Understanding "on the go" learnability of currently popular MMO games 

Learnability determines whether players will return to play a game, or adopt the game. How do upwards of 5 million daily players, not necessarily previous gamers, learn how to play popular games like PUBG and Fortnite without a tutorial? (MMO: Massively Multiplayer Online)

Classroom based independent project for course: Learning and Experience Design at DePaul University.

Course report can be accessed here


Ubiquitous and multi-platform gaming has changed the way people perceive gaming 

Users' presence on the web is constantly increasing through many devices and sensors, and the risk of personal data theft is pervasive. Though a vast array of security products and information sources are available, people don't often employ safe measures.

Americans have an online account associated with their personal information, and nearly 2/3rds of those reported having experienced data theft or fraud[source]

Average number of accounts are associated with an email in the US[source], but people tend to reuse their passwords, don't use two-factor authentication, and share data over unsecured networks[source]



 research questions 

We are beyond the antivirus era of device security, but do people view security from the same lens?

Exponential growth in consumer technology has left potential gaps in the adoption of cybersecurity measures. We surveyed the literature to understand what kinds of gaps there may be.

What is risk: Research has established that cybersecurity terminology doesn't resonate with people, and few indulge in the privacy legalese of "notice and choice" [source] models. 

What puts my information at risk: A study of the effectiveness of cybersecurity campaigns suggests that informative campaigns are ineffective because of a disconnect between risk perception and applying security advice towards reducing risk [source].

The convenience/security trade-off: A study of novice and expert users employing security measures revealed that novice users perceived less benefit in following security measures, and valued convenience more than expert users did [source].

What can I really control: In their study of cybersecurity attitudes, Pew reported: "Many Americans do not trust modern institutions to protect their personal data – even as they frequently neglect cybersecurity best practices in their own personal lives" [source].



How people use the web has changed vastly over time.

Does that parallel a similar understanding of changes in cyber risk and safe behavior?

 research methodology 

Our team conducted user research to understand how people perceive cybersecurity risk, and how that perception aligns with the way they practice secure behaviour.

Drawing inferences from research, we wanted to understand:

1. Risk perception of dangers of surfing the web

2. Risky behavior 

3. Perceptions of cybersecurity in light of data breaches

4. Perception of security measures in day to day behavior

The research questions across methods were the same, but different methods allowed us to explore ways of generating unfiltered responses, and corroborate our line of exploration.

Task based observations


We asked 4 participants to create new Gmail accounts, and recorded their behavior around passwords, privacy notices, and data sharing in the presence of Gmail's security suggestions on the account creation pages.

See Research protocol here



We conducted interviews with 8 participants, asking about perceptions of actions in browsing and browser features, account-related activity, payment-related activity, and using the internet on different devices. We used this data to identify trends and themes to inform our data collection in the survey.

See Research protocol here



We received 38 responses to our survey, designed using Qualtrics. We asked people questions similar to those in the interview, but a mix of open-ended, single choice, multiple choice and matrix choice questions may have allowed for unbiased responses.

We conducted statistical analyses to find correlations between groups, and qualitative analyses of responses to different topics. 

See Research protocol here


Online survey hosted on Qualtrics

 findings- risk and safety perceptions 

We organized our findings into themes that emerged around security concerns. 

In order to understand people's risk perception, and how it affects the way they practice safe measures, we divided them into groups of high risk perception or low risk perception, and safe or unsafe practices (based on the number of measures followed, with scores assigned to each measure).


The 25 people who perceived high risk from browsing were equally likely to conduct safe or unsafe practices (no correlation between high risk and safe practices in a chi-square analysis). We then qualitatively analysed participant responses to understand how they approach cyber security.

1. Risk perception was highly influenced by current news, and risk was perceived from "unsecure websites"

  • When we asked people to describe risk associated with browsing, 19 out of 38 survey participants mentioned data breach as a risk. 21 people mentioned website based articles as their major source of cybersecurity information

  • Others perceived risk from hacking, phishing and fake websites, and indicated that they perceived risk from unsecure websites

  • 38 survey participants assigned mean scores of >3 on a scale of 1 (unsecure) to 5 (very secure) to brand name websites, websites with privacy policies, and well designed websites

38 participants rated items on a scale of 1 (very unsecure) to 5 (very secure). This figure shows mean scores.

2. To stay safe, people visited secure websites, and tended to rely on browsers and brand name websites to block unsecure areas of the web

  • 63% of people were likely to rely on browsers and brand name websites to keep them safe from cyber risk (chi-square goodness of fit, at alpha=0.10, n=38)

  • Participants heavily relied on the browser to block popups, unsecure websites, and harmful file downloads (See high mean scores in figure below)

  • Yet, when asked about what makes them safe on the web, not a single participant mentioned popup-blockers and ad-blockers

  • They cited visiting trusted websites and avoiding unsecure websites as safety practices. The perceived validity of a website was based on brand name, privacy policy, https:// and website look and feel.

Participants scored security features on how much they trust their browser to handle them. Figure shows mean scores for 38 participants, on a scale of 1 (do not rely on browser) to 5 (heavily rely on browser).

3. It seemed to be more than a matter of convenience. People did not rely on the browser for the safety of their passwords and payment information, and actively took measures.

  • For sensitive data such as passwords and payment information, 16 participants reported that they don't rely on the browser (See low mean scores in figure above)

  • Participants mentioned using safe passwords, changing passwords, not saving credit card information

  • 18 out of 38 mentioned a combination of numbers, special characters and letters for safe passwords, 19 mentioned using two-factor authentication, and many used third-party software such as Apple Pay for payment information

4. People perceived browsing to be secure on trusted websites, but they did not perceive control over the personal data they share with these websites when creating accounts or conducting transactions

  • 25 out of 38 participants mentioned their trust in brand name websites to keep their data safe, and cited visiting trustworthy websites as a safe practice. One of the factors affecting website trust was the presence of a privacy notice

  • In the task-based observation of creating a Gmail account, participants briefly scrolled through the privacy notice and did not read the content

  • 17 out of 38 survey respondents mentioned never changing autofill default settings, but did not particularly think of autofill as secure.

  • Control of data sharing was hidden under a "more options" link, and participants assumed that they had no choice over what data about themselves they could share

5. Beyond the idea of secure and unsecure websites, safe passwords and payment mechanisms, there seems to be a knowledge gap in terms of data at risk and unsafe actions

  • Participants perceived password managers as related not to security, but to remembering multiple passwords

  • More than half of the participants mentioned using anti-virus, but whether it was for web or device security wasn't clear

  • Most interview participants mentioned virus, trojan and malware as threats, but didn't mention how the threats affect their personal data

  • Participants indicated a loss of control over the type of information being saved in autofill

  • Many perceived no benefit from device and application updates (which usually contain security patches)

 user mental models of cyber security 

Picturing a mental model of user perceptions of risk and security on the web beyond passwords

Risk associated with unsecure websites, rather than unsecure actions

  • People tended to associate risk with unsecure websites, and relied on their browsers to block unsecure websites

  • As a safety practice, they accessed trusted websites, but did not particularly focus on safety measures around sharing passwords, connecting to free networks and security updates

The idea of what data is at risk, and what puts it at risk, is unclear, and limited to unsafe passwords or websites. People assumed no control over what data they can share when creating accounts

  • Most people used autofill, but did not edit browser settings to control what information is saved

  • While creating accounts, they did not perceive control over data sharing, but the existence of a privacy policy assured them of safety

  • Participants mentioned data breach, hacking and identity theft as risk on unsecure websites, but did not associate risk with their actions while browsing


Safe and unsafe areas of the web, and visiting trusted websites as secure behavior

  • More information about what data is at risk, such as contact information, browsing history and user profiles 

  • Educating users by mapping web behavior to risk 

  • Promote an understanding of secure and unsecure actions while browsing, such as using form autofill

  • Make existing security mechanisms more explicit, such as push notifications for updates with security patches, or warnings while connecting to public networks 

  • Design of products with trust and privacy as core values, such as providing the right security information in a digestible form

How might we make cyber-risk and data sharing more transparent?