Social science enhances how people respond to cyber security threats, by helping individuals overcome the biases exploited in cyber attacks. A novel approach to cyber security training increases staff self-efficacy when responding to malicious messages.
The following post summarises my team’s recent report.
Summary
- My team worked with a large government organisation to develop an online training game to increase awareness of phishing
- Phishing refers to the tactics used by cyber criminals to trick people into providing personal details that leave their accounts vulnerable. This includes clicking on malicious hyperlinks
- Our training game sought to encourage correct reporting of phishing emails
Background
Cyber security attacks have increased by 50% in New South Wales.
Traditional training focuses on providing cyber safety tips, typically followed by an online quiz. Organisations may also coordinate phishing simulations – a fake email campaign run to see how many of their staff might fall prey to phishing attempts.
These activities expose employees to some of the common ploys used by cyber criminals, but research shows that these approaches have limited effects that fade over time.
Research shows that people don’t recall their training because they don’t get a chance to practice what they learn. They are also busy, often multitasking at work, and they therefore fall for urgent requests included in phishing attempts.
What We Did
We developed an online training game, ‘Tour de Phish,’ that incorporated cyber security principles. Players navigate a bike in a racing game, while responding to cyber security messages, requests and hazards appearing during the course. Players must press buttons that look like the icons used in emails to respond to, delete or report phishing.
The game incorporates lessons from existing training into three levels of play, with limited time to complete the course. The characters onscreen are voiced by professional actors. The game includes music, sounds, challenges, and rewards. When players correctly identify phishing, the screen erupts in confetti and cheering. This feedback positively reinforces learning.
Players gain points for speed and correct reporting of phishing emails. They also receive other rewards and penalties throughout the game. The game can be completed in five minutes. The game was designed to be fully accessible to people with disability.
How We Did It
We designed our game using behavioural science principles from gamification. This is an approach that breaks down complex and unfamiliar rules and information into a fun and immersive activity. People are more likely to remember and act on information that is presented in an interactive and novel way.
Our game improved self-efficacy – the confidence to apply training – by providing real-time feedback and rewards during the game.
At the end of the game, players see their own score in a real-time leaderboard, which shows how they compare with the top players in their organisation. Individual scores also contribute towards their group results.
In the backend, the game measures individual outcomes and aggregates results by employee groups. This information can be used to tailor future training offers, and to target phishing simulations more effectively. For example, staff who fall for a phishing simulation can be assigned our game as a refresher, to see if their behaviour improves over time.
Our team used this to run a site-wide tournament promoting the game and our training. (I left the project by this stage, to focus on other projects.)
What We Found
During our user testing, all users reported feeling more confident in reporting phishing emails after playing our game.
The site-wide tournament led to almost 1,000 plays during the three-week competition, timed with the Tour de France.
The game is now incorporated into routine training by our partner agency.
How Social Science Helped
Our game design included behavioural principles, such as:
- Timeliness: each level is time-limited, to simulate the environment in which workers typically make decisions when responding to emails
- Salience: the game is attractive, making reporting enjoyable and memorable
- Incentivisation: whenever a player takes action – whether correct or incorrect – they are shown the real-life impact of reporting or not reporting phishing emails. For example, they see a message about how many of their colleagues are impacted by their actions, or how many customer accounts were protected from hacking.
