{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:18:49Z","timestamp":1754158729808,"version":"3.41.2"},"reference-count":43,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2018,7,9]],"date-time":"2018-07-09T00:00:00Z","timestamp":1531094400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2018,7,9]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>Security questions are one of the techniques used to recover forgotten passwords. However, security questions have both security and memorability limitations. To limit their security vulnerabilities, stronger answers need to be used. As serious games can motivate users to change their security behaviour, the purpose of this paper is to explore the features and functionalities that users would require in a serious game that educates them to provide stronger answers to security questions.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>A lab study was conducted to collect users\u2019 feedback on the desired game features and functionalities. In Stage 1, participants selected security questions\/answers. In Stage 2, participants played a game and evaluated the usability and the provided features.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>The main findings reveal that most participants found the current features and functionalities to be desirable; socially oriented functionalities (e.g. getting help from other players) did not seem desirable because users feared that their acquaintances could gain access to their security questions.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>This research recommends that designers of serious games for security education should: use intrinsic rewards to motivate users to have a better learning experience; provide easier challenges during the training period and provide harder challenges only when the game determines that the users learned to play the game; and design their games for mobile devices because even users who usually do not play games would play a security education game on a mobile device.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-03-2018-0033","type":"journal-article","created":{"date-parts":[[2018,6,1]],"date-time":"2018-06-01T07:07:25Z","timestamp":1527836845000},"page":"365-378","source":"Crossref","is-referenced-by-count":6,"title":["Security questions education: exploring gamified features and functionalities"],"prefix":"10.1108","volume":"26","author":[{"given":"Nicholas","family":"Micallef","sequence":"first","affiliation":[]},{"given":"Nalin Asanka Gamagedara","family":"Arachchilage","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"first-page":"211","article-title":"Evaluating the effectiveness of using hints for autobiographical authentication: a field study","year":"2015","key":"key2020092802022703800_ref001"},{"issue":"2","key":"key2020092802022703800_ref002","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1037\/h0033773","article-title":"Recognition and retrieval processes in free recall","volume":"79","year":"1972","journal-title":"Psychological Review"},{"key":"key2020092802022703800_ref003","doi-asserted-by":"crossref","first-page":"185","DOI":"10.1016\/j.chb.2016.02.065","article-title":"Phishing threat avoidance behaviour: an empirical investigation","volume":"60","year":"2016","journal-title":"Computers in Human Behavior"},{"first-page":"S2D-1","article-title":"Internet security games as a pedagogic tool for teaching network security","year":"2005","key":"key2020092802022703800_ref004"},{"key":"key2020092802022703800_ref005","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1016\/S0079-7421(08)60422-3","article-title":"Human memory: a proposed system and its control processes","volume":"2","year":"1968","journal-title":"Psychology of Learning and Motivation"},{"issue":"3","key":"key2020092802022703800_ref006","first-page":"114","article-title":"Determining what individual SUS scores mean: adding an adjective rating scale","volume":"4","year":"2009","journal-title":"Journal of Usability Studies"},{"first-page":"98","article-title":"What\u2019s in a name? Evaluating statistical attacks on personal knowledge questions","year":"2010","key":"key2020092802022703800_ref008"},{"first-page":"141","article-title":"Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google","year":"2015","key":"key2020092802022703800_ref007"},{"key":"key2020092802022703800_ref009","first-page":"4","article-title":"SUS-A quick and dirty usability scale","volume-title":"Usability Evaluation in Industry","year":"1996"},{"key":"key2020092802022703800_ref010","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1016\/j.cose.2013.05.005","article-title":"A framework for continuous, transparent mobile device authentication","volume":"39","year":"2013","journal-title":"Computers & Security"},{"first-page":"20","article-title":"Applying puzzle-based learning to cyber-security education","year":"2013","key":"key2020092802022703800_ref011"},{"issue":"6","key":"key2020092802022703800_ref012","doi-asserted-by":"crossref","first-page":"627","DOI":"10.1037\/0033-2909.125.6.627","article-title":"A meta-analytic review of experiments examining the effects of extrinsic rewards on intrinsic motivation","volume":"125","year":"1999","journal-title":"Psychological Bulletin"},{"first-page":"2615","article-title":"Exploring implicit memory for painless password recovery","year":"2011","key":"key2020092802022703800_ref013"},{"first-page":"915","article-title":"Control-Alt-Hack: the design and evaluation of a card game for computer security awareness and education","year":"2013","key":"key2020092802022703800_ref014"},{"key":"key2020092802022703800_ref015","first-page":"118","article-title":"Classifying serious games: the G\/P\/S model","volume":"2","year":"2011","journal-title":"Handbook of Research on Improving Learning and Motivation through Educational Games: Multidisciplinary Approaches"},{"key":"key2020092802022703800_ref016","article-title":"Persuasive technology: using computers to change what we think and do","volume":"5","year":"2002","journal-title":"Ubiquity"},{"issue":"6","key":"key2020092802022703800_ref017","first-page":"20","article-title":"Email-based identification and authentication: an alternative to PKI?","volume":"99","year":"2003","journal-title":"IEEE Security & Privacy"},{"issue":"3","key":"key2020092802022703800_ref018","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MSP.2013.69","article-title":"Security through play","volume":"11","year":"2013","journal-title":"IEEE Security & Privacy"},{"key":"key2020092802022703800_ref019","unstructured":"Google Play (2014), \u201c4 Pics 1 Word\u201d, available at: https:\/\/play.google.com\/store\/apps\/details?id=de.lotum.whatsinthefoto.us&hl=en (accessed 10 July 2017)."},{"first-page":"1383","article-title":"I know what you did last week! Do you? Dynamic security questions for fallback authentication on smartphones","year":"2015","key":"key2020092802022703800_ref020"},{"first-page":"169","article-title":"Where have you been? Using location-based security questions for fallback authentication","year":"2015","key":"key2020092802022703800_ref021"},{"first-page":"8","article-title":"Personal choice and challenge questions: a security and usability assessment","year":"2009","key":"key2020092802022703800_ref022"},{"issue":"1","key":"key2020092802022703800_ref023","doi-asserted-by":"crossref","first-page":"99","DOI":"10.2202\/1944-2866.1013","article-title":"Challenging challenge questions: an experimental analysis of authentication technologies and user behaviour","volume":"2","year":"2010","journal-title":"Policy & Internet"},{"article-title":"Data driven authentication: on the effectiveness of user behaviour modelling with mobile device sensors","volume-title":"Mobile Security Technologies Workshop (MoST 2014)","year":"2014","key":"key2020092802022703800_ref024"},{"key":"key2020092802022703800_ref025","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.ijhcs.2016.12.003","article-title":"An evaluation of the game changer password system: a new approach to password security","volume":"100","year":"2017","journal-title":"International Journal of Human-Computer Studies"},{"issue":"4","key":"key2020092802022703800_ref026","doi-asserted-by":"crossref","first-page":"154","DOI":"10.5121\/ijnsa.2011.3414","article-title":"An ancient Indian board game as a tool for authentication","volume":"3","year":"2011","journal-title":"International Journal of Network Security & Its Applications"},{"year":"2017","key":"key2020092802022703800_ref027","article-title":"A gamified approach to improve users\u2019 memorability of fall-back authentication"},{"year":"2017","key":"key2020092802022703800_ref028","article-title":"Changing users\u2019 security behaviour towards security questions: a game based learning approach"},{"first-page":"177","article-title":"Involving users in the design of a serious game for security questions education","year":"2017","key":"key2020092802022703800_ref029"},{"year":"2017","key":"key2020092802022703800_ref030","article-title":"A serious game design: nudging users\u2019 memorability of security questions"},{"year":"2011","key":"key2020092802022703800_ref031","article-title":"Using avatars for improved authentication with challenge questions"},{"first-page":"112","article-title":"Time to exercise! An aide-memoire stroke app for post-stroke arm rehabilitation","year":"2016","key":"key2020092802022703800_ref032"},{"first-page":"371","article-title":"Stop annoying me! An empirical investigation of the usability of app privacy notifications","year":"2017","key":"key2020092802022703800_ref033"},{"first-page":"284","article-title":"Why aren\u2019t users using protection? Investigating the usability of smartphone locking","year":"2015","key":"key2020092802022703800_ref034"},{"first-page":"189","article-title":"Sensor use and usefulness: trade-offs for data-driven authentication on mobile devices","year":"2015","key":"key2020092802022703800_ref035"},{"first-page":"41","article-title":"Phish phinder: a gamified approach to enhance user confidence in mitigating phishing attacks","year":"2017","key":"key2020092802022703800_ref036"},{"first-page":"13","article-title":"Personal knowledge questions for fallback authentication: security questions in the era of Facebook","year":"2008","key":"key2020092802022703800_ref037"},{"first-page":"375","article-title":"It\u2019s no secret. Measuring the security and reliability of authentication via secret questions","year":"2009","key":"key2020092802022703800_ref038"},{"first-page":"7","article-title":"Correct horse battery staple: exploring the usability of system-assigned passphrases","year":"2012","key":"key2020092802022703800_ref039"},{"first-page":"35","article-title":"Codes v. people: a comparative usability study of two password recovery mechanisms","year":"2016","key":"key2020092802022703800_ref040"},{"issue":"2","key":"key2020092802022703800_ref041","first-page":"273","article-title":"Pass-go: a proposal to improve the usability of graphical passwords","volume":"7","year":"2008","journal-title":"IJ Network Security"},{"first-page":"113","article-title":"Life-experience passwords (leps)","year":"2016","key":"key2020092802022703800_ref042"},{"first-page":"137","article-title":"User authentication by cognitive passwords: an empirical assessment","year":"1990","key":"key2020092802022703800_ref043"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2018-0033\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2018-0033\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:46Z","timestamp":1753406566000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/26\/3\/365-378\/192329"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,7,9]]},"references-count":43,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2018,7,9]]}},"alternative-id":["10.1108\/ICS-03-2018-0033"],"URL":"https:\/\/doi.org\/10.1108\/ics-03-2018-0033","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2018,7,9]]}}}