Creating IT Security Awareness is probably the most important task in an organization that seriously looks into protecting their information assets. An organization can spend heavily on their computer and network security solutions and yet fail to keep their assets safe; as their staff are not aware of the importance of IT security. Humans (users) have always been mentioned as the weakest link in many researches when it comes to IT security. Damages to IT systems can happen not only because users fail to conduct good IT security practices, but can also cause the systems to malfunction because of their carelessness and ignorance.
A user may become a victim to phishing or scam attacks if he does not know what these attacks are and how they work. For example, a user may receive an error or warning message that says his computing or mobile device needs to be "cleaned" or "tuned". Thinking that this message is genuine, the user may thus download a malicious software that is associated with the error/warning message. Malwares are known to be able to create many types of issues on a user's computing or mobile device i.e. slowing down the device performance, stealing the computing power of the device, stealing the information on the device or even taking control of the device.
Another example is that ignorant and innocent users may fall victim to phishing attacks. Phishing still remains as the highest fraud attack that users fall into. The very nature of phishing is to "fish" users to provide their important and valuable information i.e. credit card details, usernames and passwords. Emails received by users may contain creatively drafted messages that lures them to provide the important information. Users may carelessly provide their usernames and passwords from an email with the subject such as "Change Your Password Immediately". This fraud email which may contain links to fake websites (but look and feel like the original ones) will collect the username and password pairs.
If users are aware about the existence of such security problems, the chances are that they are more cautious when they come across such threats. For this, users must be given awareness on the importance of IT security. Among the many ways of doing so i.e. training, classroom teaching and videos, learning via games is probably another good approach in creating security awareness. Games involve users and therefore makes the learning of security awareness more engaging and interesting.
There are a number of games which have been created for this purpose. Among these games are CyberProtect, CyberCIEGE, Anti-phishing Phil, Artificial Intelligent Wars and also some games created by Next Generation Security (NGSEC). Brief details of some of these games are given below:
CyberProtect
This game teaches the basics of Information Assurance at the network level. This game is targeted to teach IT security professionals. In this game, players will learn how to protect their virtual network using protection measures and controls like firewalls, antiviruses, security policies, etc. Attacks are posed to the players' virtual network and the players' Information Assurance strategies will determine whether the attacks can be denied or not.
CyberCIEGE
This video game teaches the concepts of computer and network security. Players will spend virtual money to operate and defend their virtual networks. The objective of this game is to improve the players' knowledge on Information Assurance. At the same time, it provides cyber security education and training to the players. Just like CyberProtect, players will see the strength of the measures they put in protecting their virtual network while under attack, and the outcomes of those. The link to the game's site is here.
Anti-phishing Phil
As the name implies, this game focuses on teaching the users on countering phishing attacks. It shows the players on identifying phishing URLs, looking for cues in web browsers, and on getting the search engines to find the genuine and legitimate sites. The link to the game's site is here.
