myREACH: a serious game for measuring security awareness about ransomware

Abstract

Today, raising security awareness among users is one of the most effective preventive cybersecurity strategies. Generally, the current level of security awareness in the organization is measured through standard questionnaires. However, this method suffers from poor participant engagement and low precision due to the explicit evaluation and misunderstandings of the questions. To address these issues, we present a serious video game called “myREACH” to measure the player’s security awareness about ransomware. To the best of our knowledge, this is the first attempt to develop a serious game for measuring security awareness. myREACH has been compared to the standard questionnaire for measuring security awareness about ransomware, known as RSAM. The results obtained from a sample of 172 participants indicate that, in 3 out of 9 categories, the game and questionnaire measurements yield similar results. However, in 5 out of 9 categories, the game measurement is superior. For the remaining category, it is inconclusive whether the game or questionnaire assessment is better. Furthermore, self-report measurements indicate that the temporal and mental demands of playing myREACH and completing the RSAM are the same. The overall performance during playing myREACH is 9% better than completing the RSAM, and participants are 15% more satisfied with the game compared to the questionnaire. © The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2024.