing speed, network connection and software applications.
Items for safeguard effectiveness were developed on the basis of related health behaviour research. For example, some items for the safeguard cost dimension of the scale were derived from the work of Milne, Saleeby and others. Self-efficacy was measured using the item scale developed by Compeau and Higgins (1995), with minor modifications to fit the anti-phishing education context. A number of items for avoidance motivation were developed on the basis of the behavioural intention measures used in technology adoption research, with the focus on threat avoidance rather than IT adoption. Finally, threat avoidance was measured with three self-developed items.
Therefore, the pilot study questionnaire contained four items for perceived threat, four for perceived severity, three for perceived susceptibility, four for safeguard effectiveness, three for safeguard cost, six for self-efficacy, three for avoidance motivation and three for avoidance behaviour. A total of 30 items were assessed on a five-point Likert scale, with 1 = "strongly disagree" and 5 = "strongly agree". A sample of the questionnaire is shown in Table 1.
Table 1 Sample of the questionnaire

3.2. Participants
The pilot study questionnaire was given to first-year undergraduates in the Department of Information Systems and Computing, Brunel University, London. The participant demographics of the pilot study are shown in Table 2.
Table 2 Participant demographics of the pilot study
Characteristic | Number
Sample size | 16
Gender
Male | 10
Female | 6
Age range (18–25) | 16
Average weekly time spent online (hours)
0–5 | 0
6–10 | 19
11–15 | 12
16–20 | 19
20+ | 50

3.3. Procedure
The pilot study questionnaire was administered face to face. Participants were first asked to read and sign a consent form. Each participant was then asked whether they knew the meaning of the term "phishing attack". Those who responded positively were asked to give a brief verbal description to confirm their understanding, while those who responded negatively were asked to read a brief definition and were given a short verbal description of phishing attacks. Participants were then asked to complete the questionnaire. Each participant was allotted 10 minutes to complete it. They were also told that they could give any comments and feedback on the content and format of the study.
3.4. Results
Cronbach's alpha, known as coefficient alpha, was used to measure the internal consistency of the questionnaire (Pallant, 2007). Previous research has shown that an alpha value above 0.7 indicates good internal consistency of a scale. Therefore, Cronbach's alpha was calculated for each construct of the questionnaire model, as shown in Table 3.
Table 3 Cronbach's alpha for the questionnaire constructs in the pilot study
Construct | Cronbach's alpha (>0.70)
Perceived susceptibility | 0.716
Perceived severity | 0.869
Perceived threat | 0.770
Safeguard effectiveness | 0.904
Safeguard cost | 0.938
Self-efficacy | 0.798
Avoidance motivation | 0.751
Avoidance behaviour | 0.880

3.5. Summary
Based on the feedback received, the wording of several measurement items for each construct of the model was slightly modified. The final questionnaire contained four items for perceived threat, four for perceived severity, three for perceived susceptibility, four for safeguard effectiveness, three for safeguard cost, six for self-efficacy, three for avoidance motivation and three for avoidance behaviour. Therefore, a total of 30 items were used in the main study to measure the constructs of the research model on a five-point Likert scale, with 1 = "strongly disagree" and 5 = "strongly agree".
4. Main study
4.1. Participants
The questionnaire was administered to 151 participants, undergraduates from Brunel University and the University of Bedfordshire. Participants' ages ranged from 18 to 25; in terms of gender, 33% were female and 67% male. Their average internet experience was 16–20 hours per week (SD = 1.19). Each participant took part in the survey on an entirely voluntary basis. The participant demographics of the main study are shown in Table 4.
Table 4 Participant demographics of the main study
Characteristic | Number
Sample size | 151
Gender
Male | 101
Female | 50
Age range (18–25) | 151
Average weekly time spent online (hours)
0–5 | 3
6–10 | 12
11–15 | 14
16–20 | 14
20+ | 57

4.2. Procedure
The questionnaire was handed out to participants by the researcher in person. First, the nature of the study was explained to each participant individually and they gave informed consent, from reading to responding. They were also told that they were free to withdraw from the study at any time without giving a reason. Each participant was then asked whether they knew the meaning of the term "phishing attack". Those who responded positively were asked to give a brief verbal description to confirm their understanding, while those who responded negatively were asked to read a brief definition of phishing attacks and were given a short verbal description. Participants were then asked to complete the questionnaire, which measured eight constructs: perceived severity, perceived susceptibility, perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, avoidance motivation and avoidance behaviour. Each participant was given 10 minutes to complete it. After the questionnaire was completed, participants were thanked for the valuable time and effort they had spent on the study.
4.3. Results
As in the pilot study, Cronbach's alpha was calculated for each construct to measure the internal consistency of the questionnaire items. The results of this analysis are listed in Table 5. Previous research has shown that a minimum Cronbach's alpha of 0.7 indicates internal consistency for a set of items.
In addition, the Kaiser-Meyer-Olkin (KMO) measure was used to assess sampling adequacy; the KMO value should be greater than 0.6 for a satisfactory analysis. For the sample in this study, KMO = 0.718.
Table 5 Cronbach's alpha for the questionnaire constructs in the main study
Construct | Cronbach's alpha (>0.70)
Perceived susceptibility | 0.730
Perceived severity | 0.766
Perceived threat | 0.701
Safeguard effectiveness | 0.803
Safeguard cost | 0.805
Self-efficacy | 0.714
Avoidance motivation | 0.753
Avoidance behaviour | 0.762

4.4. Model testing
The study used multiple regression analysis to test Liang and Xue's theoretical model with the following parameters: phishing attacks and anti-phishing education as a malicious IT threat and a safeguarding measure respectively. The model testing results are shown in Fig. 2. The model calculated R-squared values for perceived threat, avoidance motivation and avoidance behaviour; R-squared is defined as how much of the variance in the dependent variable is explained by the independent variables in the model (Davis et al., 1983). In the results of this research model, 36% of the variance in perceived threat, 22% of the variance in avoidance motivation and 15% of the variance in avoidance behaviour was explained. Pearson correlation analysis was then used to describe the strength and direction of the linear relationship between two constructs. The results show that perceived threat is significantly determined by perceived severity (r = .499, Sig. = .000) and perceived susceptibility (r = .357, Sig. = .000). Avoidance motivation is significantly determined by perceived threat (r = .386, Sig. = .000). According to the work of Liang and Xue and of Baron and Kenny, these results indicate that perceived threat fully mediates the effects of perceived susceptibility and perceived severity on avoidance motivation.

Fig. 2. Model testing results
As shown in Fig. 2, avoidance motivation is significantly determined by safeguard effectiveness (r = .381, Sig. = .000), self-efficacy (r = .162, Sig. = .047) and safeguard cost (r = -.112, Sig. = .037). Finally, avoidance behaviour was found to be significantly determined by avoidance motivation (r = .390, Sig. = .000).
To assess the interaction effects of perceived susceptibility with perceived severity, and of perceived threat with safeguard effectiveness, the product-indicator approach of Chin et al. was used. Interaction variables were created by cross-multiplying the items of perceived susceptibility and perceived severity, and the items of perceived threat and safeguard effectiveness. As shown in Fig. 2, the interaction between perceived severity and perceived susceptibility has a statistically significant effect on perceived threat (r = .588, Sig. = .000). Finally, the interaction between perceived threat and safeguard effectiveness has a statistically significant effect on avoidance motivation (r = .452, Sig. = .000).
In summary, the model testing results provide support for all the hypotheses. In addition, age, gender and internet experience were included in the model test as control variables for avoidance motivation and avoidance behaviour. However, none of these control variables was found to have a statistically significant effect on avoidance motivation or avoidance behaviour. This is similar to the results of Liang and Xue's empirical study.
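The reliability check of Sections 3.4 and 4.3 (Cronbach's alpha against the 0.70 cut-off) and the product-indicator interaction terms of Section 4.4, as an added Python example that is not code from the paper or its authors. The Likert responses, the construct names used as keys and the per-respondent interaction score (mean of all cross-products of mean-centred items) are assumptions constructed here for illustration.

```python
"""Questionnaire checks for the TTAT study model.

Added example, not code from the paper or its authors: it computes Cronbach's
alpha per construct against the 0.70 threshold the study applies, builds an
interaction variable with the product-indicator approach (cross-multiplying
the mean-centred items of two constructs) and correlates it with an outcome.
All Likert responses below are constructed for illustration.
"""
from math import sqrt
from statistics import mean, pvariance


def cronbach_alpha(responses):
    """responses: one list of k Likert scores (1-5) per respondent.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(item totals))."""
    k = len(responses[0])
    item_var_sum = sum(pvariance(col) for col in zip(*responses))
    total_var = pvariance([sum(r) for r in responses])
    return k / (k - 1) * (1 - item_var_sum / total_var)


def reliability_report(constructs, threshold=0.70):
    """Map each construct name to (alpha rounded to 3 dp, meets threshold)."""
    report = {}
    for name, responses in constructs.items():
        alpha = cronbach_alpha(responses)
        report[name] = (round(alpha, 3), alpha >= threshold)
    return report


def _centre(col):
    m = mean(col)
    return [v - m for v in col]


def product_indicator(x_responses, z_responses):
    """Per-respondent interaction score: mean of every cross-product of a
    mean-centred X item with a mean-centred Z item (Chin et al. approach)."""
    x_cols = [_centre(c) for c in zip(*x_responses)]
    z_cols = [_centre(c) for c in zip(*z_responses)]
    return [mean(xc[i] * zc[i] for xc in x_cols for zc in z_cols)
            for i in range(len(x_responses))]


def pearson(a, b):
    """Pearson correlation coefficient between two equal-length samples."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    return cov / sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))


# Constructed responses (4 respondents) for three of the study's constructs.
SUSCEPTIBILITY = [[1, 2, 1], [2, 2, 3], [4, 3, 4], [5, 5, 4]]   # consistent items
SEVERITY = [[1, 2], [3, 3], [4, 4], [5, 4]]
INCONSISTENT = [[1, 5, 3], [2, 4, 5], [4, 2, 1], [5, 1, 4]]   # items disagree
PERCEIVED_THREAT = [5, 8, 12, 15]                             # summed item scores

if __name__ == "__main__":
    print(reliability_report({"susceptibility": SUSCEPTIBILITY,
                              "severity": SEVERITY,
                              "inconsistent": INCONSISTENT}))
    interaction = product_indicator(SUSCEPTIBILITY, SEVERITY)
    print("r(interaction, threat) =", round(pearson(interaction, PERCEIVED_THREAT), 3))
```

A construct whose items do not move together (the INCONSISTENT set) yields an alpha below the cut-off and is flagged, which is the situation the pilot study exists to catch before the main study.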
5. Game design framework
This empirical study investigated which key elements should be addressed in a game design framework to help computer users consciously avoid phishing attacks. The elements of a theoretical model derived from TTAT were used to address this in the game design framework. Fig. 2 shows the results of the model test. The model accounts for 36% of the variance in perceived threat, 21% of the variance in avoidance motivation and 15% of the variance in avoidance behaviour. Perceived threat is significantly determined by perceived severity (r = .499, Sig. = .000), perceived susceptibility (r = .357, Sig. = .000) and their interaction (r = .588, Sig. = .000). Therefore, the perceived severity and perceived susceptibility elements should be addressed in the game design framework for computer users to thwart phishing attacks. As shown in Fig. 2, avoidance motivation is significantly determined by perceived threat (r = .386, Sig. = .000), safeguard effectiveness (r = .381, Sig. = .000), safeguard cost (r = -.112, Sig. = .037) and self-efficacy (r = .162, Sig. = .047). It is interesting to note, however, that safeguard cost is negatively correlated with avoidance motivation, even though it significantly determines it. This is because a user's motivation to avoid an IT threat is expected to decrease with the potential cost of using the safeguarding measure (Liang & Xue, 2010). Therefore, the perceived threat, safeguard effectiveness, safeguard cost and self-efficacy elements should be addressed in the game design framework. Finally, avoidance motivation was found to significantly affect avoidance behaviour (r = .390, Sig. = .000).
In summary, the results of this study provide support for identifying which key elements should be addressed in the game design framework to help computer users avoid phishing attacks through motivation. Therefore, the perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements are addressed in the game design framework, which is shown in Fig. 3.

Fig. 3. Game design framework
6. Discussion
This empirical study investigated a game design framework for computer users to thwart phishing attacks. Phishing attacks and anti-phishing education were therefore considered as a malicious IT threat and a safeguarding measure respectively, in order to test a theoretical model derived from Technology Threat Avoidance Theory (TTAT) (Liang & Xue, 2010). The study paid particular attention to threat perception because it plays a vital role in influencing computer users' avoidance behaviour. The results of the data analysis, shown in Fig. 2, indicate that the model can explain a substantial amount of the variance in users' motivation to avoid IT threats (22%) and in actual avoidance behaviour (15%). This study therefore conveys a simple but powerful message for motivating computer users to avoid malicious IT threats.
It is interesting to note, however, that the variance explained in avoidance behaviour is low, although significant. There is one possible explanation for this result. When users decide that an IT threat can be avoided by adopting some safeguarding measure, they may take a problem-focused coping approach; when the IT threat cannot be fully avoided, they may take an emotion-focused coping approach. Lazarus and Folkman state that two types of coping can be performed in response to a threat: problem-focused and emotion-focused. Problem-focused coping, called adaptive behaviour, takes a problem-solving approach. It deals with the malicious IT threat directly by taking safeguarding measures such as regularly updating passwords, disabling cookies, and installing and configuring safeguarding IT. When people face a problem as a challenge, they appear to adopt problem-focused coping behaviour and treat the problem as something that can be controlled. In contrast, in emotion-focused coping the problem is identified as a threat or a loss, and people tend to treat it as something they cannot solve and therefore adopt emotional coping behaviour. Beaudry and Pinsonneault indicate that if users perceive a malicious IT threat they take problem-focused coping, or, if they believe the threat is unavoidable and that avoiding it is futile, they take emotion-focused coping. It is therefore considered in the current study that users' emotion-focused coping behaviour also contributes to avoidance behaviour towards the phishing threat, which would explain the variance in avoidance behaviour.
Computer users must believe and feel that such malicious IT threats exist in cyberspace and can be avoided. This study found some evidence in the data analysis results that the model can explain a considerable amount of the variance in perceived threat (36%). This figure is slightly higher than the 33% of Liang and Xue's empirical study (Liang & Xue, 2010). Therefore, the perceived threat element is very important to address in the game design framework, so that computer users' avoidance behaviour is enhanced through motivation to thwart phishing attacks. Furthermore, the research shows that, for perceived threat, users need to be aware of the likelihood and the severity of being subjected to malicious IT attacks. If users do perceive the threat, they are more motivated to get rid of it. The safeguarding measure is evaluated on three aspects: safeguard effectiveness, the cost associated with the safeguarding measure, and users' confidence in using the safeguard. If the level of safeguard effectiveness is high, users will be more motivated to avoid the threat. Therefore, safeguard effectiveness is an important element of the game design framework for computer users to thwart the threat of phishing attacks. Users' high confidence in taking the safeguarding measure influences their motivation to avoid the threat. Therefore, self-efficacy should also be included in the game design framework for avoiding the threat through motivation.
When the safeguard cost is high, users' motivation to avoid the threat decreases. Liang and Xue describe that when the time, money, inconvenience and understanding needed to use the safeguarding measure are very high, users' motivation to avoid the threat decreases. The results of the current study also confirm that safeguard cost is negatively correlated with avoidance motivation. Therefore, safeguard cost should be addressed in the game design framework as the counterpart of safeguard effectiveness. Liang and Xue's model testing results did not support an effect of the interaction between perceived severity and perceived susceptibility on perceived threat. Surprisingly, this study shows that perceived threat is significantly determined by the interaction between perceived severity and perceived susceptibility (r = .588, Sig. = .000).
In addition, this study highlights that avoidance motivation is significantly determined by the interaction between perceived threat and safeguard effectiveness (r = .452, Sig. = .000). This result contradicts Liang and Xue's finding on the effect of the interaction between perceived threat and safeguard effectiveness on avoidance motivation (Liang & Xue, 2010). However, they suggest that the interaction between perceived threat and safeguard effectiveness can be viewed from two perspectives. First, when the level of threat is high, perceived threat can be seen as negatively moderating the relationship between safeguard effectiveness and avoidance motivation. Second, when the level of safeguard effectiveness is high, it can be seen as negatively moderating the relationship between perceived threat and avoidance motivation. Therefore, this study does not provide evidence regarding the interaction of perceived threat and safeguard effectiveness in the game design framework.
7. Conclusion and future work
This study attempted to develop a game design framework that enhances computer users' avoidance behaviour through motivation to protect themselves from phishing attacks. The study empirically investigated which elements should be addressed in the game design framework to help computer users thwart phishing attacks. A theoretical model derived from Technology Threat Avoidance Theory was used to develop the game design framework. To test the model, phishing attacks and anti-phishing education were considered as a malicious IT threat and a safeguarding measure respectively.
Finally, the results of the current study provide support for defining which elements should be included in the game design framework to help computer users thwart phishing attacks. Therefore, the perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity and perceived susceptibility elements should be incorporated into the game design framework for computer users to avoid phishing attacks through motivation.
Furthermore, for future research we will attempt to design and evaluate a mobile game, using the MIT App Inventor Emulator as a tool, to educate computer users about the dangers of phishing attacks. That study will use the game design framework developed from the results reported in this paper.