HATCH: Hack And Trick Capricious Humans – A Serious Game on Social Engineering

Social engineering is the illicit acquisition of information about computer systems by primarily non-technical means. Although the technical security of most critical systems is usually addressed in penetration tests, such systems remain highly vulnerable to attacks from social engineers who exploit human behavioural patterns to obtain information (e.g., phishing). To achieve resilience against these attacks, we need to train people so that they understand how these attacks work and how to detect them. We propose a serious game that helps players understand how social engineering attackers work. The game can be played based on the real scenario in the company/department or based on a generic office scenario with personas that can be attacked. Our game trains people to recognise social engineering attacks in an entertaining way, which should produce a lasting learning effect.


INTRODUCTION
Traditional penetration testing approaches often focus on vulnerabilities in network or software systems (Mitnick and Simon (2009)). Few approaches even consider the exploitation of humans via social engineering. While the number of social engineering attacks and the damage they cause rise yearly, the awareness of these attacks among employees remains low (Hadnagy (2010, 2016); Proofpoint (2016)). Recently, serious games have built a reputation for getting employees of companies involved in security activities in an enjoyable and sustainable way. While still preserving a playful character, serious games are used for, e.g., security education and threat analysis (Williams et al. (2009, 2010), Shostack (2012, 2014), Denning et al. (2013)). We believe that there is a major benefit in adapting serious games specifically for social engineering (Beckers and Pape (2016a)). Our game aims at enabling ordinary employees to elicit social engineering threats for their companies (real-world scenario). Additionally, we have developed a generic scenario for training and awareness raising, which provides a description of a fictional office scenario with personas. In this paper we present our game, the generic scenario and our preliminary results of its application with students, academics, and industry.

3. The players decide if they are insiders or outsiders to the organisation.
4. Each player presents an attack to the group and the others discuss if the attack is feasible.
5. The players get points based on how viable their attack is and whether the attack was compliant with the drawn cards. The player with the most points wins the game.
6. As a debriefing, the perceived threats are discussed and the players reflect on their attacks. They may be supported by the company's security personnel.

INDEPENDENT SCENARIO
We created a generic scenario that people can relate to with little effort. We came up with the ACME office company, a medium-sized paper-producing company. For it, we described 10 employees, their roles in the company, their familiarity with computers and their attitudes towards security and privacy (see Fig. 2 as an example).

of the Technical University Munich and Goethe-University Frankfurt with a university degree. We were initially interested in whether the players could elicit possible and context-specific threats for their respective environments. We played in total 49 turns of the game, in each of which a player suggests a threat. The players deemed 42 of these threats possible, and 7 were rated not possible by the players. The results suggest that the players were able to elicit threats with the game (cf. Beckers and Pape (2016a)).
Afterwards, we were interested in measuring whether playing the game raises the security awareness of the players. Kruger and Kearney (2006) measure security awareness in terms of knowledge (what an employee knows), attitude (what an employee thinks), and behaviour (what an employee does). We created a set of 14 questions that measured security awareness in relation to the attack scenarios in our game on a 5-point Likert scale. The answers range from totally disagree to totally agree. We assessed the questionnaires with games played with 10 full-time employees from academia and 4 senior employees of an organisation A. The academics used our ACME office scenario and the senior employees the context-specific version of the game. We measured on average between 0.5 and 1 point increase in security awareness of the players after they played HATCH. There was no statistically significant difference between persons who worked with the ACME office scenario and those who used the context-specific version of the game.
In future, we will try both versions of the game with a larger sample of participants, and we are planning to measure the flow construct (Csikszentmihalyi (2000)) in relation to playing the game. In particular, we are planning to use the Flow Kurz Skala (Rheinberg et al. (2016)) to measure how intensively players immerse themselves in the game and to correlate this with the difference in security awareness before and after the game. We assume that the flow experience is positively correlated with an increase in security awareness. Additionally, we will create more generic scenarios to give players with different backgrounds easier access to the game.

ACKNOWLEDGEMENTS
We thank all the players of our game who provided us with invaluable feedback and spent their precious time with us improving the game. This research has been partially supported by the Federal Ministry of Education and Research Germany (BMBF) within the focal point "IT-Security for Critical Infrastructures" (grant number 16KIS0240) and the TUM Living Lab Connected Mobility (TUM LLCM) project funded

Figure 1: Picture of a Game Session

Figure 2: A persona 1 within our ACME Office scenario