A Review of Gamification Applied to Phishing

Abstract: Phishing is a set of devastating techniques that lure target users into providing critical resources. They succeed because they rely on human weaknesses. Gamification, a recent and non-traditional learning method whose purpose is to motivate and engage users to carry out activities, is increasingly applied to prevent such cyber threats. This paper provides the first survey of gamified solutions dedicated to education against phishing from 2007 to 2019. The investigation covers eight proposals in terms of core concepts, game mechanics and learning process. We provide three taxonomies of dimensions to systematically characterize research on gamified solutions, discuss the shortcomings of the surveyed works and open further directions to enhance this research area. Some key results are: solutions do not consider the elementary level of knowledge and do not offer basic notions; solutions are not adapted to a general audience and are therefore not reliably applicable in different contexts; platforms only partially educate about phishing; learners are evaluated predictably and within a short period. This study constitutes a cornerstone for understanding and enhancing research on phishing education.


Introduction
Phishing is defined as "a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials" [1]. Phishing is one of the serious threats within cybersecurity [2]. The Anti-Phishing Working Group (APWG) reported that the first quarter of 2018 recorded an increase in the number of phishing attacks of up to 46% compared to the last quarter of 2017. Phishing exploits users' weaknesses as well as computer or technology weaknesses [3,4].
Phishing attacks can be delivered through three main media, namely the Internet, Short Message Service (SMS) and voice, with the help of social engineering tricks. Financial gain, fame and notoriety are the main motivations behind phishing [5]. One mechanism in the literature to slow down phishing is to provide up-to-date surveys to readers for examining gaps and open issues. Authors survey attacker strategies and solutions to detect and prevent phishing ([5][6][7][8]). They also propose solution taxonomies and elaborate the challenges and issues towards which research should be oriented to mitigate this flaw. Preventive solutions consist in increasing awareness and educating users by designing educational platforms. A new and interesting potential in the 21st century for building such learning tools is called gamification [9]. It provides an immediate change in end-user behavior [10]. Gamification is an interactive mode of education on a specific topic, engaging and keeping the learner focused on activities with fun, compared to traditional methods like instructor-based or email-based message

Phishing
Phishing is a cybersecurity threat recognized online as identity theft, which has evolved significantly since the first attack on users' accounts of America On-Line (AOL) in 1996 [5]. Attack strategies always fall into one of three groups: mimicking attacks, where attackers lure their victims with visually deceptive tricks [2]; and forwarding and pop-up attacks, where the attacker mainly uses man-in-the-middle techniques and tools. Among the well-known phishing attacks encountered in the literature are the following:

Spear Phishing
Spear phishing is recognized as a targeted attack, in contrast to the traditional approach where the attacker sends massive numbers of emails to random addresses. With spear phishing, the attack is designed for a specific group of persons or an organization.

Social Engineering
This type of attack is frequently delivered through emails, websites and social media, among others. The purpose is to make potential victims believe that they are taking a rational action, while it is in fact an emotional one.

Drive-by-download
This attack infects the victim's computer with a malicious program (malware), virus or shellcode. The malicious program can infect the machine through a document attached to an email or when the user visits a malicious website.

Whaling
The whaling attack, like spear phishing, is a targeted attack. It targets senior executives of organizations or enterprises who hold high privileges. This kind of attack requires more effort and time from phishers because they need to study and spy on their potential victims in order to design and deliver an accurate phishing attack.

Smishing
Smishing is a form of phishing attack through Short Message Service (SMS).

Vishing
Vishing is a form of phishing attack delivered through voice calls, conducted mainly via VoIP.
These are only a few forms of phishing attack among a wide range of possible attack scenarios. Refer to [2] for a landscape overview of phishing attacks and possible combinations of them.

Gamification
This section presents concepts around gamification.

Definitions
The literature adopted the definition of Deterding and colleagues, stating that gamification is "the use of game design elements in non-game context" [18]. The concept of gamification has spread to many domains of activity and, depending on the domain, this definition can differ slightly. For instance, concerning education and training, it is defined as "the use of game-based mechanics, aesthetics, and thinking to engage people, motivate action, promote learning, and solve problems" [19]. Gamification is encountered in fields like marketing and business, health, public governance and learning, to name just a few. Indeed, game-based learning is recognized to enhance learner motivation, outcomes and participation in activities [20].

Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 8 March 2020 doi:10.20944/preprints202003.0139.v1

Categories
There are two categories or types of gamification: structural gamification and content gamification [21]. Structural gamification is the process of applying game elements to drive learning through content without altering that content. The learning content does not become game-like, but the structures around it do. With content gamification, in contrast, game-like content and game-thinking elements alter the learning content and make it more game-like, for example by using a story or challenges to present lessons.

Mechanics
The game mechanics used for a gamification project differ from one project to another. Common ones are points, used to reinforce and reward good actions or behavior; badges, which are generally digital tokens used to mark achievements and provide some kind of recognition; and leaderboards, used mainly for ranking and viewable as public recognition of the work done. These three elements represent the core gamification elements encountered in the literature ([12,22,23]). Levels, challenges or quests can be added to these elements. Kim et al. [24], however, propose a taxonomy with fifteen elements for the education domain.

Gamification designs
There are four frameworks relevant for designing gamified solutions in the literature.
a) User-Centered Design: the user-centered approach focuses on the user. User needs and goals are the central objectives of this design and of its development process. According to Nicholson et al. [25], "this framework places the user at the center of the experience and designing process with their needs and desires in the mind".
b) MDA framework: the MDA gamification framework was proposed by Hunicke et al. [26]. This theoretical framework stands for Mechanics, Dynamics, and Aesthetics and is mainly used for pure game design. It breaks the game design process into three steps: rules, system and fun. These steps are translated respectively into mechanics, dynamics and aesthetics: mechanics describes the particular components of the game at the level of data representation and algorithms; dynamics describes the run-time behavior of the mechanics; and aesthetics describes the emotional response when the player interacts with the game system.
c) Schell's framework: Schell's gamification framework [27] considers four game elements: story, mechanism, technology and aesthetics. Story represents the sequence of events that the player experiences while playing the game. Mechanism describes the rules and procedures of the game and affects the evolution of the story. Technology includes the materials and hardware for game creation. Aesthetics deals with the look and feel that the player gets within the game through audio and visual elements, which directly influence the player experience.
d) Werbach and Hunter's framework: this framework was proposed by Werbach and Hunter [28], is commonly known as the 6D framework and encompasses the following steps: definition of business objectives, then targeting the outcome behaviors; description of the players; devising the activity loops without losing the fun; and, as the last step, deploying the gamified solution with the necessary tools.
Mora et al. [29] propose to classify the different frameworks into three categories: user-centered, game-centered and technology-centered, with self-determination theory (SDT) as the predominant approach to support intrinsic motivation.

Games vs. Rewards vs. Gamification
Games, rewards and gamification are more or less related and share similar mechanics [21]. Rewards programs use game mechanics to engage users at the transactional level and are mainly used in the business domain to keep users in a consumption loop. Games are more related to entertainment, with fun as their primary currency. Their activities are chosen for their light-hearted character. They are governed by rules and are uncertain, since the outcome can be other than what the player expects. Games also use fiction to immerse the player in an imaginary world [29]. Gamification has different purposes from games and rewards programs. There is no entertainment but there is fun: the objective is to motivate people to carry out otherwise boring tasks in a fun way [29]. It engages users at the emotional level for attitude and behavior change, as well as knowledge acquisition [30]. Nevertheless, there are no clear boundaries between the concepts of games, rewards programs and gamification [19].

Methodology
The research methodology follows seven main steps:
• The first step defines the research questions required to set the scope of the paper and identifies the relevant information for collecting the literature.
• The second step consists in selecting the search keywords able to retrieve the largest possible set of relevant publications.
• The third step is a keyword-based search on Google Scholar.
• In the fourth step, exclusion criteria are used to filter the results.
• The sets of results from both search strategies are merged to produce the overall list of publications to review.
• A pre-processing of the selected papers is made with the aim of identifying criteria to categorize them. A systematic literature review taxonomy based on those criteria is built.
• The reviewed results are analyzed to identify gaps and future directions within the "malware detection based on system calls" research area.

Research Questions
This paper aims to address three research questions:
RQ1: How to classify current research on gamification solutions for phishing?
RQ2: What is the current state of gamification for phishing with respect to the proposed taxonomies?
RQ3: What are the weaknesses in the current research and what enhancements can be performed?

Search Strategy
Several keywords have been used to perform the search. The search terms include keywords related to (1) gamification, (2) phishing, (3) phishing education, (4) learning and (5) awareness. Table 1 shows the keywords used in a manual investigation in Google Scholar; for instance, line 6 = phishing AND learning.

Inclusion and Exclusion Criteria
Google Scholar was exclusively used as the collection repository of retrieved papers. The search done using the terms in Table 1 provided a dataset of 110 papers. The dataset was then filtered based on exclusion and inclusion criteria.
Papers excluded are those:
• dealing with educational solutions other than gamification, such as gaming;
• dealing with cyber security in general;
• which apply gamification to areas other than phishing.
Papers retained are those dealing with gamification applied specifically to phishing and its related forms such as spear-phishing, vishing, etc. Thirty (24) papers remained after applying the above criteria. A careful manual filtering was performed to purge irrelevant publications related to this area. This activity allowed keeping eight (08) papers. Figure 1 shows these papers by publication year.

Taxonomies
This paper provides different dimensions and properties found in existing surveys. The proposed taxonomy is designed as three sub-taxonomies relying on the surveyed works. The hierarchy of that taxonomy categorizes research following three questions:
1. What are the contextual characteristics of the gamification solutions?
2. What are the structural components of the gamified systems?
3. How do authors evaluate and validate their solutions?

Taxonomy 1
The first part of the taxonomy concerns the characterization of the game. It includes five dimensions, as shown in Figure 2. Hunter's. They can be summarized in User-Centered, Game-centered, and Technology-centered.

Taxonomy 2
The second taxonomy concerns the different elements constituting the gaming platform. It includes six dimensions, as shown in Figure 3.
• Narrative, which explains to the player what has been achieved so far, the actual state of the game and the remaining steps;
• Learning steps, as described in the previous dimension;
• Guidance, which is offered if the player is not able to decide about the nature of a URL or email;
• Progress check, which controls the evolution of the game;
• Quizzes, which assess the level of knowledge gathered in each step.
Assessment: This dimension is grouped in two categories: inline if players are evaluated within the platform, and offline if players are evaluated outside the platform, for example through emails.
Hosting: This dimension presents the device on which people can install the gamified platform: desktop, smartphone or hybrid.
Simulation: Platforms simulate real scenarios of phishing to bring players closer to reality. They simulate urgency, how an email is processed by the attacker, and what vulnerabilities the potential victim exhibits while interacting with technologies.

Taxonomy 3
The third taxonomy specifies components considered by authors to evaluate gamified solutions. It includes five dimensions, as shown in Figure 4.

Survey Results
This section has two orientations. The first shows a landscape of existing gamified solutions devoted to educating people about phishing attacks, in terms of their core concepts, game mechanics and learning process. The second orientation characterizes those works within the different taxonomies.

First Step - Description of Existing Gamified Solutions
Anti-Phishing Phil: Anti-Phishing Phil (Figure 5) is a web-based anti-phishing solution devoted to teaching users good habits useful for avoiding phishing attacks [12]. The authors postulate that end users should be guided by automated systems for detecting phishing attacks. This is justified because those systems are not 100% accurate, especially when some contextual knowledge is required.
NoPhish: NoPhish (Figure 6) is an Android application dedicated to educating people about phishing by assessing, parsing and checking URLs [13]. The authors assume that smartphone users are more likely to access phishing websites than desktop users. This anti-phishing application was designed following a user-centered design approach. NoPhish has two introductory parts. The first part, referring to the game part, includes several gamification elements such as ten levels, with lives, leaderboards and achievements. The first part is dedicated to raising awareness of spoofed messages. The second part shows the user how to access the address bar and view the entire URL within the constraints of the mobile phone screen size. The authors recommend that the user scroll the address bar entirely to view the complete URL. The core game part is split into ten levels with increasing
CyberPhishing: CyberPhishing (Figures 7a and 7b) is a web simulation platform allowing researchers to dynamically build content and then a customizable experience related to phishing [14]. The idea behind this tool is that realism should pervade the user experience and immerse the user within the context. To achieve this vision, the application includes three primary interfaces which show real-world experiences. The first one is a story dashboard used as landing page. The second
users' awareness about online phishing scams [15]. The game's scenario used to educate the user is based on a real-life activity, online shopping. This game has three purposes.
The first purpose is to teach the user about phishing scams, how to protect themselves, and the importance of remaining vigilant online. The second purpose is to entertain the learner by promoting fun; this encourages the player to continue the learning process and acquire knowledge without feeling bored. The third purpose is to provoke discussion and debate among players on phishing-related topics, which helps to link the cybersecurity learning content to their real-life activities.
Players start the game virtually with a certain amount of money (a pre-paid credit card) and a list of items that they should buy. Each action yields a positive or negative outcome which affects the course of the game. The authors used cartoons to depict the game, using cards (task cards, police cards,
Phish Phinder: Phish Phinder (Figure 9) is a serious game prototype designed by Gaurav and colleagues to boost the user's confidence. It mitigates phishing attacks by providing both conceptual and procedural knowledge on phishing [3]. Users are trained through a series of gamified challenges designed to educate them about the most relevant phishing-related concepts, all within an interactive user interface (UI). The key aspect of this solution is 'self-efficacy or self-confidence', as users make better decisions when they are confident and sure of their skills and ability to deal with situations that are not difficult [31]. Unlike the first two solutions, Phish Phinder deals with the phishing email topic rather than only with URLs. Indeed, this solution introduces phishing email concepts such as the subject line, reply-to, HTML in the body of the email, and a spoofed sender name. Nevertheless, Phish Phinder is very similar to Anti-Phishing Phil. Indeed, the core game story also revolves around a small fish and its father, an experienced big fish. The young fish is named 'Johnny' rather than 'Phil' and the knowledgeable big fish is named 'Shifu'. There are also worms that the small fish should eat to become a big fish. Johnny has to take care with each worm, as it is attached to some content. This content could be a URL or an email message. There are obviously good and bad worms.
However, the authors argue that their solution differs from [12] in that it integrates self-efficacy into the game processes. An interesting aspect of this solution, as technology evolves, is that the authors present URL obfuscation techniques like URL shorteners. They do not, however, show their malicious use to deliver phishing attacks. Although Phish Phinder is still a prototype project, it presents and deals with very important phishing topics.
What.Hack: What.Hack (Figure 10) is an anti-phishing game built to teach defense methods and information security against social engineering threats. The player walks through a sequence of puzzles [16]. Each puzzle requires that the player respect a set of rules recorded in a rulebook. The
Bird's Life: Bird's Life (Figure 12) is a 2D educational game aiming to teach college students about cybersecurity [17]. Players learn about phishing attacks and anti-phishing techniques through real-world scenarios in a fun gaming context. Bird's Life is a decision-making game, where the main character is controlled using arrow keys on PC and motion controls on mobile devices. It is structured in three main levels: level one introduces the game story, in which the designers encourage the player to dive into the game. Level two gathers phishing prevention tips. The player starts with five lives, and the learning currency in this level is worms. Red worms represent phishing emails and scams, whereas grey worms represent tips that the user should collect (five grey worms collected consecutively give a tip). Rewards earned can be used to purchase health. At the end of this level, the player is expected to know exactly what to do during a phishing attack before diving into the last level.

During the last level, the player uses the knowledge acquired during the previous level to spot phishing emails. The player needs to answer four of five questions correctly to pass the level.
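The checks that NoPhish (inspecting the full URL) and Phish Phinder (subject line, reply-to, HTML body, spoofed sender name, URL shorteners) train learners to perform by eye, written as an added Python example that is not code from the paper or from either game; the allow-list, shortener list, urgency cues and sample message are constructed, and the registrable-domain rule (last two labels) is a simplifying assumption.

```python
"""Added example (not code from the paper or from NoPhish / Phish Phinder): the
checks those games train learners to perform by eye, written as functions a
trainer can use to build and verify exercise items. All URLs, headers and
keyword lists below are constructed for illustration."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"paypal.com", "example-bank.com"}          # constructed allow-list
SHORTENERS = {"bit.ly", "tinyurl.com"}                # short illustrative list
URGENCY = ("urgent", "within 24 hours", "suspended")  # constructed cue words

def registrable_domain(host):
    # Assumption: the last two labels; a production checker would consult the
    # Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    return ".".join(host.lower().split(".")[-2:])

def brand_in(text, trusted=TRUSTED):
    """First trusted brand name (left-most label) mentioned in text, else None."""
    for domain in sorted(trusted):
        if domain.split(".")[0] in text.lower():
            return domain.split(".")[0]
    return None

def check_url(url, trusted=TRUSTED):
    """Cues a learner should notice in a URL; an empty list means nothing flagged."""
    # Browsers assume http:// when the scheme is missing; mirror that.
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops userinfo before '@' and the port, so it is the host the
    # browser really connects to: 'paypal.com@evil.example' -> 'evil.example'.
    host = (parts.hostname or "").lower()
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    reg, brand = registrable_domain(host), brand_in(host, trusted)
    if reg not in trusted and brand:
        findings.append(f"'{brand}' appears in the host but the registrable domain is {reg}")
    return findings

def check_email(raw, trusted=TRUSTED):
    """Header cues Phish Phinder introduces (spoofed sender name, Reply-To,
    HTML body) plus the urgency cue the surveyed simulations reproduce."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    brand = brand_in(name, trusted)
    if brand and registrable_domain(from_dom) not in trusted:
        findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if msg.get_content_type() == "text/html":
        findings.append("HTML body: visible link text can differ from its target")
    if any(cue in msg.get("Subject", "").lower() for cue in URGENCY):
        findings.append("subject uses an urgency cue")
    return findings

# Constructed sample message that combines all four header cues.
SAMPLE_EMAIL = """\
From: "PayPal Support" <alerts@secure-login.example>
Reply-To: collect@evil.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body><a href="http://paypal.com@evil.example/">paypal.com</a></body></html>
"""
```

Running `check_url` over a batch of exercise URLs and `check_email(SAMPLE_EMAIL)` gives the list of cues a learner was expected to spot, which can be compared against their answers.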

Second Step - Classification of Proposals in Taxonomies
1) Classification according to the characterization of the game: Table 3
2) Classification according to the structure of the gamified platform: Table 4 classifies the different approaches into dimensions related to the structure of the gamified platform. Authors insert mechanics such as points (75%), rewards (75%), interaction mechanisms between learning materials and the platform (50%), and leaderboards (12.5%). We see that those mechanics exist to engage and motivate the player along the game. They help to gamify non-gaming educational environments. Most gamified solutions start by describing phishing concepts, then ways to avoid phishing and tips to
3) Classification according to game evaluation: Table 5
show its contribution to others. This evaluation phase has not been done by others.

Discussions and Open Issues
Some points are relevant to discuss and to explore.

Discussions
We to conduct other illegal activities. It is found that solutions educate only on the attack phase. This is therefore a partial education. Participants are evaluated within a short period and they know that they are being evaluated. This approach is predictable and predisposes learners to guess the responses.

Further Research
Some open issues for further research are the following.
• Game theory: Game theory is useful for designing a game and the interactions between different players. We believe that research should look into building games that predict future phisher or defender intents based on simulated scenarios. This information is interesting because it helps to think like the attacker.
• Extracting similarities: There are similar and different features across gamified solutions. Applying software product line techniques could give good support from which new products can be assembled. Research could therefore provide anti-phishing gamified products for different classes of customers: students or company employers.
• Association with intelligent detection solutions: Attackers develop sophisticated phishing attacks as technology evolves. This also requires adapted solutions, which sometimes include artificial and computational intelligence. Gamified and up-to-date modules should be inserted in such solutions to teach administrators about new phishing vacuums when they deploy detection solutions in the network.
• Crowd-gamification: Authors should design gamified solutions involving collective intelligence, meaning that people across the cloud could participate in educating about phishing experiences and countermeasures.
• Multiple players: We believe that solutions with multiple players are closer to reality and can help to strengthen learning situations.
• Multi-step education: Authors of gamified platforms should educate users about each phase of phishing.
• Unpredictable game: Developers should insert the game into the normal communication activities of the learner, such that they do not know that incoming messages or mails are related to the game. The evaluation could therefore take place over a long period and be repeated. To achieve this, various sets of simulated phishing scenarios must be designed and updated over time.

Conclusion
This paper investigated gamified solutions applied to phishing education. While much research using the gamification approach has been conducted in cybersecurity in general, none of it was dedicated to phishing. Therefore, we presented eight main anti-phishing solutions which use game mechanics to motivate players to remain engaged throughout the learning process. These solutions are not equivalent with respect to the game mechanics, the type of gamification structure and the level of

Author Contributions
Franklin Tchakounté performed formal analysis and proposed the research design and taxonomies; Leonel Kanmogne Wabo collected data and proposed a summary of the papers; Marcellin Atemkeng provided technical review and edited the manuscript.
E.S. conducted formal analysis and drafted the manuscript, S.K. developed the concept of the study, directed the analysis, provided technical review, and edited the manuscript, and P.T. collected data and performed descriptive analysis of this study.

Conflicts of Interest
The authors declare no conflict of interest.