The Research Institution for Socio-technical Cybersecurity (RISCS) features our NCSC-funded project: ‘Gamification as Effective Training to Protect against Socially Engineered Cyber Attacks’.
Research Fellows: Justin Jones
‘We are developing an evidence base for a taxonomy that signposts the most effective training and awareness techniques for defending IT users against socially engineered cyber-attack.
People and processes often present the greatest cybersecurity vulnerabilities to organisations. Mechanisms that take advantage of human operator behaviour to compromise cyber security are often described as socially engineered cyber-attacks (e.g. phishing, social network exploitation, waterholing, baiting and others). Defending against socially engineered cyber-attacks has typically focused on educating and training users. Training aims to enhance user protection by increasing user knowledge – including how to behave in ways likely to mitigate their vulnerabilities. But training does not necessarily lead to useful habits, and can fade rapidly. Simulation and the use of games to train (gamification) in particular often aim to improve this, causing participants to simulate useful behaviour: often by stimulating users to reflect more deeply upon their own behaviour – as distinct from that of others. Such approaches may be especially important as socially engineered cyber-attack is increasingly tailored around user attributes (which are weaponised as vulnerabilities). Indeed, machine learning techniques may enable such tailored attacks to be performed at scale – rendering redundant the previous view that attackers faced trade-offs between tailoring and scale.
In this context, the key question this research will address is: What types of training will best protect who, against what, when and why? This research will use a systematic literature review and a consequent validation exercise in order to create an evidence-based taxonomy. It will be adapted to consider changes in remote working practices, as well as the impact of next-generation machine learning techniques. The work will support a more robust foundation for future cyber protection training that will help organisations better optimise employee cyber security behaviours (and cyber risk management).’