Phooled! Revolutionizing cybersecurity education through gamification 

Information and cybersecurity
Electrical Engineering and Computer Science
In the world of cybersecurity, staying ahead of malicious threats is an ongoing challenge. As cyberattacks evolve, so too must the education and training designed to thwart them.

Enter Phooled!, a novel approach to cybersecurity awareness that merges the worlds of gaming and collaborative learning to solve a serious problem in the real world. Developed by a pair of researchers at the University of Ottawa, this innovative tool promises to revolutionize how organizations train their personnel to detect and mitigate phishing, a process by which an attacker uses fraudulent emails to try to lure people into helping them carry out their attacks.

Vignesh Kumar Karuppasamy, a uOttawa computer science master’s student, is the visionary behind Phooled! Inspired by the connections between cybersecurity research and human behaviour, Vignesh has created a learning tool that transcends traditional teaching methods. He explains that “it’s not just about cybersecurity. It’s also about people, how they learn and how we teach.” Teaming up with Professor David Knox from the uOttawa School of Engineering Design and Teaching Innovation, Vignesh delved into the realms of education science and learning theory to craft a truly immersive experience.

Vignesh Kumar Karuppasamy

“It’s not just about cybersecurity. It’s also about people, how they learn and how we teach.”

Vignesh Kumar Karuppasamy

— Computer science student at the University of Ottawa and designer of the subsecurity tool Phooled!

Collaborative training based on real phishing attempts 

Central to the design of Phooled! is the theory is that people learn best in groups and through interactive experiences. Professor Knox emphasizes that “the key is determining how to change behaviour through peer-based learning. Phooled! was conceived as a collaborative, group-based game that leverages social learning dynamics to engage and educate participants effectively.” Using real-world phishing emails, including ones provided by University of Ottawa Chief Information Officer Martin Bernier and Chief Information Security Officer Mathieu Bertrand, the tool offers a hands-on approach to cybersecurity training using actual phishing attempts. 

However, creating Phooled! posed a unique challenge: striking the delicate balance between gamification and education. Too much gamification risks diluting the educational content, while too much focus on quizzes or learning material can alienate participants. For this reason, games like Phooled! are often called “serious” games since they are not purely for entertainment.  Through testing, iterative development, and user feedback processing, Vignesh refined the interface and mechanics of Phooled! to ensure optimal engagement and improve learning retention.

David Knox

“Phooled! was conceived as a collaborative, group-based game that leverages social learning dynamics to engage and educate participants effectively”

David Knox

— Associate Professor School of Electrical Engineering and Computer Science Faculty of Engineering

Phooled! application tested at the uOttawa-IBM Cyber Range

An important moment in the development of Phooled! came with its alpha test at the uOttawa-IBM Cyber Range, where feedback from security and IT professionals proved invaluable. Insights gained from testers helped refine the functionality and user experience of Phooled!, paving the way for further enhancements. Vignesh notes that “most participants wanted a combined collaborative and competitive training format. We needed to get the balance correct.”

As Phooled! enters its next phase of development, the focus will shift towards scalability and real-world effectiveness. Bug fixes and improvements are underway, guided by the overarching goal of creating an impactful learning tool. With a foundation built on research and user feedback, Phooled! has the potential to make waves in academic and corporate settings. Vignesh is optimistic about its future, stating, “Every organization has data that needs to be protected. Malicious threats don’t distinguish between industries or companies.”

For Vignesh and Professor Knox, the journey is far from over. While Vignesh will apply this research to complete his master’s degree, the need to raise awareness of cybersecurity threats, and to create effective and engaging cybersecurity training in response, will only increase.