
arxiv: 2604.14996 · v1 · submitted 2026-04-16 · 💻 cs.CR

ConGISATA: A Framework for Continuous Gamified Information Security Awareness Training and Assessment

Pith reviewed 2026-05-10 10:58 UTC · model grok-4.3

classification 💻 cs.CR
keywords: information security awareness · gamification · mobile sensors · continuous training · social engineering · passive risk · cybersecurity · behavior adaptation

The pith

ConGISATA uses continuous gamified training and mobile sensors to improve information security awareness.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper presents ConGISATA, a framework for ongoing gamified training in information security awareness that relies on sensors built into mobile devices. The sensors follow a taxonomy designed to assess users' security behaviors, allowing the system to detect issues and provide feedback in real time. By making users confront their passive risks—such as neglecting to secure information—the framework aims to encourage better habits through game-like elements. The paper's evaluation reports improvements in the sensor-based ISA scores and better results when users face simulated attacks. If this holds, it offers a practical way to address the human element in cybersecurity without relying solely on one-time training sessions.

Core claim

The central discovery is that the ConGISATA framework, built around continuous and gradual gamified training with embedded mobile sensors, enables users to learn from real-life mistakes and adapt their behavior. It specifically transforms passive risk situations, where people fail to act, into active risk situations that users are more likely to address. The authors' evaluation demonstrates that this approach improves individuals' information security awareness both according to the sensor measurements and in simulations of common attack vectors.

What carries the argument

ConGISATA: a continuous gamified ISA training and assessment framework using mobile sensors designed from a taxonomy of security awareness to turn passive risks into active ones.

If this is right

  • Users show measurable improvement in information security awareness through the sensor-based assessments.
  • Participants exhibit better performance when encountering simulated social engineering attacks.
  • The continuous nature allows adaptation based on actual daily behaviors rather than hypothetical scenarios.
  • Passive risks are reframed as active concerns, countering the tendency to underestimate them.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Longer-term studies could test if the observed improvements persist and translate to fewer real-world incidents.
  • Organizations might combine this with other security measures for broader protection against human-targeted attacks.
  • The sensor taxonomy could inspire similar continuous assessment tools in related fields such as data privacy awareness.

Load-bearing premise

The mobile sensors designed from the taxonomy accurately reflect true security awareness, and the improvements seen in training lead to lasting changes that lower actual attack success rates.

What would settle it

Tracking whether individuals who undergo the ConGISATA training experience fewer successful social engineering attacks in their daily use compared to a control group over several months.

Figures

Figures reproduced from arXiv: 2604.14996 by Asaf Shabtai, Ofir Cohen, Rami Puzis, Ron Bitton.

Figure 1: The ConGISATA security awareness training and assessment framework

Figure 2: Illustration of the different challenges

Figure 3: Average passive score deltas per group over time

Text accompanying Figure 3 in the paper: In this study we address the following three research questions: RQ1: Can our framework improve users' passive ISA score, as measured by the mobile ISA taxonomy? If so, how does it compare to the baseline method? First, we analyzed the passive score deltas and examined each criterion individually

Figure 4: Active score over time

Text accompanying Figure 4 in the paper: RQ2: Does ConGISATA help users improve their active ISA score, as measured using the challenges? If so, how does it compare to the baseline method? We analyzed the active score over time. Similar to other ISA training methods, the baseline method uses

Figure 5: Correlation between the number of views of the learning screen and passive score delta

Text accompanying Figure 5 in the paper: RQ3: Does increased use of our framework correlate with greater improvement in passive behavior? We logged every view of each of the app's screens and looked for a correlation between views and behavioral change. As expected, the most significant Pearson correlation was found between the number of views of the learni…

Figure 6: Average score deltas for the groups per criterion, as a function of the
Original abstract

The incidence of cybersecurity attacks utilizing social engineering techniques has increased. Such attacks exploit the fact that in every secure system, there is at least one individual with the means to access sensitive information. Since it is easier to deceive a person than it is to bypass the defense mechanisms in place, these types of attacks have gained popularity. This situation is exacerbated by the fact that people are more likely to take risks in their passive form, i.e., risks that arise due to the failure to perform an action. Passive risk has been identified as a significant threat to cybersecurity. To address these threats, there is a need to strengthen individuals' information security awareness (ISA). Therefore, we developed ConGISATA - a continuous gamified ISA training and assessment framework based on embedded mobile sensors; a taxonomy for evaluating mobile users' security awareness served as the basis for the sensors' design. ConGISATA's continuous and gradual training process enables users to learn from their real-life mistakes and adapt their behavior accordingly. ConGISATA aims to transform passive risk situations (as perceived by an individual) into active risk situations, as people tend to underestimate the potential impact of passive risks. Our evaluation of the proposed framework demonstrates its ability to improve individuals' ISA, as assessed by the sensors and in simulations of common attack vectors.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript proposes ConGISATA, a continuous gamified framework for information security awareness (ISA) training and assessment built on a taxonomy of mobile users' security awareness to design embedded mobile sensors. It emphasizes gradual, real-life mistake-based learning to convert perceived passive risks into active risks, with the central claim that evaluation demonstrates improvement in individuals' ISA as assessed by the sensors and in simulations of common attack vectors.

Significance. If the evaluation holds, the framework could provide a practical method for ongoing ISA training that uses mobile sensors for passive monitoring and gamification to target passive risks in cybersecurity. This has potential to improve user behavior and reduce social-engineering attack success rates, offering a contribution to continuous awareness programs beyond one-time training.

major comments (2)
  1. Abstract and Evaluation section: The claim that evaluation demonstrates improvement in ISA supplies no information on participant numbers, control conditions, statistical tests, sensor validation against real behaviors, or post-hoc analysis handling, rendering the central claim unverifiable from the provided details.
  2. Evaluation and Framework sections: The assessment relies exclusively on internal sensor scores and framework-internal simulations without external ground-truth data (e.g., logged phishing clicks, permission grants, or incident reports) linking sensor deltas to reduced real-world attack success; this leaves unaddressed whether improvements persist outside the gamified setting or translate to actual behavior change.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback on our manuscript. The comments have highlighted important areas where additional clarity and transparency are needed. We address each major comment below and describe the revisions we will make to strengthen the paper.

Point-by-point responses
  1. Referee: Abstract and Evaluation section: The claim that evaluation demonstrates improvement in ISA supplies no information on participant numbers, control conditions, statistical tests, sensor validation against real behaviors, or post-hoc analysis handling, rendering the central claim unverifiable from the provided details.

    Authors: We agree that the evaluation details require expansion for verifiability. In the revised manuscript, we will update both the abstract and the Evaluation section to explicitly report the number of participants, describe any control conditions employed, specify the statistical tests used (such as pre-post paired comparisons), explain the validation process of sensor metrics against observed user behaviors during the study, and outline the post-hoc analysis procedures. These additions will directly support and make verifiable the claim of ISA improvement. revision: yes

  2. Referee: Evaluation and Framework sections: The assessment relies exclusively on internal sensor scores and framework-internal simulations without external ground-truth data (e.g., logged phishing clicks, permission grants, or incident reports) linking sensor deltas to reduced real-world attack success; this leaves unaddressed whether improvements persist outside the gamified setting or translate to actual behavior change.

    Authors: We acknowledge this as a valid limitation of the current evaluation design. The study prioritizes demonstrating the framework's internal mechanisms and initial effectiveness via sensor scores and controlled attack simulations. In the revision, we will add a new subsection in the Evaluation or Discussion section that explicitly discusses this gap, including the absence of external ground-truth linkages and the open question of persistence and real-world translation. We will also outline planned future work involving longitudinal studies with real-world metrics. This will clarify the scope of the present claims without overstating them. revision: partial

Circularity Check

0 steps flagged

No circularity: framework and evaluation are independently described with no self-referential derivations or fitted predictions

full rationale

The paper presents ConGISATA as a framework whose sensors are designed from an external taxonomy and whose evaluation uses those sensors plus separate simulations of attack vectors. No equations, parameter fitting, or 'predictions' appear that reduce by construction to the inputs. The central claim of improved ISA is assessed via the framework's own metrics, but this is a standard internal evaluation rather than a load-bearing self-definition or renamed result. The derivation chain is self-contained and does not invoke self-citations for uniqueness or smuggle ansatzes. This matches the default expectation of no significant circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

Only abstract available, so ledger is limited to high-level assumptions visible in the text; main unstated premises concern the accuracy of sensor-derived awareness scores and the effectiveness of gamification for behavior change.

axioms (2)
  • domain assumption: Gamification combined with continuous real-world feedback improves security awareness and reduces passive risk behavior.
    Invoked to justify the training mechanism and the transformation of passive risks into active ones.
  • domain assumption: Mobile sensors can be designed from a taxonomy to reliably assess information security awareness.
    Basis for the sensor design and the evaluation metrics.
invented entities (1)
  • ConGISATA framework (no independent evidence)
    purpose: Continuous gamified ISA training and assessment using embedded mobile sensors
    Newly proposed system whose independent evidence rests on the paper's own evaluation.


