I led a project where our team created an online cyber security training game. We used behavioural science to develop the game. I hired an intern who did a wonderful job building the prototype. Our team then contracted a great agency to work with us to enhance the game. Having an applied sociologist at the helm meant that accessibility and game design were developed with inclusion from inception.
Our game gives people an opportunity to practise accurately reporting phishing emails. Phishing refers to malicious emails that try to trick people into clicking on links or otherwise giving away sensitive information. Many workplaces provide some cyber security training on phishing and other attacks; however, much of it follows a traditional model. That is, people are presented with education about cyber safety, and they are then asked to answer questions about the training. This model measures immediate comprehension, but does not tell us much about whether people’s behaviour has changed as a result of the training.
Cyber attacks are on the rise globally, and have increased since COVID-19 pushed many businesses to work from home or go online. Cyber attackers prey on our behavioural biases. Unfortunately, most training does little to address this pattern. For example:
- Training is hard to remember and the perception of risk fades over time. You might do cyber training in January. By June, when you receive a phishing email, you may have forgotten what to look for and fall prey to a cyber attacker (availability bias)
- People lack time and mental bandwidth to respond to phishing. The average worker receives over 100 emails a day. We are busy and respond quickly. We may therefore overlook clues in a phishing email (scarcity)
- There are too many unfamiliar rules. Cyber security training introduces many ideas that most people are not used to thinking about, such as how to spot illegitimate domain addresses. Training therefore tends to overwhelm novices who are less engaged with technology (information overload)
- People don’t know how to report and therefore take no action when they see a suspicious email. Reporting functions also vary across email platforms. The button to report on Outlook that you use at work may be different from the one in your personal email client, such as Gmail (the latter emphasises spam, not phishing). When people see an email they mistrust they are more likely to ignore it or delete it. This means that other people in your organisation may fall for the phishing email, because it was not reported by those who received it earlier (default bias)
- People don’t know what happens when they report a suspected phishing email. Do you recall the last time you reported a suspected phishing email? It is often an anti-climax. The email usually disappears into the ether and you get no reinforcement for your good deed. Nor do you receive feedback as to whether you were right to report it. Our research shows that people prefer not to report because they fear they may get it wrong, or that it’s not worth the hassle. People prefer to avoid what is unfamiliar (ambiguity bias)
- People don’t see reporting as their primary responsibility. We are used to seeing our computers and software automatically update. We are often prompted to change our passwords periodically by machines. Generally speaking, unless they work on cyber security, most individuals don’t think that cyber security is part of their remit. They trust that other experts, or their latest software, offer enough protection (motivation)
For these reasons and more, phishing reporting is not at the top of people’s minds.
We used the principle of gamification to build our cyber security training game. Gamification uses game design principles to solve problems. The goal of gamification is to break down complex and unfamiliar rules into a fun activity. The process involves building behavioural science prompts into an immersive learning environment. People are drawn into an interesting story or quest, where they are given positive reinforcement to learn. This might be points or other rewards when they apply learning correctly. The narrative challenges people to apply learning in an interactive way. Most importantly, gamification gives people an opportunity to practice what they learn in a timely way, rather than simply expecting them to remember facts.
As we’ve seen, many people find the topic of cyber security daunting or overly technical, and often switch off. Gamification has been shown to increase the likelihood that users will distinguish legitimate emails from illegitimate ones. Most phishing training games provide people with positive motivation to apply training. Gamification has been shown to enhance self-efficacy, making individuals more confident about cyber security.
Our game has players taking the role of a cyclist riding for their team in a competition, Tour de Phish (based on, what else, the Tour de France!). Through the game, we give players opportunities to exercise their phish-spotting skills in various scenarios. These include messages resembling phishing emails, other riders making nefarious phishing offers along the route, and other obstacles in the course. Critically, learners also have to respond correctly to genuine requests, just as they would at work. The game has timed levels, so users practise applying phishing tips under pressure to distinguish legitimate from illegitimate information requests.
Players receive tips and feedback. There are various rewards and penalties throughout the game. Players see a real-time podium where their score is compared to others in the organisation and their points count towards their team. This is all designed to tap into personal motivations to improve, as well as a social desire to help their team win.
Gamification makes learning more salient. Rather than simply being quizzed at the end of an online module (standard fodder in most training), people are sent a link to our training game, where an interactive story prompts them to apply their training. Behavioural research shows that people are more likely to act when information is presented in a novel way. Our user testing shows that 89 percent of people who played our game prefer to learn via an online game compared to an online course or a face-to-face workshop. Additionally, 92 percent of people enjoyed playing our game, and 100 percent of people felt more confident in identifying phishing emails after completing Tour de Phish.
The game was built in close consultation with people with disabilities to make it accessible to people who are blind or have low vision. I also designed the characters to represent diversity. I am grateful to the graphic design team, game developers, and our team who overcame many hurdles in building an inclusive game.
Read more about the behavioural science on our website.