
‘CSI: Phishing’ takes gamification approach to improve awareness training

An image made from video of the “CSI: Phishing” game released by Global Learning Systems. (via YouTube)

Global Learning Systems on Tuesday released its "CSI: Phishing" game, developed to address the growing threat of cyberattacks and data/security breaches resulting from human error and bad email security habits.

The phishing awareness training game simulates a real-world security breach by using a game-based design. It challenges learners to apply their knowledge and analytical skills in a fun, engaging way.

CSI: Phishing places the user in the role of a cybersecurity “investigator” assigned to find the source of a recent security breach in their client’s network. The game takes place over a remote desktop simulation, where the investigator reviews and analyzes the email and social media/networking accounts of various employees, trying to assess the source of the breach. Evaluating a variety of emails and posts — some of which are safe, others of which are not — the user flags any items they think are suspicious. As the game ends, a “supervisor” shows the player a project evaluation and gives the player a score based on how well they identified the risky items.

"While the marketplace offers standard tutorial-based training, as well as phish testing, there are very few training options that effectively utilize pure gamification to engage and educate learners," says Larry Cates, president and CEO at Global Learning Systems. "We see game-based learning as a key missing piece."

Oliver Tavakoli, CTO at Vectra, said that while gamification of anti-phishing training may result in lower click-through rates on phishing emails for users who played the game, it’s important to keep a perspective on the limits of such training in helping prevent breaches. Tavakoli said breaches typically result from a cascade of failures, and while a successful phishing attempt may often represent the beginning of an attack chain, disrupting any part of the chain can prevent the attack from succeeding.

“So anti-phishing efforts should be thought of as an effort to improve one of the filters in the defensive fabric,” Tavakoli said.

Patrick Harr, CEO at SlashNext, said security training has become an important component of good cyber resiliency. Harr said while sophisticated phishing, coming from a trusted service, is very hard for humans to identify, training that serves to enhance a user’s analytical skills has become critical for phishing that makes it through security defenses.

“A good training program, combined with AI-powered behavioral learning technology, is the right combination needed to stop phishing from impacting an organization,” Harr said.
