The security of computer systems often relies on the actions or decisions of the end users. However, users tend to perform poorly at security tasks or fail to comply with security instructions. This is evident from, for instance, users’ poor handling of passwords, falling for phishing and other social engineering attacks, and not heeding security warnings. As a result of such a human attitude towards security, even theoretically sound security solutions have often failed to provide much security in practice.

To address this dilemma, Prof. Nitesh Saxena and his research group, SPIES, is exploring a new paradigm they call “Playful Security” — the use of intuitive games or game-like constructs, and game elements to make security tasks fun and entertaining for the users. This is dubbed the Tom Sawyer Effect after a popular incident in Mark Twain’s literary classic, The Adventures of Tom Sawyer.  In this incident, the boy Tom is punished to paint a fence on his day off. To escape his plight, the clever Tom treats the task as fun rather than resenting it. Upon observing his delight, his friends insist that they be given an opportunity to paint the fence so that they can enjoy it as well. Much in the same way that Tom convinces his friends to complete what would otherwise be considered an uninteresting job by treating it as a game, the SPIES researchers seek to better (extrinsically) motivate the users during security operations by making these operations enjoyable.

This work is funded in part by a recent Google Research Award.

More info: http://spies.cis.uab.edu