Background

In 2022, 39% of all UK businesses reported identifying a cyber security attack against their own organisation, 83% of which were phishing attempts. A large body of research in cyber security focuses on technical solutions; however, humans remain one of the most exploitable endpoints in an organisation. Traditional security training within organisations commonly includes point-and-click exercises and simple video media that employees are required to complete. These training exercises are often seen as unengaging and tedious, and employees are commonly pushed to complete training rather than encouraged to learn and self-educate. Simulations and games are increasingly being deployed for training purposes in organisations; however, they often either (a) simply raise cyber security awareness rather than deliver key security policy and content, or (b) lack accessibility, with complex game pieces and rules that are not easily understood by those not accustomed to playing games. We introduce the disPHISHinformation game: a customisable serious game to deliver phishing training specific to the threats businesses face on a day-to-day basis. Drawing on existing taxonomies, the game delivers content on email, voice, and SMS social engineering attacks, in a format that educates players in key social engineering features. In collaboration with a large service organisation, we have also developed a customised edition of the disPHISHinformation game which reflects the targeted attacks faced by their staff. By creating an analog serious game to deliver key phishing training, we can stimulate higher employee engagement and deliver a more memorable experience.


Download the disPHISHinformation Game

The disPHISHinformation game can be found using the following links. Empty game card templates can also be found with those files. We welcome all to try the game; although it has been designed with businesses in mind, it can also be played at home. The cards are designed to be relatively generalisable. If you have written your own game rules, please let us know! We'd love to hear your ideas.




Author

Niklas Henderson is a PhD candidate within the Privacy, Security and Trust research group at the University of East Anglia, and a part-time Game Development lecturer at Norwich University of the Arts. Niklas’s research focuses on making game platforms to elicit effective inoculation interventions against false information. Niklas has a particular interest in how analog games (physical games) can be used for this purpose, and how serious game design methods can be used to create more effective interventions. Niklas is also an enthusiastic public speaker, previously presenting at the Norwich Science Festival on topics including games against disinformation, and disinformation in large language models such as ChatGPT. Niklas has often been involved with other outreach programmes, running workshops at schools around Norfolk and Suffolk.


Publications
  • The disPHISHinformation Game: Creating a Serious Game to Fight Phishing Using Blended Design Approaches. Henderson, N. (2024). (coming soon)
  • The Phishing Game: An Analog Game To Defend UK Organisations From Phishing. Henderson, N. (2024). View Poster
  • The disPHISHinformation Game: Creating a Serious Game to Fight Phishing. Henderson, N. (2024). Will Video Games Make You Stupid? View Conference Presentation

Contact Us

Please feel free to contact me at n.henderson[at]uea.ac.uk. You can find me on Twitter (aka X if you're feeling controversial) or LinkedIn as well.