When it comes to cyber security, it has long been understood that humans are the weakest link. We can build strong systems on robust cryptography, but be undermined by user error, and since criminals follow the path of least resistance, users face the greatest threat. However, it is valuable to review this narrative. If humans pose the greatest vulnerability, cyber skills present the greatest opportunity.
Much work has been conducted to enhance cyber skills. Cyber Streetwise was emblazoned on adverts across the web and the tube, and an earlier initiative, Get Safe Online, was driven by the need for expertise across industry and government. Unfortunately, while awareness campaigns can raise alertness, this seldom results in refined behaviour. Research suggests that awareness should be followed by both education and incentives. Without the former, users will not understand the threat; without the latter, they might not feel encouraged to change their settings or their behaviour or not feel encouraged.
The real challenge is incentivisation, particularly when security requires engagement. Firstly, settings are often lax by default, forcing users to invest effort. Secondly, since data funds functionality, individuals might appreciate the benefits of sharing. Finally, users often underestimate the sensitivity of their information. While location details might appear innocuous, they could be aggregated to perform predictions. If people don’t feel at risk, they won’t seek to use cyber skills.
One avenue is that of educational games – These apps align desired behaviour with gameplay challenges. Over time, players associate virtual progress with intrinsic motivation, and these games have been found to be more persuasive than conventional campaigns. Indeed, gamification has delivered success in health, exercise and education too. As a further advantage, their content can be closely customised. This, ensuringes their narrative is relevant, unlike mass-market initiatives. Finally, since games are interactive, they tend to engage their audience. This is particularly true for younger users, who may not fully understand how their actions today, and the records they create, may be used or abused tomorrow.
To test our theory, we designed security games for behaviour change. We targeted smartwatches, since they hold a variety of sensitive data. Watches They often have smartphone apps, while also tracking biometrics. Despite the risks, users rarely use features such as passwords. This presented a good test case for educational games.
Our app tasked players to traverse a virtual world. En route, they sought to collect coins and evade thieves. Each time a thief was encountered, users were assigned a security challenge. This might be to adjust permissions or disable GPS. Quick responses were rewarded by points, building positive reinforcement. Incorrect answers resulted in game termination, encouraging players to memorise the process. This feedback loop associated security with success and insecurity with failure.
The game proved successful in enhancing cyber skills. Participants were given a watch and monitored for three weeks. While some enabled a password, most loosened their privacy settings. In the next phase, we installed an interactive application on each watch. Half of the users were given our security app. The others received an un-themed game, enabling comparison of success. After seven days of interaction, we tracked behaviour for a final three weeks. As expected, we found the un-themed game had no influence on protection. In contrast, the security app enhanced password usage by 30%. With this achieved on a watch, the potential is great on fully-fledged interfaces.
Cyber skills are challenging to develop, as evidenced through high-profile campaigns. Educational games offer new opportunities, aligning awareness with engagement and outcomes with incentives. Children face many of the greatest risks as the digital world expands. Such games are well-suited to this audience and could be introduced in secondary schools or even primary schools. By enhancing cyber skills, the weakest link can become the strongest defence.