Factors Influencing Players’ Susceptibility to Social Engineering in Social Gaming Networks

Social gaming networks have become a new phenomenon, especially for young people, who may become addicted to some extent. However, this phenomenon also increases their susceptibility to hacking, cyber-attack, and other types of security breaches. Various studies have found that current technology is inadequate in terms of online security. Thus, researchers have started to pay attention to the human aspect of security, which is based on interactions with strangers who may trick other gamers into revealing personal or financial information, that is, social engineering. There is little in the social gaming network literature to help players, researchers, and organizations to address the human aspect of online security, and thus there is a need to investigate the factors affecting this aspect of security. The current study aims to identify the factors influencing social engineering victimization in social gaming networks. The model developed in this study is based on the health belief model and cooperation and competition theory. The results show that the perceived severity of the threat, perceived barriers, perceived benefits, self-efficacy, competition, and cooperation are significant factors in the prediction of social engineering victimization.


I. INTRODUCTION
Social games enable people to enjoy interacting with both friends and strangers, and online gaming has created significant social networks over the last decade. A 2015 US survey found that 72% of teenagers played games, 75% of them online, and of those, 54% only played with friends online, while 52% also played with strangers online [1].
Social gaming networks (SGNs) are defined as computer networks that are simultaneously inhabited by multiple players for the purpose of playing games. As SGNs are Internet-based and offer people the opportunity to interact with others and exchange information, they significantly increase people's susceptibility to various types of threats. Greenhill [2] found that 55% of players had experienced, either directly or indirectly, some form of victimization while playing games online.
Security threats in relation to online gaming include two types: human threats, which are based on interactions with strangers who may trick others into revealing per-The associate editor coordinating the review of this manuscript and approving it for publication was Chunsheng Zhu . sonal or financial information (so-called social engineering); and technology-based threats, which are based on computer programs including viruses, Trojan horses, worms, and spyware [3].
The most significant security threats are posed by social engineering [4]- [7], which is ''a term used to describe how one person persuades another person to access confidential information or to give them the information that they want'' [6]. However, although the term itself is brief and straightforward, social engineering is clever and complex in nature. There are some circumstances in which victims have little time to think, such as instances of attention blindness or situations where their anger or stress enable social engineers to exploit them using tactics designed to obtain their trust, such as pretending to help the victim so that they can obtain the desired information [4].
Social engineering in SGNs is a serious problem in terms of information security, and developers and designers of software applications are continually working to address this issue. However, at present there is little to help players, researchers, and organizations in addressing the problem because the underlying factors have not yet been thoroughly VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ investigated. Most studies on SGNs have focused on security and cyber-attacks related to software architecture, violent content, virtual property, cheating, and modifying game software or networks [8]- [10]. Because technology alone is insufficient to ensure the security of players, researchers have realized that it is necessary to consider the human aspect of security [11]. Identifying and understanding the human factors that lead players to fall victim to social engineering will support awareness raising and training programs for players and society in general, and the optimization of detection software to provide advanced solutions, as well as enabling future studies to identify better solutions and mitigate social engineering attacks in SGNs.
In this study, we aim to identify the factors influencing players' behavior in response to social engineering victimization and to identify the relationships among cooperation, competition, and social engineering victimization.
The rest of the paper is organized as follows. Section 2 presents a review of the relevant literature, Section 3 discusses the theoretical background and presents several hypotheses, Section 4 explains the methodology, Section 5 tests the hypotheses and reviews the results, and Section 6 concludes with a discussion of the results and a summary of the contributions and limitations of this study.

II. LITERATURE REVIEW
Several studies have investigated social engineering in social networks. For example, Alqarni identified various types of social engineering attacks on social networking sites, along with the objectives of those attacks and the reasons why various individuals fell victim to such attacks. The results showed that the main tool used in social engineering is impersonation [12]. Albladi also examined the factors causing users to be more susceptible to social engineering attacks including their online habits, personality traits, and demographics [13]. Another study found that users who are highly active on social networking sites are more susceptible to attack than less-active users [14]. A study investigating how social networking habits can influence users' vulnerability to attacks found that victimization through social engineering can be predicted based on the degree of social media usage, which has a significant influence on the likelihood of an individual being attacked [15].
Although some researchers have studied social engineering in relation to social networks, social gaming environments involve different behaviors and methods of social engineering attacks than general social networking sites, leaving players even more vulnerable to social engineering attacks. For example, in a game-playing situation involving cooperation, research suggests that players fail to adequately check about 95% of the emails they receive, trusting them implicitly if they appear to have been sent by a friend [16]. Moreover, Waddell and Peng found that players do not appear to differentiate between friends and strangers with regard to in-game collaboration [17]. Several studies [18]- [20] have found that cooperative game-playing situations lead players to erroneously help, share information with, or trust other people more than they would do otherwise. Furthermore, studies have found that a player's reputation can significantly improve the level of cooperation they receive. Influential players are more able to persuade other players [21], [22]. Thus, other players' susceptibility to social engineering victimization increases [6], [23].
Most social networking sites provide their services for free (e.g., Twitter, Facebook, and Snapchat). However, most SGNs charge players a fee to download or play a game. Furthermore, the prices of some of the games are relatively high. In 2010, the Pew Research Center found that 65% of Internet users had paid money to download or access digital content, while only 19% had paid for online games [24]. This has created the temptation for players to think about stealing money from other players' accounts so that they can purchase and play new games. In addition, it may cause potential players who cannot afford the price of a game to fall victim to phishing attacks when they try to access games from fake websites that are offering the games for free.
Most online gaming sites have online stores, and players' gaming accounts are usually connected to their payment information. Once an attacker obtains access to a player's account, the attacker can obtain the player's credit card information and even make use of any account balance (or games that have been paid for). Attacks have also occurred in relation to trading of games when there has been no security mechanism in place toprotect players. Players often like to exchange games, but some players have not had their games returned. It was reported that one person earned around US$11,000 through this type of behavior by accepting money from players but not sending any games [9]. This results in both a financial impact and a psychological impact on players who have behaved honestly.
This study focuses on players' behavior in response to social engineering attacks, with the aim of increasing players' knowledge and security while using SGNs. We attempt to predict players' susceptibility to falling victim to a social engineering attack in an SGN based on behavioral factors and to identify the relationships among competition, cooperation, and susceptibility to social engineering attacks.

III. THEORETICAL BACKGROUND AND HYPOTHESES A. HEALTH BELIEF MODEL (HBM)
Numerous studies have applied theories from the healthcare domain to the investigation of information security [25]- [27]. ''The health belief model (HBM) is a model that attempts to predict and explain behavioral intentions or the likelihood of an individual's behavior'' [28]. The HBM contains four core constructs. The first is dependent on two beliefs regarding threats, namely, the perceived severity of threats and perceived susceptibility to threats. The second involves evaluating behavior, which is dependent on the perceived benefits of preventing threats through specific behaviors and the perceived cost of the preventive behavior. The third construct, which is a recent addition, involves cues to action. Cues to action include a diverse range of triggers such as security education and advice from others. The fourth construct is selfefficacy, which is defined as a user's confidence in his or her ability to undertake a specific behavior [28], [29].
Studies on security-related behavior investigating the perceived severity of and susceptibility to threats have produced inconsistent findings. Workman found that people's perceptions of the severity of the threat and their susceptibility to threats affected their responses to a social engineering threat [23], while other studies have found that perceived susceptibility to a threat has a significant impact on behavior, although the perceived severity of the threat does not [25], [30], [31]. Conversely, Tsai found that the perceived severity of a threat was a significant predictor of behavior intended to enhance online safety, while perceived susceptibility to a threat was not [32]. Despite these contradictory findings, the general consensus among researchers is that both perceived susceptibility to threats and the perceived severity of threats have a positive impact on behavior designed to increase players' security. Therefore, in this study, we assume that at least one of these factors influences players' behavior in response to the possibility of social engineering attacks. Thus, the following hypotheses are proposed in relation to the abovementioned constructs: H1: the perceived severity of a threat in an SGN is negatively correlated with social engineering victimization.
H2: the perceived susceptibility to a threat in an SGN is negatively correlated with social engineering victimization.
Perceived barriers are a significant factor in reducing behavior aimed at mitigating threats to players' security [30], [31]. These include the perceptions that exercising security measures while playing the game is time-consuming and that anti-phishing software will affect performance. Therefore, there is a high probability of a social engineering attack in an SGN environment. Thus, we propose the following hypothesis: H3: the level of perceived barriers to online games-related security is positively correlated with social engineering victimization.
The perceived benefit construct used in this study aims to determine to what degree a player agrees to exercise securityrelated behavior to protect them from social engineering threats. Thus, we propose the following hypothesis: H4: the perceived benefit of online games-related security behavior is negatively correlated with social engineering victimization.
Most previous studies have found that individuals with a high level of self-efficacy are extremely cautious about making online payments, and thus make very few payments. These studies have concluded that self-efficacy is a vital element in mitigating risky online behavior [25], [26], [33], [34]. In this study, we expect that a player with a high level of selfefficacy is likely to follow the recommended security-related behaviors while playing online games and respond positively to the necessary security measures. Therefore, we propose the following hypothesis: H5: self-efficacy in SGNs is negatively correlated with social engineering victimization.
In the HBM, cues to action can include both external triggers such as knowledge of other individuals experiencing security issues, security awareness programs, and media alerts regarding security vulnerabilities, and internal triggers such as previous experience of the problems that can occur [26], [35]. While cues to action may be important, to date there have been few studies focusing on this topic [30]. However, Dodel found that previous experiences are directly linked to preventive behaviors [35]. Thus, in this study, we aim to determine whether cues to action affect players' responses to social engineering attempts. Thus, we propose the following hypothesis: H6: Cues to action in SGNs are negatively correlated with social engineering victimization.

B. COMPETITION AND COOPERATION THEORY
A key element in understanding the nature of cooperation and competition is the type of goal interdependence that is identified among players. Goals may exhibit negative interdependence, that is, one player's success may correlate with the other's failure. Such situations tend to involve competitive relationships with a win-lose orientation. Alternatively, goals may exhibit positive interdependence, where the success of one player is correlated with the success of another, while failure of one is correlated with failure of the other. These situations tend to involve cooperative relationships with a win-win orientation [8], [36].
Cooperation is induced by perceived similarities in relation to beliefs and attitudes, a willingness to be helpful, openness in communication, and a trusting, friendly attitude [36], [37]. Thus, it can be seen that there is a positive correlation between cooperation and susceptibility to social engineering victimization. Numerous studies such as [18]- [20] have found that trust is the key to cooperation, whereas other studies have found that trust is a key factor in social engineering success [4], [23]. Thus, it is expected that some players will respond to deceptive behaviors. Therefore, we propose the following hypothesis: H7: Cooperation in SGNs is positively correlated with social engineering victimization.
The opposite effect can be seen in relation to competitive situations because it is difficult to maintain trust in communications between competitors [38]. Previous studies have found that competition is associated with very little information, as it almost completely eliminates the element of trust [39], [40]. Thus, we propose the following hypothesis: H8: Competition in SGNs is negatively correlated with social engineering victimization.

A. SCALE DEVELOPMENT AND TESTING
A quantitative approach was used to test the eight hypotheses. This is the most frequently used approach in the field of VOLUME 8, 2020 information systems [41]. Pre-test items relating to the HBM and competition and cooperation theory were developed to address the research items and guide the survey question design. Pre-existing scales were used in most of the scenarios. The scales developed in earlier studies have been verified for reliability and validity, although we tested them again prior to our analysis.
To extract a better measure, the strategy recommended by Churchill and Dedic has been followed [42]. The first step in their strategy involves specifying the construct domain. In this study, we reviewed the literature in relevant disciplines such as health, information technology, psychology, sociology, behaviorism, and human communication to discover any potentially essential constructs. It was found that the concepts of the HBM and competition and cooperation theory have been conceptualized and operationalized for various purposes using different samples and populations in fields other than our area of interest. The second step involves refinement of the item sample, whereby a sample of items is chosen from the initial pool. The challenges at this point are related to adjusting these concepts to fit the background and context of information security and social engineering attacks while retaining item validity.
The Delphi method was used to test and develop the items while reducing the error factor and make the questions more specific to SGNs. The items are shown in Table 1. A fivepoint Likert scale was used to measure responses to all of the items and SPSS version 25.0 statistical software was used to analyze the data.

B. PILOT STUDY
A pilot study was conducted to test the measurement scale before undertaking the main study. The purpose of the pilot study was to validate the measurement scale for every factor related to social engineering in SGNs. The experimental design and procedures for the pilot study were similar to those of the main study, although the participant selection strategy differed. The participants in the pilot study were selected based on convenience and their willingness and ability to participate. Thirty participants completed the survey, of which 60% were male and 40% were female. All of the participants in the pilot study were from Saudi Arabia. Analysis of the data from the pilot study showed that in terms of reliability, Cronbach's alpha was 0.79, as shown in Figure 1.

C. APPROACH AND SAMPLE
In the online gaming environment, most gamers are members of social networks and know each other, especially the famous players. Thus, the snowballing method is the best approach. The online survey was distributed through these groups via their accounts on various social networking sites (e.g., Instagram, WhatsApp, Twitter, and Facebook). In the Twitter application, we asked famous Saudi gamers to support the study by completing the survey and then retweeting it to other players' accounts. We also sent the survey directly to players' private statements with the request that they dis- tribute it to other players. We received 302 responses, all from Saudi Arabia.

V. DATA SCREENING AND FACTOR ANALYSIS
We commenced our analysis by addressing all of the requirements of structural equation modeling (SEM) including limited missing values, freedom from extreme outliers, lack of significant distortion by specific groups, and assumptions of normality and linearity. Then, we computed the reliability of the scales using Cronbach's alpha.
As shown in Table 2, factor analysis revealed nine factors with an eigenvalue of 1 or greater and the minimum Cronbach's alpha value was 0.70. The overall Kaiser-Meyer-Olkin measure of sampling adequacy was 0.76 (P < 0.0001), and the total variance was 1.2. The overall reliability of the items used in the survey based on Cronbach's alpha was 0.72.

VI. TESTING THE HYPOTHESES
The hypotheses proposed the existence of negative correlations between social engineering victimization and the perceived severity of the threat, perceived susceptibility to threats, perceived benefits, cues to action, self-efficacy, and competition, while they proposed a positive correlation between susceptibility to social engineering victimization and perceived barriers and cooperation.
To improve validity and provide further explanation of the impacts of the various factors involved in the hypotheses, multiple regression analyses were undertaken using SPSS. The model included a dependent variable, namely, social engineering victimization, and eight independent variables, namely, perceived severity, perceived susceptibility, perceived barriers, perceived benefits, cues to action, selfefficacy, competition, and cooperation.
In addition, it was important to examine how well the model was fitted using plot diagrams. Figure 2 shows that the data were normally distributed, while the scatter plot in Figure 3 shows that there was a high linear correlation and close relationship between social engineering victimization and most factors (perceived severity of threats, perceived barriers, perceived benefits, self-efficacy, competition, and cooperation).  The coefficients are presented in Table 3. It can be seen that perceived barriers was the strongest predictor (β = 0.540, p < 0.0001), followed by perceived severity of threats (β = −0.208, p < 0.0001), competition (β = −0.146, p < 0.01), self-efficacy (β = −0.136, p<0.01), cooperation (β = 0.135, p < 0.01), and perceived benefits (β = −0.122, p < 0.01). Neither perceived susceptibility nor cues to action were significant predictors of social engineering victimization (p > 0.05).

VII. STRUCTURAL MODEL FIT ASSESSMENT
SEM is a multistep technique that is used to assess the validity of a theoretical model by evaluating the relationships between the constructs in such a model, while taking into account measurement errors during statistical analysis [50]. SEM is considered to be an extension of multivariate statistical methods such as regression analysis.
In this study, SEM involved two main tasks. The first task was addressing the data requirements, as explained in Section V, while the second task was examining the goodness VOLUME 8, 2020 of fit of the model [51]. The model assessment process included examining the standardized path coefficients of the relationships included in the model and examining the model fit indices [50].
The results of the testing of the final model using SPSS AMOS are shown in Figure 4. All correlation coefficients were significant predictors of susceptibility to social engi-   neering, supporting six of the hypotheses. Further assessment was undertaken regarding the goodness of fit. The model appears to display good fit, with the minimum discrepancy (chi-square, χ 2 ) divided by the degrees of freedom (df) < 5.0, the comparative fit index = 0.90, the incremental fit index = 0.902, and the root mean square error of approximation = 0.04. These values satisfy the requirements of SEM [50] and are presented in Table 5.

VIII. DEMOGRAPHIC ANALYSIS
In this section, we examine the relationship between the players' demographics and social engineering victimization by measuring players' overall susceptibility to social engineering victimization. The results presented in Table 6 show  that gender has a significant effect on susceptibility to social engineering victimization (p = 0.002), with ANOVA analysis showing that males are more susceptible to social engineering than females (mean for females = 3.33 and mean for males = 3.73).

• Summary of Results
In this study, we investigated the factors that are associated with susceptibility to social engineering victimization in SGNs. The components of the proposed model are derived from the HBM and competition and cooperation theory. Eight hypotheses were proposed and tested, and six were found to be supported.
The results showed a significant relationship between perceived severity of threats and social engineering victimization. Of the other factors, perceived barriers were the most significant predictor of social engineering victimization. Perceived benefits were also found to have an influence on responses to social engineering attacks.
There was a significantly negative relationship between self-efficacy and susceptibility to social engineering victimization, supporting the findings of most of the previous studies on online security behavior [25], [26], [29]. Our findings also indicate that both cooperation and competition have a significant relationship with social engineering victimization.
Conversely, perceived susceptibility and cues to action did not have a significant impact on susceptibility to social engineering victimization. Inconsistent findings and unexpected results are common in studies related to virtual environments such as SGNs, with one study finding that individual behavior on social networking sites differs from that displayed in realworld situations [52]. However, the unsupported hypotheses require further investigation, and present opportunities for future research.

• Contribution
In this study, we investigated the relationship between falling victim to social engineering attacks in a new environment such as SGNs, which exhibit different characteristics to other social networks. We applied two important theories (the HBM and cooperation and competition theory), which have been developed in different disciplines, to a crucial problem in relation to online information security, namely, social engineering in SGNs.
This study makes a significant contribution to the literature in several fields including information systems, information science, and cybersecurity. In terms of user susceptibility, several information systems studies have investigated individuals' susceptibility to security victimization using various theories and techniques, such as protection motivation theory (e.g., [53]- [55]), electroencephalography (e.g., [56]), technology threat avoidance theory ( [57]), and routine activity theory (e.g., [58]). This study contributes to this stream of research by identifying the impact of players' susceptibility to social engineering victimization in a new environment, namely, SGNs.
In addition, this study makes a significant contribution by providing increased understanding of and a possible solution to a serious problem in the field of information security. Players have been found to be extremely vulnerable to falling victim to various social engineering threats including phishing, clickjacking, pretexting, financial abuse, and identity theft.
Furthermore, this study is unique in pinpointing the high level of threat presented by social engineering in SGNs. The findings of this study can be used in conjunction with the findings of previous studies to address social engineering victimization issues.
Automated tools have been established and promoted to alert users to potentially fraudulent websites and emails, but even though these tools are useful, social engineering continues to occur. Tools and software are not sufficient to protect people from online social engineering attacks. They can prevent frequent technical attacks, but not social engineering attacks. One study used 200 verified phishing URLs from two sources and 516 legitimate URLs to test the effectiveness of 10 popular anti-phishing tools and found that only one tool was able to consistently identify more than 90% of phishing URLs correctly. However, it also incorrectly identified 42% of legitimate URLs as phishing URLs. Of the remaining tools, only one correctly identified more than 60% of phishing URLs from both sources [59]. Moreover, another study found that 97% of the participants in our experiment were successfully deceived by at least one of the phishing messages that we sent them. When they issued a ''passive warning,'' only one participant heeded the warning [60]. The findings of our study will help to identify the best solution to the problem of social engineering attacks by identifying the factors affecting people's susceptibility to these attacks.
The results of this study are important for organizational policy makers who aim to control insider threats based on theoretical knowledge. Many organisations allow their employees to use SGNs while at work. While it is important for organisations to utilise technical security defences, the result of this study shows that it is more important to utilise behavioural defences and improve employees' capabilities to defend against such attacks. For example, the results of this study showed that enhancing employees' perceived severity of social engineering threat, and perceived barriers, can help in improving employees' capabilities to defend against social engineering. Enhancing employees' perceived severity of social engineering threat, and perceived barriers can be done through raising employees' awareness, which can be done using training, brochures, and others tools.
In addition, organisations are recommended to have a set of policies that control how employees use SGNs while at work, and they should consider the factors that have been highlighted in this study when making policies. Those factors have been found to be very influential on users' decisions to accept or reject threats. Furthermore, auditing and testing have also been suggested as important countermeasures to address human vulnerabilities. Organisations are encouraged to use the factors that have been found in this study when testing their employees' abilities to react to social engineering tricks.
The findings of this study have also a number of important implications for individuals, parents, educators, and SGNs providers. For example, individuals are advised to use the results of this study, especially the results of the competition and cooperation situations, in order to determine their special vulnerabilities. In addition, the results of this study indicate that it is useful for parents to enhance children's perceived cost, in comparison to perceived benefit, when dealing with strangers in SGNs. The findings of this study will also be helpful in deriving a set of best practices such as SETA programs and computer monitoring, which have been identified the best way to avoid or mitigate human-based information security incidents [61]. Educators are encouraged to take the results of this study in considerations, and provide guidelines and specific educational curricula that address children and youth safety in SGNs. Finally, SGNs providers are encouraged to promote the usage of some online games to help show children how to make responsible decisions about online communication and learn about key issues of digital world. Online activities can include exploration of methods of communication in chat rooms, social gaming networks, and emails.