Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks

TL;DR

Phish Phinder is a serious game that educates users about phishing through gamified challenges, aiming to improve their confidence and decision-making skills to better avoid phishing attacks.

Contribution

The paper introduces Phish Phinder, a novel gamified approach that combines empirical design insights and persuasive principles to enhance user awareness and trust management against phishing.

Findings

Identified key interface elements through empirical study.

Integrated persuasive design principles into game development.

Improved user confidence in phishing mitigation.

Abstract

Phishing is an especially challenging cyber security threat as it does not attack computer systems, but targets the user who works on that system by relying on the vulnerability of their decision-making ability. Phishing attacks can be used to gather sensitive information from victims and can have devastating impact if they are successful in deceiving the user. Several anti-phishing tools have been designed and implemented but they have been unable to solve the problem adequately. This failure is often due to security experts overlooking the human element and ignoring their fallibility in making trust decisions online. In this paper, we present Phish Phinder, a serious game designed to enhance the user's confidence in mitigating phishing attacks by providing them with both conceptual and procedural knowledge about phishing. The user is trained through a series of gamified challenges, designed to educate them about important phishing related concepts, through an interactive user interface. Key elements of the game interface were identified through an empirical study with the aim of enhancing user interaction with the game. We also adopted several persuasive design principles while designing Phish Phinder to enhance phishing avoidance behaviour among users.