Cyber Suraksha A Card Game Fo

The document discusses the development and evaluation of a tabletop card game called Cyber Suraksha, aimed at enhancing cybersecurity awareness among smartphone users. Utilizing the Fogg behaviour model and constructive learning theory, the game encourages users to adopt recommended security practices, with findings indicating that participants in the intervention group were significantly more likely to change their behavior. The study highlights the effectiveness of combining hope and fear appeals in serious game design for cybersecurity education, although it notes limitations in generalizability due to the small sample size.


The current issue and full text archive of this journal is available on Emerald Insight at:

https://www.emerald.com/insight/2056-4961.htm

ICS 31,5

Cyber Suraksha: a card game for smartphone security awareness

Pintu Shah
Department of Information Technology, Narsee Monjee Institute of Management Studies, Mumbai, India, and
Anuja Agarwal
Department of Technology Management, Narsee Monjee Institute of Management Studies, Mumbai, India

Received 14 May 2022
Revised 26 November 2022, 2 February 2023, 24 April 2023, 16 May 2023, 16 May 2023
Accepted 17 May 2023

Abstract
Purpose – The frequency and sophistication of cybercrimes are increasing. These cybercrimes are
impacting government and private organizations as well as individuals. One of the countermeasures is to
improve the cyber hygiene of the end-users. Serious games or game-based learning has emerged as a
promising approach for implementing security education, training and awareness program. In this paper, the
researchers propose a tabletop card game called Cyber Suraksha to increase threat awareness and motivate
users to adopt recommended security controls for smartphone users. Cyber Suraksha provides an active
learning environment for the players. This paper aims to provide the details of the design and evaluation of
the game using a between-subjects design.
Design/methodology/approach – The researchers have used constructive learning theory and the
Fogg behaviour model (FBM) to design a tabletop card game called Cyber Suraksha. The researchers
evaluated the game using a between-subjects design. The participants’ responses in the control and
intervention groups were collected using the risk behaviour diagnosis scale. Pearson’s Chi-Square test with a
5% significance level was used to test the hypotheses.
Findings – The results indicate that the game is enjoyable and fun. Cyber Suraksha game effectively
motivates users to adopt the recommended security control for the targeted behaviour. The results indicate
that the participants in the intervention group are 2.65 times more likely to adopt recommended behaviour.
The findings of this study provide evidence for the effectiveness of hope and fear appeals in improving
cybersecurity awareness.
Research limitations/implications – The generalizability of the study is limited because the sample
size is small compared to the total number of smartphone users in India, and only students from computer/IT
UG programs in India are used as participants in this study.
Practical implications – This study uses hope and a fear appeal to design an effective serious game. It
also demonstrates using the FBM and constructive learning principles for effective serious game design.
Cyber Suraksha is effective for the student group and may be tested with other age groups.
Originality/value – To the researchers’ knowledge, there are no serious games for cybersecurity
awareness focusing on the threats faced by smartphone users based on FBM and constructive learning
theory. This research used hope along with a fear appeal to motivate smartphone users to adopt
recommended security controls.
Keywords Cybersecurity awareness, Serious games, Game-based learning, Smartphone user,
Fogg behaviour model, Constructive learning theory
Paper type Research paper

Information & Computer Security
Vol. 31 No. 5, 2023
pp. 576-600
© Emerald Publishing Limited
2056-4961
DOI 10.1108/ICS-05-2022-0087

1. Introduction
Cyber threats are emerging as one of the biggest societal threats of the 21st century (Brooks,
2021). Cybercriminals are getting organized and collaborating with other gangs to launch
cyber-attacks. New threat vectors are emerging because of new technologies like the Internet
of Things, cloud computing, artificial intelligence, 4G and 5G networks and smartphones
(Forcepoint, 2018). Cybercriminals target businesses and common people for their financial
gains (IBM Security, 2021; ENISA, 2021). Keeping pace with the constantly changing cyber
threat landscape is becoming challenging.
Businesses have increased security spending to become more resilient to cyber-attacks
(Braue, 2021). Several standards and frameworks have been proposed to manage cyber risk
for organizations. Some popular standards and frameworks are the ISO 27000 family for
information security management system, the NIST risk management framework, the NIST
cybersecurity framework, the Center for Internet Security controls and IEC 62443 for an
industrial control system. These standards and frameworks help organizations manage risk
by selecting appropriate security controls. One of the countermeasures suggested by these
standards is the security education, training and awareness of the human user of the
systems. Previous research indicates that human users are the weakest link. However, the
human user can be critical in mitigating cyber threats (Carpenter, 2019). Therefore, creating
awareness and educating all users about the risk posed by cyber threats are essential.
Educated users will be better positioned to take security decisions to avoid or mitigate cyber
risks. Many governments have started cybersecurity awareness campaigns to create
awareness about cyber threats (CISA, 2022; MeitY, 2022; NCSC, 2022).
Cybersecurity awareness and training programs use various approaches. Conventional
methods of delivering security awareness encompass paper and electronic media. Paper-based
delivery methods include leaflets, newsletters and posters addressing the relevant threat.
Electronic media-based methods include computer-based training (CBT) and web-based
training (WBT). Some other methods are formal instructor-led training, video-based,
simulation-based and game-based methods (Abawajy, 2014; Al-Daeef et al., 2017; Ghazvini and
Shukur, 2017). Previous research indicates that conventional delivery methods have limited
success in changing the cybersecurity behaviour of the end-users (Bada et al., 2019; Hart et al.,
2020). Probable reasons for such ineffectiveness may be the lack of experimentally validated
theory-based intervention for the design of the SETA program and one-size-fits-all approach
(Alshaikh et al., 2019; Farooq, 2019; Kävrestad et al., 2022). Many of the SETA programs are
based on best practices or industry guidelines. Such programs have no empirical evidence or
theoretical explanation for their effectiveness (Alshaikh et al., 2019). Therefore, this research
uses a Fogg behaviour model (FBM) from persuasive design to influence human behaviour.
A serious game is a game designed for edutainment. Game-based methods or serious games
are becoming popular in academia and industry because of their pedagogical benefits (Compte
et al., 2015; Kulshrestha et al., 2021; Wittrin et al., 2021). Serious games have been used in
various settings like school education, healthcare and advertising (Hendrix et al., 2016; Larson,
2020). The key feature of the serious game is that it provides learning in a fun and engaging
manner. Serious games are effective in behavioural change and training (Alotaibi et al., 2017).
Some researchers have used serious games for cybersecurity awareness and training
(Thompson and Irvine, 2011a, 2011b; Denning et al., 2013; Arachchilage and Love, 2014;
Ghazvini and Shukur, 2017; Hart et al., 2020; Gasiba et al., 2021). Most games addressed general
cybersecurity awareness, network security, phishing and end-user PC protection (Hendrix et al.,
2016; Alotaibi et al., 2016; Hart et al., 2020).
The smartphone has become the most popular computing device, as indicated by the growing
number of smartphone users (O’Dea, 2021). Smartphones are used for many tasks, including
business and personal communication, financial transactions and entertainment.
Smartphone users face threats similar to those faced by other computing devices, like
desktop and laptop users. However, they also face unique threats, like the loss of
smartphones and SIM cloning (Tu et al., 2015; Chakraborty et al., 2019). According to a
survey by Hom (2022), around 70 million smartphones are lost each year. Monetary losses
are not limited to the cost of smartphone devices. Smartphone theft may lead to fraudulent
charges as well as identity theft. Victims will likely pay around $500–$1,000 to recover their
personal photos, videos and other data (ITA, 2022). It is not pleasant to imagine a stranger
accessing personal photos, videos and data, even if it is available from a backup drive.
Around 54% of companies that had experienced a mobile-related security breach attributed
it, at least in part, to user behaviour (Verizon, 2021). A previous study by Shah and Agarwal
(2020a, 2020b) reported lax cybersecurity behaviour by Indian smartphone users. Hence,
there is a need to focus on improving the cybersecurity behaviour of smartphone users in
India. Although the theory of planned behaviour (TPB) and protection motivation theory
(PMT) are popular in information security awareness research, they are ineffective (Lebek
et al., 2013; Hutchinson and Ophoff, 2019). This need to design better interventions
motivated the researchers to develop a serious game for cybersecurity awareness focusing
on the threats smartphone users face based on FBM. Also, the ENISA (2018) recommended
using the FBM to design the intervention, particularly for cybersecurity behaviours. The
main contributions of this research work are:
• Previous studies have reported mixed results on the effectiveness of fear appeals in
improving cybersecurity awareness (Renaud and Dupuis, 2019). Cybersecurity fear
appeals may cause negative emotions (Dupuis and Renaud, 2021). However, this
research used hope and a fear appeal to minimize the negative emotions. The
recommendations’ effectiveness provides hope, enhancing fear appeal effectiveness
(Nabi and Myrick, 2018). The results of this study lend support to the effectiveness
of hope and fear appeals to improve cybersecurity awareness.
• This study demonstrates the use of the FBM and constructive learning principles
for effective serious game design.

Section 2 provides a literature review on serious games for cybersecurity. Section 3 presents
the design principles of Cyber Suraksha. This section discusses the FBM, constructive
learning principles and how they are used in game design. Section 4 describes game
components, game mechanics and play rules. Section 5 describes the research methodology.
Section 6 presents the results and analysis of the experiment to evaluate the game. Section 7
discusses the lessons learned during the design and evaluation of the game. Section 8
concludes the paper with future work.

2. Literature review
Recently, many security games have been reported in the literature (Coenraad et al., 2020).
These increasing numbers indicate that game-based learning is gaining attention in
cybersecurity. Researchers are hopeful about the effectiveness of such games in creating
cybersecurity awareness and better cyber hygiene among the end-users.
There are many ways in which security games may be classified. Lope and Medina
(2016) identified 16 criteria grouped into six blocks for the serious games’ classification.
Some popular criteria for game classification are based on genre, target audience,
application area, gameplay and game platform. For example, based on genre, games may be
classified as action, adventure, fight, logic, simulation, sport and strategy (Lope and Medina,
2016). Security games have been designed for various objectives like secure software
development, security awareness, training and education. These games have different target
users like general users, software developers, computer and allied engineering students and
cybersecurity professionals. In this study, the researchers classified cybersecurity games
based on the game’s objective as security awareness games, secure software development
games and security education and training games. The main goal of security awareness
games is to improve cyber hygiene by motivating players to adopt recommended security
controls. Poor coding practices lead to many vulnerabilities that the attackers exploit. The
software developer should follow secure coding practices to prevent these vulnerabilities.
Many researchers have proposed serious games focusing on threat modelling, risk
assessment, security requirements elicitation and secure coding. Such games are classified
as secure software development games in this research. These games are targeted at IT
professionals associated with software development. The cybersecurity education and
training games focus on improving the cybersecurity knowledge and skills of the players.
They are more technical as compared to cybersecurity awareness games. Table 1 shows
some of the selected games that fall into these categories.
Below are details of a few serious cybersecurity games from the literature focussing on
cybersecurity awareness.
Visoottiviseth et al. (2018) designed a security game called POMEGA for security
awareness. The game is targeted at the age group of 15–25 years. It contains quiz-based
games on passwords, social networks, phishing, physical security, and mobile security. The
researchers used pre and post-test methods to evaluate the game with 105 student
participants. The results indicate that the game was effective as the post-test scores
exceeded the pre-test scores.
Cyber Air-Strike is an interactive cybersecurity awareness game (Bhardwaj, 2019). The
game focuses on the importance of firewalls, anti-virus, and strong password and how to
avoid phishing, adware and spyware attacks. The game incorporates revised Bloom’s
Taxonomy. However, the game is not evaluated by actual users.
What.Hack is an anti-phishing online simulation game (Wen et al., 2019). The players are
required to evaluate whether the email is phishing or not based on the rulebook. The game
was tested with 39 participants. The study reported a 36.7% improvement in players’
correctness in identifying phishing emails.
Another computer game, PERSUADED, also focuses on social engineering attacks
(Aladawy et al., 2018). Players learn the countermeasures against the most common social
engineering attacks. The researchers conducted the study with 21 participants in the age
range of 19–35 years.

Table 1. Cybersecurity games in categories

| Categories | Games |
|---|---|
| Cybersecurity awareness games | Pomega (Visoottiviseth et al., 2018), Cyber Air-Strike (Bhardwaj, 2019), What.Hack (Wen et al., 2019), What Could Go Wrong (Zargham et al., 2019), Make My Phone Secure! (Bahrini et al., 2019), PERSUADED (Aladawy et al., 2018), Bird’s Life (Weanquoi et al., 2018), Anti-Phishing Educational Game (Arachchilage and Hameed, 2017) |
| Secure software development games | Hacker (Thinkfun, 2022), Data-Driven Security Game (Løvgren et al., 2019), Security Requirement Education Game (Yasin et al., 2018), social engineering security requirements game (Beckers and Pape, 2016), OWASP Cornucopia (OWASP, 2012), Protection Poker (Williams et al., 2010), Elevation of Privilege (EoP) (Shostack, 2010) |
| Cybersecurity education and training games | CybAR (Alqahtani and Kavakli-Thorne, 2020), Cyber Wargame (Haggman, 2019), Cyber Detective (Lopes et al., 2018), Jail, Hero or Drug Lord? (Chothia et al., 2017a, 2017b), Play 2 Prepare (Graffer et al., 2015), [d0x3d!] (Gondree and Peterson, 2013), Control-Alt-Hack (Denning et al., 2013), CyberCIEGE (Thompson and Irvine, 2011a, 2011b) |

Source: Created by authors

What could go wrong is a humorous decision-making game (Zargham et al., 2019). The
game encourages users to make informed decisions about mobile device security and
privacy settings. The game provides feedback about the impact of the decision to the user in
a humorous way. The authors evaluated three different scenarios using a between-subject
design with 21 participants. They reported a positive effect of games and humour on raising
security and privacy awareness.
Make my phone secure! is a game for learning how to grant and change Android
permissions (Bahrini et al., 2019). The researchers used a within-subject design with three
different ways of conveying information related to the mobile application permission
system. The study reported the results of 18 participants. The results indicate the game
variant was more fun than the simple menu and menu + hints variants. The researchers
concluded that gamified application is successful in raising security awareness.
Table 2 presents the summary of the games mentioned above.

Table 2. Summary of security games

| Study | Game name | Game type | Context | Target audience | Game evaluation |
|---|---|---|---|---|---|
| Visoottiviseth et al. (2018) | POMEGA | 2D multi-user game | Phishing, password, social networks, mobile security and physical security | The age group of 15–25 years | The game was evaluated with 105 participants using pre- and post-test methods |
| Bhardwaj (2019) | Cyber Air-Strike | 2D web application | Malware, phishing, password and unauthorized data access | Amateur computer users | Not evaluated |
| Wen et al. (2019) | What.Hack | Web-based with role play | Phishing | General public | The game was evaluated with 39 participants using pre- and post-test methods |
| Aladawy et al. (2018) | Persuaded | Card game | Social engineering | Employees | The game was evaluated with 21 participants using pre and post-test method |
| Zargham et al. (2019) | What Could Go Wrong | Desktop application | Mobile device security and privacy setting | Mobile device users | The game was evaluated with 21 participants using a between-subject design |
| Bahrini et al. (2019) | Make my phone secure! | Mobile application | Mobile app permissions | Mobile device users | The game was evaluated with 18 participants using a within-subject design |

Source: Created by authors

In conclusion, many cybersecurity games have been proposed in the literature for
various objectives. Most security games rely on factual knowledge but miss the context.
Often there is missing relevance, with no emphasis on risks, adversary models and the
quality of security measures (Roepke and Schroeder, 2019). Very few games are designed
with some theoretical underpinnings like a TPB, PMT or any other model or framework.
Theory-based interventions are more likely to succeed (Alshaikh et al., 2019). The ENISA
(2018) recommended using the FBM to design the intervention, particularly for
cybersecurity behaviours. Hence, Cyber Suraksha is designed based on the principles of
constructive learning theory and the FBM. It focuses on smartphone users and the threats
faced by them. This game uses real-life attack scenarios, and players must identify
appropriate countermeasures. The target audience for this game is any smartphone user.

3. Theoretical framework
Interventions based on behavioural theories are more likely to succeed (Coventry et al.,
2014). To meet this goal, the researchers have designed a card game called Cyber Suraksha
based on the principles of game design, constructive learning theory and the FBM. The
game’s main objective is to create awareness about cybersecurity threats smartphone users
face and motivate them to adopt recommended cybersecurity controls. The game should be
fun and promote the player’s active learning. Any smartphone user is the target audience
for the game. The researchers discuss the theoretical underpinnings of the game in this
section and how they are incorporated into the proposed game.

3.1 Constructivism learning principles


Constructive learning theory has been used in various contexts, like foreign language learning,
software testing and others. The basic premise of constructivism is that knowledge is
constructed based on a learner’s previous knowledge, experiences, beliefs and insights. The
learner is actively engaged in the activity compared to passively receiving information (Lebow,
1993; Pande and Bharathi, 2020). Learning takes place because of interaction, collaboration and
exchange of ideas. This contrasts with the traditional learning environment, where learning is
primarily achieved alone through repetition. The characteristics of a constructive learning
environment are as follows (Brown, 2014; Aydogdu and Selanik-Ay, 2016):
• Simulated learning: The environment should be created to assist, imitate and
reproduce real-world complications and events.
• Active learning: Learners should have the opportunity to be engaged in ways that
encourage self-direction, creativity and critical examination of issues that need to be
solved.
• Collaborative learning: Learners may learn from each other’s ideas through
interaction and cooperation. The environment should promote such collaborative
learning.
• Interactive teaching: The teacher’s job is to stimulate and foster conversation by
asking thoughtful, open-ended questions and encouraging learners to ask questions.
Teachers may encourage learners to engage in dialogue with both the teacher and
one another and provide hints and corrective feedback on their responses/solutions
to a problem.

Table 3 shows how the principles of constructive learning are incorporated into
Cyber Suraksha, a tabletop card game.

The researchers believe the principled application of constructivism learning principles to
serious games will realize the intended goals.

Table 3. Principles of constructive learning and its realization in the game

| Principle of constructive learning | Realization in the game |
|---|---|
| Simulated learning | The Cyber Suraksha game has scenario cards. These cards represent real-world scenarios for cyber threats like phishing. These scenarios provide the context for the learner to understand the related risk and countermeasures |
| Active learning | The game provides an opportunity for active learning through discussion within and among other teams while matching the risk card and defence card with their scenario card |
| Collaborative learning | Players must match their randomly allocated risk and defence cards with their scenario cards. If they do not have matching risk and defence cards, they must trade the cards with other players or the game master. This trading provides an opportunity for collaborative learning as they understand the scenarios of other players |
| Interactive teaching | The game master acts as a facilitator and provides immediate feedback on the correctness of the scenario card and its related risk and defence |

Source: Created by authors

3.2 Game development framework


The researchers followed the conceptual framework suggested by Yusoff et al. (2009) to
develop the game along with the constructivism learning principles. The framework
includes learning and pedagogy theory and gaming requirements, as discussed below:
• Incremental learning: Initially, each team is provided with a cybersecurity tip sheet,
scenario card and risk card. Once they have matched the scenario card with the
relevant risk card, they are randomly provided with two defence cards. Hence,
learning information is provided incrementally.
• Game linearity: In this game, learning is made in stages. First is matching the
scenario card with the relevant risk card, followed by matching the defence cards
with the identified risk.
• Attention span: The game is fast-moving and may be completed in an average time
of about 25–30 min. Time is adequate to absorb the learning content of the game.
• Scaffolding within the game: Cybersecurity tip sheet is provided as support. Also,
the game master provides feedback during the game.
• Interaction: The game provides two opportunities for the players to interact with
other participants. First, when they try to match the scenario card with the risk
card, and second, while matching the risk card with the defence cards.
• Learner control: The game master is a facilitator, and the learner feels comfortable
exploring new ideas. The game also provides an opportunity to learn from others.
• Intermittent feedback: Feedback is provided by the participants and the game
master.
• Rewards: There are no reward points used in the game. However, players must
complete the task in the shortest possible time.
• Situational and authentic learning: Scenarios give the specific situation or the
context rather than the abstract setting of the game. Players can easily relate such
situations to news items reported in the media.

3.3 Fogg behaviour model
The general deterrence theory, TPB and PMT are the most widely used theories in
information security awareness research (Lebek et al., 2013). While these theories
provide insights into information security awareness, some researchers doubt their
effectiveness (Hutchinson and Ophoff, 2019). Three essential requirements for
behaviour change are capability, opportunity and motivation (Michie et al., 2011). FBM
effectively captures these requirements. The FBM provides a simple, actionable
framework for designing effective behaviour change interventions. Hence, the
researchers decided to use FBM as the theoretical framework for the design of game
cards. FBM is useful in persuasive design (Fogg, 2009). FBM has been used in the
cybersecurity domain as well (Jordan et al., 2014; Bawazir et al., 2016; Liljestrand et al.,
2019; Parkin et al., 2019; Shah and Agarwal, 2020a, 2020b). FBM posits that three
elements, namely, motivation, ability and prompt, should be present simultaneously for
behaviour to occur. FBM states that motivation and ability have a compensatory
relationship. It means that even if the motivation is low, if the ability is high, the
behaviour may occur when prompted, and vice versa. According to FBM, there are
three core motivators: sensation, anticipation and belonging. Each of these core
motivators has two sides. Pleasure/pain for sensation, hope/fear for anticipation and
social acceptance/rejection for belonging. Fear/hope is used as a core motivator in this
game.
Cards were designed to motivate players to adopt the recommended behaviour using fear
appeal. The fear appeal has been used as a motivator in different contexts to promote
desired behaviour and is effective (Tannenbaum et al., 2015; Boshoff and Toerien, 2017; Nabi
and Myrick, 2019). It has been used in past research to promote the adoption of
cybersecurity behaviours (Boss et al., 2015; Albayram et al., 2017; Jansen and Schaik, 2018;
Jansen and Schaik, 2019). The fear appeal should include a description of the threat’s
severity and an individual’s susceptibility to the threat (Johnston and Warkentin, 2010). It
should also have information related to the recommended response’s efficacy and the
individual’s ability to perform the recommended response. Table 4 describes how the FBM
components are used for the card design.

4. Cyber Suraksha: a serious cybersecurity card game


This section gives the details of the Cyber Suraksha game. First, game components are
described (Sections 4.1 and 4.2), followed by game mechanics and play (Section 4.3). Finally,
the gameplay is explained with an example in this section. The game consists of a card deck
and a cybersecurity tip sheet. The researchers present the description of the cards, the
cybersecurity tip sheet and the gameplay in this section.

Table 4. FBM components and their realization in game

| FBM component | The realization in the game |
|---|---|
| Motivator | Anticipation (fear and hope). Risk cards describe the threat and its susceptibility. Defence cards describe the recommended countermeasure and its efficacy |
| Ability | Defence cards guide the usage of the recommended measure |
| Prompt | Playing the game acts as a prompt for the adoption of recommended measures |

Source: Created by authors

4.1 Card deck
The game contains three types of cards: scenario cards, risk cards and defence cards. The
scenario card describes the typical situation of a cybersecurity incident. The risk card
contains a threat description and information about threat severity and susceptibility. The
defence card describes the recommended response, how to adopt it, and information about
its efficacy. Supporting users through clues positively affects the adoption of security
behaviour (Furnell et al., 2018). Hence, the researchers used visual clues like red to indicate
danger and green to indicate the recommended response. A sample of all three types of cards
is shown in Figure 1. There are 36 cards in this game.
Based on industry reports and previous research, the researchers identified the most
common threats and attack vectors and recommended countermeasures for smartphone
users (FBI, 2020; CERT-In, 2020; IBM Security, 2020; Shah and Agarwal, 2020a, 2020b; RSA,
2020). The researchers focused on the following threats:
• Mobile app permissions;
• Mobile app vulnerability;
• Data theft;
• Malware;
• Porting out; and
• Phishing (including SMS and voice phishing).

The next step was to develop real-life scenarios based on the above-identified threats. The
researchers searched various articles in the popular press and industry reports
incorporating the above threats to develop real-life scenarios. The researchers developed
nine scenarios based on the identified threats. The researchers identified two recommended
measures for each scenario.

Figure 1. Types of cards

4.2 Cybersecurity tip sheet

The cybersecurity tip sheet describes the risk and two related countermeasures. For example,
for the malware threat, the cybersecurity tip sheet contains a description as “these are the
malicious programs which may slow down your smartphone, steal sensitive information from a
smartphone, etc”. The related countermeasures are:
• install anti-malware apps and regularly update and scan; and
• download apps from trusted sources like the Google Play Store or the iOS App Store.

4.3 Game mechanics and play


Game mechanics are the rules that govern the player’s actions and the game’s response to
them. Game mechanics may make the game more or less enjoyable and fun. The Cyber
Suraksha game is designed to be played in two modes: individual or team. In team mode,
players can compete as a team of 2–3 players. Collaboration among teams may provide
better learning as it allows for discussion between team members. The researchers have
used team mode for this study. A maximum of nine teams can participate, as the game
currently has nine scenarios. A game typically starts with a briefing about the game by the
game master. The game master then randomly distributes one scenario and risk cards to
each team.
Each team tries to match the scenario card with the risk card based on their
understanding. If the team does not have the relevant risk card, it must be acquired from
other teams by trading cards. Once they have the matching risk card, they collect the
cybersecurity tip sheet from the game master. The game master asks the team to draw two
defence cards from the deck after verifying the scenario and risk card match. The team must
match the two defence cards with the related risk card. If the team does not have relevant
defence cards for their risk card, they may trade defence cards with other teams. The winner
is the first team to correctly match the scenario card with its risk card and the two related
defence cards. Play then continues to decide the second, third, fourth place and so on.
All teams share their identification of risks and defences with the other teams. The game
master provides feedback to all the teams and discusses cybersecurity threats.
Example: One team receives a scenario and a risk card. The scenario card for the team is
given below:
You received an automated voice call informing you about the expiry of your Netflix
account. It asked you to enter your credit card information, date of expiry and CVV number
after the beep sound for the renewal. You entered the details. After some time, you receive an
SMS alert stating that your card has been used on Amazon for the purchase of goods worth
Rs 20,000.
The team has received phishing as a risk card. The team correctly identifies the risk in
the scenario as voice phishing or vishing. The team’s risk card does not match the identified
risk. Hence, the team members canvass other groups looking for a vishing card. However,
the team holding a vishing card does not require a phishing card but a malware card.
The team again canvasses the other groups and finds that the group with a malware card
requires a phishing card. They trade the phishing card for the malware card and then trade
the malware card for the vishing card.
Now the team presents their scenario and relevant risk cards to the game master and
draws two defence cards. Using the cybersecurity tip sheet, the team can now identify the
two defence cards. Let us say the two defence cards drawn are “training and awareness” and
“screen lock”. The team can use the “training and awareness” card. However, they also need
the “do not respond to such calls” card. So the group members again canvass the other groups,
hoping to trade the “screen lock” card for the “do not respond to such calls” card. Let us
assume they got the card that was required. They win because they are the first team to
identify the risk in their scenario card and get the right risk card and defence cards. The
game continues with the other teams.

5. Research methodology
This paper aims to present the design and evaluation of the proposed cybersecurity awareness
game. The game’s design and development were described in the previous section. This section
presents the study design and experiment details of the Cyber Suraksha game. The researchers
have used the perception-based evaluation method for the pilot study and the knowledge-based
evaluation method for the main study. The researchers used the knowledge-based evaluation
method as it reduces the risk of response bias compared to the perception-based evaluation
method (Kävrestad and Nohlberg, 2021).
This research was conducted in three phases, i.e. pilot study, main study and follow-up,
as shown in Figure 2. The researchers conducted a pilot study before the actual experiment.
The researchers collected data about the players’ demographics, cybersecurity behaviours,
motivation, ability and threat awareness. The researchers used the game experience
questionnaire (GEQ) scale to measure playability during the pilot study. Similarly, they used
the RBD scale during the main study to understand the risk behaviour of the control and
intervention groups.

Figure 2.
Study flow
5.1 Pilot study
The objective of the pilot study was to understand the playability of the game. In all, 34
students participated in the pilot study. All students were recruited from the final year
of the Bachelor of Technology (Information Technology) program. Players were given
instructions before playing the game. The game was played in two sessions. In all, 20
students participated in the first session, and 14 students participated in the second
session. After playing the game, the players were asked to complete the survey
questionnaire. The pre-validated survey instrument used by Shah and Agarwal (2020a,
2020b) was used to capture the response from the player about their cybersecurity
behaviour. The researchers used the GEQ to measure the gameplay experience
(IJsselsteijn et al., 2013). It assesses game experience as scores on seven components:
immersion, flow, competence, positive and negative affect, tension and challenge. GEQ
is widely used in multiple game genres, user groups, gaming environments and
purposes (Norman, 2013; Mekler et al., 2014). The researchers used the core module of
GEQ, consisting of 33 statements, to be rated on a five-point Likert scale (1 = not at all
slightly to 5 = extremely). The cybersecurity practitioner and two experienced
academicians discussed scenarios, risks and defence cards. Some modifications in the
gameplay and content were made based on the feedback. For example, the researchers
initially decided to assign points to the players for the successful matching of cards.
However, it was difficult to assign the score and simultaneously provide feedback on
the correctness of the player’s response. The researchers emphasized feedback over
scoring, as providing feedback is the key element of serious game design and
constructivism learning principles. Hence, the researchers did not provide scores to the
players during the study.

5.2 Main study


The objective of the main study was to test the effectiveness of Cyber Suraksha. The
researchers used a between-group design to compare control and treatment/intervention
groups in the main study. Participation bias is arguably more problematic in research
measuring security awareness and behaviour. A pre-post test design may increase such bias
compared to a between-group design (Kävrestad and Nohlberg, 2021). Hence, the researchers
used a between-group design instead of a pre-post test. Also, previous studies have used
between-group design to evaluate security training methods (Albayram et al., 2017; Kävrestad
et al., 2022). The overview of the main study is presented in Figure 3. The participants were
recruited from the computer/IT program of the leading institute using a self-selection sampling
method. In the self-selection sampling method, the subjects choose to participate in research of
their own accord. Self-selection sampling may introduce self-selection bias. The social
desirability bias effect was reduced using a self-administered questionnaire. This method is
useful when the survey is simple and items are mainly closed-ended (Nederhof, 1985). This type
of sampling method has been used in previous studies (Zhang et al., 2017; Shah and Agarwal,
2020a, 2020b). A notice regarding the game was posted on the learning management system of
the institute. Participants were required to register themselves for the same. Upon registration,
the researchers assigned 94 participants randomly to the treatment and control groups to avoid
self-selection bias. All the participants were in the age group of 18–24. One of the researchers
acted as the game master while playing with the intervention group. The average time for
playing the game is 25–30 min.

Figure 3. Main study research process overview

5.2.1 Similarity of groups. Participants for this study were students of the same cohort
batch. Hence, the researchers assume no significant difference in knowledge level. The
researchers used Pearson’s Chi-square test with a 5% significance level to ascertain
similarity between the two groups for gender, mobile OS, previous cybersecurity training,
cybersecurity behaviours, motivation, ability and threat awareness. The demographic
details of the participants are given in Table 5. The researchers considered the following
cybersecurity behaviours for comparison:
• use of screen lock;
• encryption of data on smartphone;
• noting of IMEI number;
• disabling GPS and Bluetooth when not required;
• secure disposal of memory card;
• clicking on the link in unknown emails, SMS and WhatsApp messages;
• downloading apps from untrusted third-party websites;
• scanning phones with anti-malware solutions;
• connecting to unsecured public Wi-Fi;
• downloading attachments from an unknown email;
• location-based updates on social networking sites;
• app update;
• checking permission while installing the app;
• remote tracking and locking of the device; and
• remote wiping of data.

Table 5. Demographic details of participants

Items                           Control group   Intervention group
Gender – male                   32              35
Gender – female                 14              13
Android OS                      33              36
iOS                             13              12
Cybersecurity training – yes    10              14
Cybersecurity training – no     36              34

Source: Created by authors

The researchers used the risk behaviour diagnosis (RBD) scale to capture players’ responses
after playing the game. It is an assessment tool that allows for identifying where the
audience is in terms of his/her beliefs about the threat and the efficacy of the recommended
response. This scale is widely used in the health domain. The theoretical basis for RBD is
the extended parallel process model (EPPM). According to EPPM, a health risk may invoke
any of the following responses in individuals: no response, fear control and danger control.
No response indicates that individuals ignored the risk message. When the perceived threat
and efficacy are high, people are motivated to adopt the recommended response, leading to
danger control. People will adopt a fear control response when the perceived threat is high
and the efficacy is low. This means that people may reject the recommended response by
denying the threat. The goal is to induce danger control processes and responses with health
risk messages. Specifically, the researcher wants people to have strong perceptions of threat
and efficacy so they are motivated to consider the health threat and adopt recommended
responses. Since cybersecurity is also a risk faced by individuals, and each individual may
or may not adopt the recommended cybersecurity control, the researcher has adapted RBD
to suit the current context. RBD is a 12-item, five-point Likert scale. The main variables in
the scale are perceived threat and perceived efficacy. A perceived threat consists of threat
susceptibility and severity, while perceived efficacy comprises response efficacy and threat
efficacy. There are three questions related to each variable. The RBD scale is simple to use.
The researcher followed the steps given below:
• clearly define the threat and recommended response;
• develop the RBD-scale version to suit the context;
• administer the survey;
• add the numerical scores for the efficacy items;
• add the numerical scores for the threat items; and
• subtract threat score from efficacy score. A positive value means a danger control
  response and a zero or negative value means a fear control response from an
  individual.

The game aims to motivate players to adopt the recommended cybersecurity controls.
Hence, the researchers posit the following hypothesis:

H1. Participants in the treatment group will display danger control behaviour.

5.3 Follow-up study


A week later, the researchers randomly asked the players in the intervention group (48
participants) to demonstrate the ability to track and lock their smartphones remotely. The
researcher also asked them to describe steps to remotely wipe the data on their smartphones
in case they are lost or stolen. The players used their smartphones to demonstrate these
behaviours. These three behaviours were selected as they are unique to smartphones and
may be very helpful in minimizing the impact resulting from lost or stolen smartphones.

5.4 Threats to validity and reliability


Validity and reliability are critical in evaluating a measurement instrument. Validity refers
to the extent to which an instrument measures what it is intended to measure, whereas
reliability is concerned with the ability of an instrument to measure consistently. The main
threats to the validity of this study are construct validity and internal and external validity.
Construct validity refers to generalizing the experiment’s results to the concepts and theory
that underpin it. The main construct validity threat in this study is using a questionnaire.
This threat is mitigated using a validated questionnaire (GEQ and RBD). A pre-validated
questionnaire will also ensure the reliability of the instrument. Internal validity refers to the
degree to which research establishes a reliable cause-and-effect relationship between a
treatment and an outcome. One of the authors of this paper, acting as a game master, is the
main threat to internal validity. The participants might have felt an obligation to rate
positively. The researchers mitigated this threat by having anonymous responses from the
participants, and the participants were made aware of this in advance. External validity
refers to generalizing an experiment’s results outside the experiment’s setup. It may be
affected by the selected objects and subjects of the study. This threat is mitigated using real-
life cyber-attack scenarios rather than an abstract description. Another threat may be the
selection of undergraduate computer/IT program students as the participants in the study.
These students may be assumed to have more knowledge and inclination towards
cybersecurity than other students. Both groups’ participants (control and intervention) are
computer/IT program students. Hence, in this study, the comparison is between students
with similar backgrounds and knowledge. The researchers used IBM SPSS Statistics v 25
software to analyze participants’ responses.

6. Results and analysis


The researchers present the results and analysis of the participants’ data in this section. The
result of the pilot study is discussed first, followed by the main and follow-up study.
The primary objective of the pilot study was to understand the player’s gameplay
experience. Pilot testing was done with 34 students, including seven female students. In all,
25 participants were using Android OS-based smartphones. Table 6 shows the average
rating of the players for the seven components of GEQ.
Competence refers to the ability of the player to play the game. The higher average value
of this component indicates that the players could easily play the game. In other words, the
game was simple to play. The immersion subscales indicate aesthetics and exploration
within the game. A fairly high value for this component indicates that the players like the
look and feel of the game. They were able to explore ideas during the play. The flow
subscales refer to engagement with the game. The value of this component indicates that the
players were moderately engaged while playing the game. Tension/annoyance refers to the
frustration felt while playing the game. A low value indicates that the players were not
frustrated or irritated. The challenge subscale indicates the challenge the game offers to
complete the task. Low value implies that the players were not pressured while playing the
game. The game was simple, and the learning time required was less. A low value of
negative affect implies that the game was not boring, and a high value of positive affect
indicates that the players had fun while playing the game and enjoyed it. The researchers
can conclude from this pilot study that the game is enjoyable and fun.

Table 6. GEQ components and their average value

Sr no.   Component                            Mean   Mode
1        Competence                           4.11   4.0
2        Sensory and imaginative immersion    3.78   3.8
3        Flow                                 3.03   2.6
4        Tension/annoyance                    1.20   1.0
5        Challenge                            1.77   1.0
6        Negative affect                      1.29   1.0
7        Positive affect                      4.26   4.0

Source: Created by authors

The game’s objective is to create awareness and prompt players to adopt the
recommended cybersecurity behaviours. The RBD scale captures the player’s perception of
the threat and response efficacy. Players will exhibit danger control behaviour when they
perceive a high threat and believe in recommended response efficacy to mitigate it. The
intervention is effective if more players in the intervention group exhibit danger control
behaviour. Table 4 shows the frequency of fear and danger control responses for the control
and intervention groups. In the intervention group, there are more participants with a
danger control response than in the control group, as seen in Table 7.
The researchers used Pearson’s Chi-square test of independence with a 5% significance
level to test whether there is a statistically significant difference between the two groups.
The researcher found a significant difference between the two groups [χ²(1, N = 94) = 5.311,
p = 0.021]. This analysis supports hypothesis H1. The researcher also calculated the odds
ratio. The odds ratio was 2.65. The odds ratio of 2.65 suggests that participants in the
intervention group are 2.65 times more likely than those in the control group to display
danger control behaviour. Hence, participants in the intervention group are 2.65 times more
likely to adopt recommended behaviour. The observed difference in the target behaviour
may be attributed to the intervention, as both the groups were similar regarding
cybersecurity threat awareness, ability and motivation before the intervention.
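
The RBD scoring steps in Section 5.2 and the group comparison reported above can be reproduced with a short script. This is an added example, not the authors' SPSS analysis: the function names and the sample respondents are constructed, the split into six threat ratings and six efficacy ratings per respondent is an assumption, and only the Table 7 counts come from the page.

```python
"""RBD scoring and the 2x2 group comparison (added example, not the authors' SPSS analysis)."""
import math
from collections import Counter

LIKERT_MIN, LIKERT_MAX = 1, 5   # five-point scale, as described on the page
ITEMS_PER_CONSTRUCT = 6         # assumption: 12 items = 6 threat + 6 efficacy ratings


def rbd_classify(threat_items, efficacy_items):
    """Return (efficacy sum - threat sum, response label) for one respondent."""
    for name, items in (("threat", threat_items), ("efficacy", efficacy_items)):
        if len(items) != ITEMS_PER_CONSTRUCT:
            raise ValueError(f"{name}: expected {ITEMS_PER_CONSTRUCT} items, got {len(items)}")
        if any(not isinstance(v, int) or not LIKERT_MIN <= v <= LIKERT_MAX for v in items):
            raise ValueError(f"{name}: every rating must be an integer from 1 to 5")
    value = sum(efficacy_items) - sum(threat_items)
    # Positive value -> danger control; zero or negative -> fear control.
    return value, ("danger control" if value > 0 else "fear control")


def tabulate(respondents):
    """Count responses per group from (group, threat_items, efficacy_items) tuples."""
    counts = Counter()
    for group, threat, efficacy in respondents:
        counts[(group, rbd_classify(threat, efficacy)[1])] += 1
    return counts


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square (no continuity correction) and p-value for [[a, b], [c, d]]."""
    n = a + b + c + d
    margins = (a + b) * (c + d) * (a + c) * (b + d)
    if margins == 0:
        raise ValueError("a row or column total is zero; the test is undefined")
    chi2 = n * (a * d - b * c) ** 2 / margins
    # With 1 degree of freedom the upper tail equals erfc(sqrt(chi2 / 2)).
    return chi2, math.erfc(math.sqrt(chi2 / 2))


def odds_ratio(event_treated, no_event_treated, event_control, no_event_control):
    """Odds of the event in the treated group divided by the odds in the control group."""
    if no_event_treated * event_control == 0:
        raise ValueError("odds ratio is undefined when a denominator cell is zero")
    return (event_treated * no_event_control) / (no_event_treated * event_control)


# Counts taken from Table 7 on the page.
TABLE_7 = {
    "control": {"danger": 15, "fear": 31},
    "intervention": {"danger": 27, "fear": 21},
}

# Constructed respondents (not study data) to exercise the scoring rule.
SAMPLE_RESPONDENTS = [
    ("intervention", (4, 4, 5, 4, 5, 4), (5, 5, 4, 5, 5, 5)),  # 29 - 26 = +3
    ("intervention", (5, 5, 5, 4, 5, 5), (3, 2, 3, 3, 2, 3)),  # 16 - 29 = -13
    ("control", (3, 3, 3, 3, 3, 3), (3, 3, 3, 3, 3, 3)),       # tie counts as fear control
    ("control", (2, 2, 1, 2, 2, 2), (4, 4, 4, 3, 4, 4)),       # 23 - 11 = +12
]


def table7_statistics():
    """Return (chi2, p, odds ratio) for the Table 7 counts."""
    ctl, itv = TABLE_7["control"], TABLE_7["intervention"]
    chi2, p = chi_square_2x2(ctl["danger"], itv["danger"], ctl["fear"], itv["fear"])
    ratio = odds_ratio(itv["danger"], itv["fear"], ctl["danger"], ctl["fear"])
    return chi2, p, ratio


if __name__ == "__main__":
    for key, count in sorted(tabulate(SAMPLE_RESPONDENTS).items()):
        print(key, count)
    chi2, p, ratio = table7_statistics()
    print(f"chi2(1, N=94) = {chi2:.3f}, p = {p:.3f}, odds ratio = {ratio:.3f}")
```

The uncorrected Pearson statistic matches the reported χ² and p-value; the odds ratio evaluates to 2.657, which the page gives as 2.65.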
A week later, the researcher asked all the players in the intervention group (48 players) to
demonstrate the ability to track and lock their smartphones remotely. The researcher also
asked them to describe steps to remotely wipe the data on their smartphones. Around 70%
of the participants successfully demonstrated their ability.
The researchers can infer from the above analysis that the Cyber Suraksha game effectively
motivates the user to adopt the recommended security control for the target behaviours. The
participants enjoyed playing the game. The game master’s feedback on matching the scenario
card with the risk and defence cards while playing the game added to the players’ learning.

7. Discussion and reflections


Many cyber incidents occur because of human errors. Literature mentions human users as
the weakest link and suggests security awareness and training as countermeasures to
mitigate the same. Serious games are emerging as a promising approach for implementing
effective security awareness and training programs. This research implemented and
evaluated a serious game called Cyber Suraksha. This study’s result indicates Cyber
Suraksha effectively motivates players to adopt recommended security control.
Cyber Suraksha is based on the theoretical framework of constructivism theory, game
design principles and the FBM. The game aims to motivate players to adopt the
recommended cybersecurity countermeasures through active learning. Game-based
learning provides pedagogical benefits for learning, like better engagement with the learner.
It has been used for cybersecurity education. There is no clear agreement among the
researchers regarding the effectiveness of fear appeals in cybersecurity (Renaud and
Dupuis, 2019). This research used fear appeal and hope to design cards, unlike previous
research, which used only fear appeal. Fear and hope improve the game’s effectiveness, as
only fear may have a negative impact (Dupuis and Renaud, 2021).

Table 7. Responses for fear control and danger control

Types of behaviour   Control group   Intervention group
Danger control       15              27
Fear control         31              21

Source: Created by authors

The cybersecurity threat landscape is ever-changing. The main challenge for the game
design was to identify the specific threats faced by smartphone users and develop scenarios
to reflect real-life situations. The researchers identified the following trade-offs that were
considered while designing Cyber Suraksha. One of the main questions was whether to
design a physical card game or a digital card game. The researchers decided to design and
develop a physical card game for the following reasons:
• Previous research shows that the older age group experiences difficulty using
  technological devices and their advanced features (Mohadis and Ali, 2014; Salman
  et al., 2018). The researchers believe that physical card games will have a lower
  learning curve for all age groups.
• Physical card games may support the constructivist approach as players construct
  their scenarios without software programming.
• The researchers believe that providing customized intermediate feedback to the player
  will improve their learning compared to standard feedback provided through digital
  games.

7.1 Game cards


The researchers used real organizations like Reliance Digital rather than imaginary ones. The
researchers purposely used the real names so that players could relate to the scenarios as they
might have interacted with the organizations in the past or received marketing calls from such
organizations. Players’ experiences with such organizations may improve learning rather than
abstract or imaginary situations. The researchers have used fear and hope to motivate
smartphone users to adopt the recommended countermeasure. The previous research indicates
the interaction between hope and self-efficacy predicts behavioural intentions (Nabi and
Myrick, 2018). A fear appeal must address the threat that creates the emotion of fear, along
with a recommendation to mitigate the threat. The effectiveness of recommendations provides
hope, which enhances fear appeal effectiveness (Nabi and Myrick, 2018; Black et al., 2021).

7.2 Scoring
The researchers concluded from the pilot study that players were not interested in the points
gained during the game. This could be explained by the fact that players get feedback about
their responses from the game master and other players. Furthermore, scoring may harm a
player’s learning; a player’s focus on gaining points might cause them to lose sight of the
game’s teachings.

7.3 Game master


The researchers realized after the pilot study the focal role of the game master in promoting
active learning. The game master is critical to stimulating active learning for the players.
The game master should encourage critical thinking and provide feedback on matching
scenarios with related risk and defence cards.
7.4 Contributions and limitations
The main contributions of this research are listed below:
• This study aims to improve smartphone users’ cybersecurity awareness using fear
  appeal and hope. Prior research has revealed conflicting findings about the
  effectiveness of fear appeals in improving cybersecurity awareness. This study used
  a hope and fear appeal in the design of Cyber Suraksha. The results indicate that the
  intervention improved smartphone users’ cybersecurity awareness. Hence, the
  researchers would like to recommend that other researchers explore the combination
  of fear appeal and hope in the design of SETA programs.
• The FBM is widely used in persuasive design. However, its use in the cybersecurity
  context is limited. This study has used one motivating factor of FBM, i.e. anticipation, and
  found it effective. Hence, this study demonstrates the suitability of FBM for the design of
  a serious game for cybersecurity awareness. The remaining two motivators, as mentioned
  in the FBM, or a combination of all three, may be explored in future studies.
• The researchers observed that the interaction between the game master and players
  during the game was critical for active learning. The specific comments rather than
  general feedback provided by the game master during the play encouraged critical
  thinking among the players. Such customized feedback and player engagement may
  not be possible in digital games. Hence, the researchers would recommend that
  cybersecurity practitioners use serious games involving interaction between game
  masters and players to improve cybersecurity awareness.

This research suffers from a few limitations. The first limitation arises from the self-
selection sampling method used in this research. The self-selection sampling method may
induce self-selection bias. The Computer/Information Technology UG program students
are participants in this study. They may have an interest in the cybersecurity game,
which may lead to self-selection bias. Hence, the sample might not accurately represent
smartphone users in India. Hence, it might be difficult to generalise the research results.
Nevertheless, the results may be valid as the comparison is between two similar groups
using the between-group design. The main and follow-up studies’ results indicate the
game’s effectiveness in motivating users to adopt the recommended cybersecurity
behaviours. The second limitation arises because of the survey methodology used in the
pilot and main studies. The researchers reduced the social desirability bias effect using a
self-administered questionnaire. The participants were not required to reveal their
identities. Thus, participants remain anonymous and may provide honest responses to
the questionnaire.

8. Conclusion and future work


Human error is one of the reasons for a cybersecurity incident. Previous research suggests
cybersecurity education, training, and awareness as countermeasures to minimize
cybersecurity incidents due to human error. Many approaches have been used in the past.
Traditional approaches like paper-based delivery, CBT and WBT have limited success in
motivating the end user to adopt the recommended security control. Game-based methods or
serious games are becoming popular in academia and industry because of their pedagogical
benefits. Serious games are effective for behavioural change and training (Alotaibi et al.,
2017). There are very few games that focus on the threats faced by smartphone users. The
researchers developed a tabletop card game to fill the gap mentioned earlier.
This study presents the design aspect and evaluation of the cybersecurity awareness
card game called Cyber Suraksha. Constructivism learning principles and FBM are the
theoretical frameworks for developing this game. Cyber Suraksha creates an active
learning environment for the players to learn about different attacks and
countermeasures. The game has three different types of cards: scenario cards, risk cards
and defence cards. The players are randomly provided with real-life attack scenarios.
Players must match the scenario card with the associated risk card and then with the
relevant defence cards. A game master facilitates discussion among the players and
provides immediate feedback on the correctness of the identified risk and
countermeasures for the given scenario.
The gameplay experience of the participants was evaluated using a game experience
questionnaire. The result indicates that the game is engaging and fun to play. The gameplay
is simple and easily understood by the players. The game provides an appropriate level of
challenge for the players to complete the task and provides the opportunity to learn from
peers. The researchers experimented with the control and intervention groups to study the
game’s effectiveness. The researchers used the RBD scale to capture players’ responses
after an experiment. The results indicate more danger control responses in the intervention
group than in the control group. The researchers can infer that the Cyber Suraksha
improved the threat awareness of the participants and motivated them to adopt the
recommended security controls. The effectiveness of the Cyber Suraksha may be attributed
to the use of fear and hope as a core motivator and the constructivist learning principles
used in the game mechanics.
The researchers plan to continue further research on the effectiveness of the Cyber
Suraksha by conducting experiments with different age groups. Also, a longitudinal
study may be conducted to study participants’ motivation and usage of recommended
security controls. Further, a digital card game may be created, and its effectiveness may
be studied. A study may compare the effectiveness of digital card games with tabletop
card games.

References
Abawajy, J. (2014), “User preference of cyber security awareness delivery methods”, Behaviour and
Information Technology, Vol. 33 No. 3, pp. 236-247.
Aladawy, D., Beckers, K. and Pape, S. (2018), “PERSUADED: fighting social engineering attacks with a
serious game”, 15th International Conference in Trust, Privacy and Security in Digital Business,
Springer, pp. 103-118.
Albayram, Y., Khan, M.M., Jensen, T. and Nguyen, N. (2017), “‘. . .Better to use a lock screen than to
worry about saving a few seconds of time’: effect of fear appeal in the context of smartphone
locking behavior”, Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017),
USENIX Association, Santa Clara, CA, pp. 49-62.
Al-Daeef, M.M., Basir, N. and Saudi, M.M. (2017), “Security awareness training: a review”, Proceedings of the
World Congress on Engineering 2017, International Association of Engineers, London, Vol I,
pp. 446-451.
Alotaibi, F., Furnell, S., Stengel, I. and Papadaki, M. (2016), “A review of using gaming technology for
Cyber-Security awareness”, International Journal for Information Security Research, Vol. 6 No. 2,
pp. 660-666.
Alotaibi, F., Furnell, S., Stengel, I. and Papadaki, M. (2017), “Enhancing cyber security awareness with
mobile games”, The 12th International Conference for Internet Technology and Secured
Transactions, IEEE, pp. 129-134.
Alqahtani, H. and Kavakli-Thorne, M. (2020), “Design and evaluation of an augmented reality
game for cybersecurity awareness (CybAR)”, Information, Vol. 11 No. 2,
doi: 10.3390/info11020121.
Alshaikh, M., Naseer, H., Ahmad, A. and Maynard, S.B. (2019), “Toward sustainable behaviour change:
an approach for cyber security education training and awareness”, 27th European Conference
on Information Systems (ECIS), AIS Electronic Library (AISeL), Stockholm and Uppsala,
Sweden.
Arachchilage, N.A. and Hameed, M.A. (2017), “Integrating ‘self-efficacy’ into a gamified approach to
thwart phishing attacks”, CoRR, Arxiv, available at: https://arxiv.org/pdf/1706.07748.pdf
Arachchilage, N.A. and Love, S. (2014), “Security awareness of computer users: a phishing threat
avoidance perspective”, Computers in Human Behavior, Vol. 38, pp. 304-312.
Aydogdu, B. and Selanik-Ay, T. (2016), “Determination of teacher characteristics that support
constructivist learning environments”, Eurasian Journal of Educational Research, Vol. 16 No. 63,
pp. 293-310.
Bada, M., Sasse, A.M. and Nurse, J.R. (2019), “Cyber security awareness campaigns: why do they fail to
change behaviour?”, arXiv preprint arXiv:1901.02672.
Bahrini, M., Volkmar, G., Schmutte, J., Wenig, N., Sohr, K. and Malaka, R. (2019), “Make my phone
secure!: using gamification for mobile security settings”, MuC’19: Proceedings of Mensch und
Computer 2019, ACM, pp. 299-308.
Bawazir, M.A., Mahmud, M., Molok, N.N. and Ibrahim, J. (2016), “Persuasive technology for improving
information security awareness and behavior: literature review”, 2016 6th International
Conference on Information and Communication Technology for The Muslim World, IEEE,
pp. 228-233.
Beckers, K. and Pape, S. (2016), “A serious game for eliciting social engineering security requirements”,
24th International Conference in Requirements Engineering, IEEE, pp. 16-25.
Bhardwaj, J. (2019), “Design of a game for cybersecurity awareness”, North Dakota State University,
available at: https://hdl.handle.net/10365/29758
Black, I., Baines, P., Baines, N., O’Shaughnessy, N. and Mortimore, R. (2021), “The dynamic interplay of
hope vs fear appeals in a referendum context”, Journal of Political Marketing, Vol. 22 No. 2.
Boshoff, C. and Toerien, L. (2017), “Subconscious responses to fear-appeal health warnings: an
exploratory study of cigarette packaging”, South African Journal of Economic and Management
Sciences, Vol. 20 No. 1.
Boss, S., Galletta, D., Lowry, P.B., Moody, G.D. and Polak, P. (2015), “What do systems users have to
fear? Using fear appeals to engender threats and fear that motivate protective security
behaviors”, MIS Quarterly, Vol. 39 No. 4, pp. 837-864.
Braue, D. (2021), “Global cybersecurity spending to exceed $1.75 Trillion From 2021-2025”,
Cybersecurity Ventures, available at: https://cybersecurityventures.com/cybersecurity-spending-2021-2025/#::text=The%20imperative%20to%20protect%20increasingly,2025%2C%20according%20to%20Cybersecurity%20Ventures
Brooks, C. (2021), “Alarming cybersecurity stats: what you need to know for 2021”, Forbes, available at:
www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats–––-what-you-need-to-know-for-2021/?sh=565fad7158d3
Brown, L. (2014), “Constructivist learning environments and defining the online learning community”,
I-Manager’s Journal on School Educational Technology, Vol. 9 No. 4, pp. 1-6.
Carpenter, P. (2019), “Transformational security awareness: what neuroscientists, storytellers, and
marketers can”, John Wiley and Sons, Indianapolis.
CERT-In (2020), “CERT-in annual report 2020”, Ministry of Electronics and Information Technology
(MeitY), Government of India.
Chakraborty, D., Hanzlik, L. and Bugiel, S. (2019), SimTPM: User-Centric TPM for Mobile Devices. 28th
USENIX Security Symposium, USENIX Association, Santa Clara, CA, pp. 533-550.
Chothia, T., Holdcroft, S., Radu, A.-I. and Thomas, R.J. (2017a), “Jail, hero or drug lord? Turning a cyber
security course into an 11 week choose your own adventure story”, 2017 USENIX Workshop on
Advances in Security Education, USENIX Association, Vancouver.
Chothia, T., Holdcroft, S., Radu, A.-I. and Thomas, R.J. (2017b), “Jail, hero or drug lord? Turning a cyber
security course into an 11 Week choose your own adventure story”, USENIX Advancements in
Security Education Workshop (USENIX ASE’17), USENIX Association.
CISA (2022), “CISA cybersecurity awareness program”, CISA, available at:
www.cisa.gov/cybersecurity-awareness-month
Coenraad, M., Pellicone, A., Ketelhut, D.J., Cukier, M., Plane, J. and Weintrop, D. (2020), “Experiencing
cybersecurity one game at a time: a systematic review of cybersecurity digital games”,
Simulation and Gaming, Vol. 51 No. 5, pp. 586-611.
Compte, A.L., Watson, T. and Elizondo, D. (2015), “A renewed approach to serious games for cyber
security”, 7th International Conference on Cyber Conflict: Architectures in Cyberspace, NATO
CCD COE Publications, pp. 203-216.
Coventry, L., Briggs, P., Briggs, P. and Tran, M. (2014), “Using behavioural insights to improve the
public’s use of cyber security best practices”, UK Government Office for Science.
Denning, T., Lerner, A., Shostack, A. and Kohno, T. (2013), “Control-Alt-Hack: the design and
evaluation of a card game for computer security awareness and education”, Proceedings of the
2013 ACM SIGSAC conference on Computer and communications security, Berlin, Germany,
ACM, pp. 915-923.
Denning, T., Lerner, A., Shostack, A. and Kohno, T. (2013), “Control-Alt-Hack: the design and
evaluation of a card game for computer security awareness and education”, Conference on
Computer and Communications Security, ACM, pp. 915-928.
Dupuis, M. and Renaud, K. (2021), “Scoping the ethical principles of cybersecurity fear appeals”, Ethics
and Information Technology, Vol. 23 No. 3, pp. 265-284.
ENISA (2018), “Cybersecurity culture guidelines: behavioural aspects of cybersecurity”, European
Union Agency For Network and Information Security.
ENISA (2021), “Cybersecurity for SMES challenges and recommendations”, European Union Agency
for Cybersecurity, ENISA.
Farooq, A. (2019), In Quest of Information Security in Higher Education Institutions, University of
Turku, Turku.
FBI (2020), “Internet crime report”, FBI IC3.
Fogg, B.J. (2009), “A behavior model for persuasive design”, Persuasive ’09: Proceedings of the 4th
International Conference on Persuasive Technology, ACM, pp. 1-7.
Forcepoint (2018), “2018 security predictions”, FORCEPOINT Security Labs.
Furnell, A. L., Khern-Am-Nuai, W., Esmael, R., Yang, W. and Li, N. (2018), “Enhancing security
behaviour by supporting the user”, Computers and Security, Vol. 75, pp. 1-9.
Gasiba, T.E., Lechner, U. and Pinto-Albuquerque, M. (2021), “Cyber security challenges: serious games
for awareness training in industrial environments”, Arxiv, available at:
https://arxiv.org/abs/2102.10432
Ghazvini, A. and Shukur, Z. (2017), “A framework for an effective information security awareness
program in healthcare”, International Journal of Advanced Computer Science and Applications,
Vol. 8 No. 2, pp. 193-205.
Gondree, M. and Peterson, Z.N. (2013), “Valuing security by getting [d0x3d!]: experiences with a
network security board game”, 6th Workshop on Cyber Security Experimentation and Test.
Washington, DC, D.C, USENIX Association.
Graffer, I., Bartnes, M. and Bernsmed, K. (2015), “Play2Prepare: a board game supporting it security
preparedness exercises for industrial control organizations”, Norsk Informasjonssikkerhetskonferanse
(NISK), pp. 58-69.
Haggman, A. (2019), Cyber Wargaming: Finding, Designing, and Playing Wargames for Cyber Security
Education, Royal Holloway, University of London, London.
Hart, S., Margheri, A., Paci, F. and Sassone, V. (2020), “Riskio: a serious game for cyber security
awareness and education”, Computers and Security, Vol. 95, doi: 10.1016/j.cose.2020.101827.
Hendrix, M., Al-Sherbaz, A. and Bloom, V. (2016), “Game based cyber security training: are serious
games suitable for cyber security training?”, International Journal of Serious Games, Vol. 3 No. 1.
Hom, E.J. (2022), “Mobile device security: startling statistics on data loss and data breaches”, Channel
Network, available at:
www.channelpronetwork.com/article/mobile-device-security-startling-statistics-data-loss-and-data-breaches
Hutchinson, G. and Ophoff, J. (2019), “A descriptive review and classification of organizational
information security awareness research”, 18th International Information Security Conference,
ISSA 2019, Johannesburg, Springer, pp. 114-130.
IBM Security (2020), “Cost of data breach report 2020”, IBM.
IBM Security (2021), “Cost of a data breach report 2021”, IBM.
IJsselsteijn, W., Kort, Y. D. and Poels, K. (2013), The Game Experience Questionnaire, Technische
Universiteit Eindhoven, Eindhoven.
ITA (2022), “Smartphone Theft Statistics”, Identity Theft Awareness, available at:
www.identity-theft-awareness.com/smartphone-theft-statistics.html
Jansen, J. and Schaik, P. V (2018), “Persuading end users to act cautiously online: a fear appeals study
on phishing”, Information and Computer Security, Vol. 26 No. 3.
Jansen, J. and Schaik, P. V (2019), “The design and evaluation of a theory-based intervention to promote
security behaviour against phishing”, International Journal of Human-Computer Studies,
Vol. 123, pp. 40-55.
Johnston, A.C. and Warkentin, M. (2010), “Fear appeals and information security behaviors: an
empirical study”, MIS Quarterly, Vol. 34 No. 3, pp. 549-566.
Jordan, B., Johnson, B., Witschey, J. and Murphy-Hill, E. (2014), “Designing interventions to persuade
software developers to adopt security tools”, SIW ’14: Proceedings of the 2014 ACM Workshop
on Security Information Workers, ACM, AZ, pp. 35-38.
Kävrestad, J. and Nohlberg, M. (2021), “Evaluation strategies for cybersecurity training methods:
a literature review”, Human Aspects of Information Security and Assurance. HAISA,
Vol. 2021.
Kävrestad, J., Hagberg, A., Nohlberg, M., Rambusch, J., Roos, R. and Furnell, S. (2022), “Evaluation
of contextual and game-based training for phishing detection”, Future Internet, Vol. 14
No. 4.
Kulshrestha, S., Agrawal, S., Gaurav, D., Chaturvedi, M., Sharma, S. and Bose, R. (2021), “Development
and validation of serious games for teaching cybersecurity”, Joint International Conference on
Serious Games 2021, Springer, Cham, pp. 247-262.
Larson, K. (2020), “Serious games and gamification in the corporate training environment: a literature
review”, TechTrends, Vol. 64 No. 2, pp. 319-328.
Lebek, B., Uffen, J., Breitner, M.H., Neumann, M. and Hohler, B. (2013), “Employees’ information
security awareness and behavior: a literature review”, 46th HI International Conference on
System Sciences. IEEE Computer Society.
Lebow, D. (1993), “Constructivist values for instructional systems design: five principles toward a new
mindset”, Educational Technology Research and Development, Vol. 41 No. 3, pp. 4-16.
Liljestrand, I., Gonzales, M. and Shin, D. (2019), “Developing a mental model for use in the context of
computer security”, SAC ’19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied
Computing, Cyprus, ACM, pp. 2336-2339.
Lope, R.P. and Medina, N.M. (2016), “A comprehensive taxonomy for serious games”, Journal of
Educational Computing Research, pp. 1-44.
Lopes, I.G., Morenets, Y., Inacio, P.R. and Silva, F.G. (2018), “Cyber-detective – a game for cyber crime
prevention”, Play2Learn 2018 Proceedings, pp. 175-191.
Løvgren, D.E., Li, J. and Oyetoyan, T.D. (2019), “A data-driven security game to facilitate information
security education”, 2019 IEEE/ACM 41st International Conference on Software Engineering:
Companion Proceedings (ICSE-Companion), IEEE.
MeitY (2022), “Cyber Swachhta Kendra”, Cyber Swachhta Kendra, available at:
www.csk.gov.in/index.html
Mekler, E.D., Bopp, J.A., Tuch, A.N. and Opwis, K. (2014), “A systematic review of quantitative studies
on the enjoyment of digital entertainment games”, CHI’14: Proceedings of the SIGCHI
Conference on Human Factors in Computing Systems, ACM, New York, NY, pp. 927-936.
Michie, S., Stralen, M.M. and West, R. (2011), “The behaviour change wheel: a new method for characterising
and designing behaviour change interventions”, Implementation Science, Vol. 6 No. 1.
Mohadis, H.M. and Ali, N.M. (2014), “A study of smartphone usage and barriers among the elderly”, 3rd
International Conference on User Science and Engineering (i-USEr), IEEE, pp. 109-114.
Nabi, R.L. and Myrick, J.G. (2018), “Uplifting fear appeals: considering the role of hope in fear-based
persuasive messages”, Health Communication, Vol. 34 No. 4.
Nabi, R. and Myrick, J.G. (2019), “Uplifting fear appeals: considering the role of hope in Fear-Based
persuasive messages”, Health Communication, Vol. 34 No. 4, pp. 463-474.
Nederhof, A.J. (1985), “Methods of coping with social desirability bias: a review”, European Journal of
Social Psychology, pp. 263-280.
NCSC (2022), “The national cyber security Centre”, The National Cyber Security Centre, available at:
www.ncsc.gov.uk/
Norman, K.L. (2013), “GEQ (game engagement/experience questionnaire): a review of two papers”,
Interacting with Computers, Vol. 25 No. 4, pp. 278-283.
O’Dea, S. (2021), “Number-of-smartphone-users-worldwide/”, available at:
www.statista.com/:www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/
OWASP (2012), “OWASP cornucopia”, Owasp, available at: https://owasp.org/www-project-cornucopia/
Pande, M. and Bharathi, S.V. (2020), “Theoretical foundations of design thinking – a
constructivism learning approach to design thinking”, Thinking Skills and Creativity,
Vol. 36, p. 100637.
Parkin, S., Redmiles, E.M., Coventry, L. and Sasse, M.A. (2019), “Security when it is welcome: exploring
device purchase as an opportune moment for security behavior change”, Workshop on Usable
Security (USEC) 2019. San Diego, CA, NDSS Symposium.
Renaud, K. and Dupuis, M. (2019), “Cyber security fear appeals: unexpectedly complicated”, NSPW’19:
Proceedings of the New Security Paradigms Workshop, ACM, pp. 42-56.
Roepke, R. and Schroeder, U. (2019), “The problem with teaching defence against the dark arts: a review
of game-based learning applications and serious games for cyber security education”, 11th
International Conference on Computer Supported Education (CSEDU 2019), SCITEPRESS –
Science and Technology Publications, pp. 58-66.
RSA (2020), “RSA quarterly fraud report”, RSA.
Salman, H.M., Ahmad, W.F. and Sulaiman, S. (2018), “Usability evaluation of the smartphone user
interface in supporting elderly users from experts’ perspective”, IEEE Access, Vol. 6,
pp. 22578-22591.
Shah, P.R. and Agarwal, A. (2020a), “Cybersecurity behaviour of smartphone users in India: an
empirical analysis”, Information and Computer Security, Vol. 28 No. 2.
Shah, P.R. and Agarwal, A. (2020b), “Cybersecurity behaviour of smartphone users through the lens of
Fogg behaviour model”, International Conference on Communication Systems Computing and
IT Applications, (CSCITA 2020), IEEE, Mumbai, India.
Shostack, A. (2010), “Elevation of privilege (EoP)”, microsoft.com, available at:
www.microsoft.com/en-in/download/details.aspx?id=20303#::text=Elevation%20of%20Privilege%20(EoP)%20is,or%20security%20experts%20can%20play
Tannenbaum, M.B., Hepler, J., Zimmerman, R.S., Saul, L., Jacobs, S., Wilson, K. and Albarracin, D.
(2015), “Appealing to fear: a meta-analysis of fear appeal effectiveness and theories”,
Psychological Bulletin, Vol. 141 No. 6, pp. 1178-1204.
Thinkfun (2022), “Hacker – Thinkfun”, Think Fun, available at: www.thinkfun.com/learn-coding/hacker/
Thompson, M. and Irvine, C. (2011a), “Active learning with the cyberciege video game”,
Proceedings of the 4th Conference on Cyber Security Experimentation and Test, USENIX
Association.
Thompson, M. and Irvine, C. (2011b), “Active learning with the CyberCIEGE video game”, CSET’11:
Proceedings of the 4th Conference on Cyber Security Experimentation and Test. ACM.
Tu, Z., Turel, O., Yuan, Y. and Archer, N. (2015), “Learning to cope with information security risks
regarding mobile device loss or theft: an empirical examination”, Information and Management,
Vol. 52 No. 4, pp. 506-517.
Verizon (2021), “Mobile Security Index 2021”, Verizon.
Visoottiviseth, V., Jongjariyangkul, T., Khambanguay, P. and Toranathumkul, C. (2018), “POMEGA:
Security game for building security awareness”, 25th International Computer Science and
Engineering Conference (ICSEC), IEEE, pp. 206-211.
Weanquoi, P., Johnson, J. and Zhang, J. (2018), “Using a game to improve phishing awareness”, Journal
of Cybersecurity Education, Research and Practice, Vol. 2018 No. 2, p. 2.
Wen, Z.A., Lin, Z., Chen, R. and Andersen, E. (2019), “What hack: engaging anti-phishing
training through a role-playing phishing simulation game”, CHI’19: Proceedings of the
2019 CHI Conference on Human Factors in Computing Systems, ACM, Glasgow,
pp. 1-12.
Williams, L., Meneely, A. and Shipley, G. (2010), “Protection poker: the new software security ‘game’”,
IEEE Security and Privacy Magazine, Vol. 8 No. 3, pp. 14-20.
Wittrin, R., Tolkmitt, V., Eibl, M., Pfleger, P., Wittrin, R., Platte, B. and Ritter, M. (2021), “Comparison of
serious games with established strategy games in the context of knowledge transfer”, Joint
International Conference on Serious Games, Springer, Cham, pp. 20-30.
Yasin, A., Liu, L., Li, T., Wang, J. and Zowghi, D. (2018), “Design and preliminary evaluation of a cyber
security requirements education game (SREG)”, Information and Software Technology, Vol. 95,
pp. 179-200.
Yusoff, A., Crowder, R., Gilbert, L. and Wills, G. (2009), “A conceptual framework for serious
games”, Ninth IEEE International Conference on Advanced Learning Technologies, IEEE,
pp. 21-23.
Zargham, N., Bahrini, M., Volkmar, G., Sohr, K., Malaka, R. and Wenig, D. (2019), “What could go
wrong?: raising mobile privacy and security awareness through a decision-making game”, CHI
PLAY’19 Extended Abstracts: Extended Abstracts of the Annual Symposium on Computer-
Human Interaction in Play Companion Extended Abstracts, ACM, pp. 805-812, doi: 10.1145/3341215.3356273.
Zhang, X.J., Li, Z.Z. and Deng, H. (2017), “Information security behaviours of smartphone users in
China: an empirical analysis”, The Electronic Library, Vol. 35 No. 6, pp. 1177-1190.
Further reading
Briggs, P., Jeske, D. and Coventry, L. (2017), “Behavior change interventions for cybersecurity:
psychological and technological perspectives”, in Little, L. Sillence, E. and Joinson, A., (Eds),
Behavior Change Research and Theory, Academic Press, Cambridge, pp. 115-136.
Frey, B.B. (2018), The Sage Encyclopedia of Educational Research, Measurement, and Evaluation, Sage
Publishers, CA.
Prey (2020), “Mobile theft and loss report 2020”, Prey, San Francisco.
Yasin, A., Liu, L., Li, T., Fatima, R. and Wang, J. (2019), “Improving software security awareness using
a serious game”, IET Software, Vol. 13 No. 2, pp. 159-169.

Corresponding author
Pintu Shah can be contacted at: pintu.shah@nmims.edu
