Gamifying cyber security education proves a win
When faced with cyber threats, it’s easy to let your guard down. A behavioural training game helped increase people’s confidence and enjoyment while learning about cyber security.
The challenge
Cyber attackers use tactics such as identity theft and scam emails to gain valuable personal, corporate and government information. Phishing is a scam email that tricks people into clicking malicious links or sharing sensitive information. Since the COVID-19 pandemic began, phishing schemes and other cyber attacks have been on the rise, with reported incidents increasing by 50 per cent. In response to this threat, the NSW government has invested $240m in building its cyber security capability, from delivering more research to developing better training.
Cyber attackers prey on our behavioural vulnerabilities, sending phishing emails when we’re busiest at work or using urgent language to lure us onto malicious websites. Traditionally, we have used training modules and awareness campaigns to share best practices about digital security. However, research shows these approaches do not improve behaviour, such as the reporting of phishing emails. Rethinking how we teach cyber security could be one step towards improving our safety online.
Gamification applies game design to other types of activities, such as education, health and workplace training. In education, gamification has been used to increase engagement and motivation towards learning. Several laboratory studies also show that gamification can improve our ability to identify cyber security threats.
What we did
In 2021, we partnered with the Department of Customer Service Chief Information Security Office to develop a cyber security game to complement existing training for NSW government employees. ‘Tour de Phish’ immerses players in a young cyclist’s first professional race. To complete the course, players must quickly decide whether incoming emails and requests are safe or malicious. Several game mechanics were used, including a point system, a leaderboard, time pressure and increasing levels of difficulty.
The game complements existing training by incorporating lessons developed by Cyber Security NSW.
We applied several behavioural principles when designing the game to address barriers that make us more vulnerable to cyber attacks. These principles include:
- Simplification: typical training courses present too many unfamiliar and complex rules, leaving people feeling overwhelmed. Tour de Phish keeps it simple by focusing on a few key cyber security tips and engaging players in a fun learning environment.
- Timeliness: behavioural research tells us that what we learn quickly fades if we don’t have a chance to apply it. In the game, players learn cyber security tips and then immediately practise their phish-spotting skills, to maximise the chances they remember what they’ve learnt.
- Salience: people often ignore or delete phishing emails as they don’t know what to do or how to report them. Throughout the game, we specifically draw attention to the reporting button to encourage people to act against malicious emails.
- Incentivisation: when players are faced with an email in the game, they can choose to reply to it, report it or delete it. We reward players with points if they correctly report a phishing email and deduct points if they reply to or delete one. Rewarding players reinforces the positive impact of reporting and incentivises taking action.
Players receive feedback about what they got right or wrong, as well as the real-world impact of their actions. For example, when a player correctly reports a phish: “By reporting phishing, you have protected our customers’ confidential information from getting into the wrong hands.”
For an incorrect action: “Because you clicked on the suspicious link, hackers have delivered malware into our system and have access to our customers’ confidential information.”
This feedback loop reinforces behaviour change and helps players make better decisions later in the game.
We also collaborated with staff with disability to make sure the game was accessible, introducing features such as audio descriptions, voice prompts, audio cues and adjustments for colour blindness.
What we found
We tested the game with users from different teams in the Department of Customer Service. Feedback was overwhelmingly positive, with 89 per cent of users preferring to learn via an online game rather than an online course or face-to-face workshop. Additionally, 92 per cent of users enjoyed playing the game, and 100 per cent of users felt more confident in identifying phishing emails after completing Tour de Phish.
What’s next
Tour de Phish has been included in the learning platform for all staff in the Department of Customer Service. In addition, when staff mistakenly click on simulated phishing emails, they are directed to play our training game to reinforce what they have learnt.
The NSW Behavioural Insights Unit (BIU) will explore other applications of gamification in training that supports better outcomes for citizens in NSW.
Our results show that gamifying cyber security training made learning easy, effective and enjoyable. Can you deliver challenging content in ways that are more fun and engaging? Where could you apply gamification in other mandated learning and development courses?
Want help applying behavioural insights so staff make the most out of training? Book a clinic with the BIU today.