Role-playing game for studying user behaviors in security: A case study on email secrecy

Abstract

Understanding the capabilities of adversaries (e.g., how much the adversary knows about a target) is important for building strong security defenses. Computing an adversary's knowledge about a target requires new modeling techniques and experimental methods. Our work describes a quantitative analysis technique for modeling an adversary's knowledge about private information at workplace. Our technical enabler is a new emulation environment for conducting user experiments on attack behaviors. We develop a role-playing cyber game for our evaluation, where the participants take on the adversary role to launch ID theft attacks by answering challenge questions about a target. We measure an adversary's knowledge based on how well he or she answers the authentication questions about a target. We present our empirical modeling results based on the data collected from a total of 36 users.