{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T20:00:41Z","timestamp":1780776041532,"version":"3.54.1"},"reference-count":54,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2022,3,25]],"date-time":"2022-03-25T00:00:00Z","timestamp":1648166400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Swedish Post and Telecom Authority - PTS","award":["19-10617"],"award-info":[{"award-number":["19-10617"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in acheiving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed.<\/jats:p>","DOI":"10.3390\/fi14040104","type":"journal-article","created":{"date-parts":[[2022,3,25]],"date-time":"2022-03-25T15:31:21Z","timestamp":1648222281000},"page":"104","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["Evaluation of Contextual and Game-Based Training for Phishing Detection"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2084-9119","authenticated-orcid":false,"given":"Joakim","family":"K\u00e4vrestad","sequence":"first","affiliation":[{"name":"School of Informatics, University of Sk\u00f6vde, 541 28 Sk\u00f6vde, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Allex","family":"Hagberg","sequence":"additional","affiliation":[{"name":"Xenolith AB, 541 34 Sk\u00f6vde, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5962-9995","authenticated-orcid":false,"given":"Marcus","family":"Nohlberg","sequence":"additional","affiliation":[{"name":"School of Informatics, University of Sk\u00f6vde, 541 28 Sk\u00f6vde, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jana","family":"Rambusch","sequence":"additional","affiliation":[{"name":"School of Informatics, University of Sk\u00f6vde, 541 28 Sk\u00f6vde, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Robert","family":"Roos","sequence":"additional","affiliation":[{"name":"Xenolith AB, 541 34 Sk\u00f6vde, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0984-7542","authenticated-orcid":false,"given":"Steven","family":"Furnell","sequence":"additional","affiliation":[{"name":"School of Computer Science, University of Nottingham, Nottingham NG7 2RD, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2022,3,25]]},"reference":[{"key":"ref_1","unstructured":"OECD (2019). Hows Life in the Digital Age?, OECD Publishing."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"120293","DOI":"10.1016\/j.techfore.2020.120293","article-title":"Internet adoption and financial development in sub-Saharan Africa","volume":"161","author":"Okafor","year":"2020","journal-title":"Technol. Forecast. Soc. Chang."},{"key":"ref_3","unstructured":"Anderson, M., and Perrin, A. (2017). Technology Use among Seniors, Pew Research Center for Internet & Technology."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1515\/nor-2017-0398","article-title":"Digital equality and the uptake of digital applications among seniors of different age","volume":"38","year":"2017","journal-title":"Nord. Rev."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Milana, M., Hodge, S., Holford, J., Waller, R., and Webb, S. (2022, March 06). A Year of COVID-19 Pandemic: Exposing the Fragility of Education and Digital in\/Equalities. Available online: https:\/\/www.tandfonline.com\/doi\/full\/10.1080\/02601370.2021.1912946.","DOI":"10.1080\/02601370.2021.1912946"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"e395","DOI":"10.1016\/S2589-7500(20)30169-2","article-title":"COVID-19 and the digital divide in the UK","volume":"2","author":"Watts","year":"2020","journal-title":"Lancet Digit. Health"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Joseph, D.P., and Norman, J. (2019). An analysis of digital forensics in cyber security. First International Conference on Artificial Intelligence and Cognitive Computing, Springer.","DOI":"10.1007\/978-981-13-1580-0_67"},{"key":"ref_8","unstructured":"Sfakianakis, A., Douligeris, C., Marinos, L., Louren\u00e7o, M., and Raghimi, O. (2019). ENISA Threat Landscape Report 2018: 15 Top Cyberthreats and Trends, ENISA."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/S1361-3723(20)30098-1","article-title":"Why is phishing still successful?","volume":"2020","author":"Bhardwaj","year":"2020","journal-title":"Comput. Fraud. Secur."},{"key":"ref_10","unstructured":"Dark Reading (2021, December 01). Phishing Remains the Most Common Cause of Data Breaches, Survey Says. Available online: https:\/\/www.darkreading.com\/edge-threat-monitor\/phishing-remains-the-most-common-cause-of-data-breaches-survey-says."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"154","DOI":"10.3390\/fi13060154","article-title":"Towards lightweight url-based phishing detection","volume":"13","author":"Butnaru","year":"2021","journal-title":"Future Internet"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"247","DOI":"10.1007\/s11235-017-0334-z","article-title":"Defending against phishing attacks: Taxonomy of methods, current issues and future directions","volume":"67","author":"Gupta","year":"2018","journal-title":"Telecommun. Syst."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"576","DOI":"10.1016\/j.dss.2011.03.002","article-title":"Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model","volume":"51","author":"Vishwanath","year":"2011","journal-title":"Decis. Support Syst."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/S1361-3723(17)30074-X","article-title":"Defending against spear-phishing","volume":"2017","author":"Steer","year":"2017","journal-title":"Comput. Fraud. Secur."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1109","DOI":"10.1016\/j.promfg.2015.07.185","article-title":"Taking the bait: A systems analysis of phishing attacks","volume":"3","author":"Lacey","year":"2015","journal-title":"Procedia Manuf."},{"key":"ref_16","first-page":"10862","article-title":"Effectiveness of information security awareness methods based on psychological theories","volume":"5","author":"Khan","year":"2011","journal-title":"Afr. J. Bus. Manag."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)","volume":"42","author":"Parsons","year":"2014","journal-title":"Comput. Secur."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: An action research study","volume":"34","author":"Puhakainen","year":"2010","journal-title":"MIS Q."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Bin Othman Mustafa, M.S., Kabir, M.N., Ernawan, F., and Jing, W. (2019, January 29). An enhanced model for increasing awareness of vocational students against phishing attacks. Proceedings of the 2019 IEEE International Conference on Automatic Control and Intelligent Systems (I2CACIS), Selangor, Malaysia.","DOI":"10.1109\/I2CACIS.2019.8825070"},{"key":"ref_20","unstructured":"Bada, M., Sasse, A.M., and Nurse, J.R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour?. arXiv."},{"key":"ref_21","unstructured":"Reinheimer, B., Aldag, L., Mayer, P., Mossano, M., Duezguen, R., Lofthouse, B., von Landesberger, T., and Volkamer, M. (2020, January 7\u201311). An investigation of phishing awareness and education over time: When and how to best remind users. Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), Santa Clara, CA, USA."},{"key":"ref_22","unstructured":"Lastdrager, E., Gallardo, I.C., Hartel, P., and Junger, M. (2017, January 12\u201314). How Effective is Anti-Phishing Training for Children?. Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017), Santa Clara, CA, USA."},{"key":"ref_23","unstructured":"Junglemap (2021, January 07). Nanolearning. Available online: https:\/\/junglemap.com\/nanolearning."},{"key":"ref_24","unstructured":"Gokul, C.J., Pandit, S., Vaddepalli, S., Tupsamudre, H., Banahatti, V., and Lodha, S. (2018, January 28\u201331). PHISHY\u2014A Serious Game to Train Enterprise Users on Phishing Awareness. Proceedings of the 2018 Annual Symposium on Computer-Human Interaction in Play Companion Extended Abstracts, Melbourne, Australia."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"1105","DOI":"10.1007\/s11277-016-3380-z","article-title":"Design of Security Training System for Individual Users","volume":"90","author":"Lim","year":"2016","journal-title":"Wirel. Pers. Commun."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"102","DOI":"10.1016\/j.cose.2017.10.008","article-title":"Social engineering in cybersecurity: The evolution of a concept","volume":"73","author":"Hatfield","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"22","DOI":"10.1016\/j.ijhcs.2018.05.011","article-title":"Ethical guidelines for nudging in information security & privacy","volume":"120","author":"Renaud","year":"2018","journal-title":"Int. J. Hum.-Comput. Stud."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Gjertsen, E.G.B., Gjaere, E.A., Bartnes, M., and Flores, W.R. (2017, January 19\u201321). Gamification of Information Security Awareness and Training. Proceedings of the 3rd International Conference on Information Systems Security and Privacy, SiTePress, Set\u00fabal, Portugal.","DOI":"10.5220\/0006128500590070"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"101586","DOI":"10.1016\/j.cose.2019.101586","article-title":"Evaluating the effectiveness of learner controlled information security training","volume":"87","author":"Abraham","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Siponen, M., and Baskerville, R.L. (2018). Intervention effect rates as a path to research relevance: Information systems security example. J. Assoc. Inf. Syst., 19.","DOI":"10.17705\/1jais.00491"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Wen, Z.A., Lin, Z., Chen, R., and Andersen, E. (2019, January 4\u20139). What. hack: Engaging anti-phishing training through a role-playing phishing simulation game. Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, Glasgow, UK.","DOI":"10.1145\/3290605.3300338"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"K\u00e4vrestad, J., and Nohlberg, M. (2020). Assisting Users to Create Stronger Passwords Using ContextBased MicroTraining. IFIP International Conference on ICT Systems Security and Privacy Protection, Springer.","DOI":"10.1007\/978-3-030-58201-2_7"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1108\/09685220010371394","article-title":"A conceptual foundation for organizational information security awareness","volume":"8","author":"Siponen","year":"2000","journal-title":"Inf. Manag. Comput. Secur."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness","volume":"34","author":"Bulgurcu","year":"2010","journal-title":"MIS Q."},{"key":"ref_35","unstructured":"Hu, S., Hsu, C., and Zhou, Z. (2021). Security education, training, and awareness programs: Literature review. J. Comput. Inf. Syst., 1\u201313."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Aldawood, H., and Skinner, G. (2019, January 19\u201321). An academic review of current industrial and commercial cyber security social engineering solutions. Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, Kuala Lumpur, Malaysia.","DOI":"10.1145\/3309074.3309083"},{"key":"ref_37","first-page":"5","article-title":"Security awareness training: A review","volume":"1","author":"Basir","year":"2017","journal-title":"Proc. World Congr. Eng."},{"key":"ref_38","unstructured":"EC-Council (2021, May 31). The Top Types of Cybersecurity Attacks of 2019, Till Date. Available online: https:\/\/blog.eccouncil.org\/the-top-types-of-cybersecurity-attacks-of-2019-till-date\/."},{"key":"ref_39","unstructured":"Cybint (2022, March 06). 15 Alarming Cyber Security Facts and Stats. Available online: https:\/\/www.cybintsolutions.com\/cyber-security-facts-stats\/."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Sharif, K.H., and Ameen, S.Y. (2020, January 23\u201324). A review of security awareness approaches with special emphasis on gamification. Proceedings of the 2020 International Conference on Advanced Science and Engineering (ICOASE), Duhok, Iraq.","DOI":"10.1109\/ICOASE51841.2020.9436595"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.ijhcs.2018.06.004","article-title":"Exploring susceptibility to phishing in the workplace","volume":"120","author":"Williams","year":"2018","journal-title":"Int. J. Hum.-Comput. Stud."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.eswa.2018.03.050","article-title":"A survey of phishing attacks: Their types, vectors and technical approaches","volume":"106","author":"Chiew","year":"2018","journal-title":"Expert Syst. Appl."},{"key":"ref_43","unstructured":"Microsoft (2021, December 30). Protect Yourself from Phishing. Available online: https:\/\/support.microsoft.com\/en-us\/windows\/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44."},{"key":"ref_44","unstructured":"Imperva (2021, December 30). Phishing Attacks. Available online: https:\/\/www.imperva.com\/learn\/application-security\/phishing-attack-scam\/."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Cuve, H.C., Stojanov, J., Roberts-Gaal, X., Catmur, C., and Bird, G. (2021). Validation of Gazepoint low-cost eye-tracking and psychophysiology bundle. Behav. Res. Methods, 1\u201323.","DOI":"10.31234\/osf.io\/7nz9y"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"MacFarland, T.W., and Yates, J.M. (2016). Kruskal\u2013Wallis H-test for oneway analysis of variance (ANOVA) by ranks. Introduction to Nonparametric Statistics for the Biological Sciences Using R, Springer.","DOI":"10.1007\/978-3-319-30634-6_6"},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3429888","article-title":"The nudge puzzle: Matching nudge interventions to cybersecurity decisions","volume":"28","author":"Zimmermann","year":"2021","journal-title":"ACM Trans. Comput.-Hum. Interact. (TOCHI)"},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1016\/j.ijhcs.2018.11.003","article-title":"Using protection motivation theory in the design of nudges to improve online security behavior","volume":"123","author":"Vila","year":"2019","journal-title":"Int. J. Hum.-Comput. Stud."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"1316","DOI":"10.1177\/0162243921992844","article-title":"Hacking humans? Social Engineering and the construction of the \u201cdeficient user\u201d in cybersecurity discourses","volume":"46","author":"Wentland","year":"2021","journal-title":"Sci. Technol. Hum. Values"},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"168","DOI":"10.3390\/fi12100168","article-title":"Phishing attacks survey: Types, vectors, and technical approaches","volume":"12","author":"Alabdan","year":"2020","journal-title":"Future Internet"},{"key":"ref_51","first-page":"98","article-title":"Identifying behavioral constructs in relation to user cybersecurity behavior","volume":"9","author":"Mashiane","year":"2021","journal-title":"Eurasian J. Soc. Sci."},{"key":"ref_52","first-page":"1","article-title":"Evaluating user susceptibility to phishing attacks","volume":"309","author":"Das","year":"2022","journal-title":"Inf. Comput. Secur."},{"key":"ref_53","first-page":"7058972","article-title":"Predicting User Susceptibility to Phishing Based on Multidimensional Features","volume":"2022","author":"Yang","year":"2022","journal-title":"Comput. Intell. Neurosci."},{"key":"ref_54","unstructured":"Swedish Research Council (2021, December 30). Good Research Practice, Available online: https:\/\/www.vr.se\/english\/analysis\/reports\/our-reports\/2017-08-31-good-research-practice.html."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/14\/4\/104\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:43:21Z","timestamp":1760136201000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/14\/4\/104"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,3,25]]},"references-count":54,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2022,4]]}},"alternative-id":["fi14040104"],"URL":"https:\/\/doi.org\/10.3390\/fi14040104","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,3,25]]}}}