Involving Users in the Design of a Serious Game for Security Questions Education

When using security questions most users still trade-off security for the convenience of memorability. This happens because most users find strong answers to security questions difficult to remember. Previous research in security education was successful in motivating users to change their behaviour towards security issues, through the use of serious games (i.e. games designed for a primary purpose other than pure entertainment). Hence, in this paper we evaluate the design of a serious game, to investigate the features and functionalities that users would find desirable in a game that aims to educate them to provide strong and memorable answers to security questions. Our findings reveal that: (1) even for security education games, rewards seem to motivate users to have a better learning experience; (2) functionalities which contain a social element (e.g. getting help from other players) do not seem appropriate for serious games related to security questions, because users fear that their acquaintances could gain access to their security questions; (3) even users who do not usually play games would seem to prefer to play security education games on a mobile device.