Q&A: Anti-phishing training game

Norman Sadeh, CEO or Wombat Security, is also a Professor in the School of Computer Science at Carnegie Mellon University where he developed Wombat’s anti-phishing filtering technology. In this interview he talks about this technology and how it works.

Introduce (briefly) the Anti-Phishing Phyllis game to our readers.
In the Anti-Phishing Phyllis training game, you help a fun fish character named Phyllis teach her school of fish how to avoid phishing traps in fraudulent emails. Traps covered in the game include fake links, malicious attachments, cash prizes, “respond-to” emails asking for sensitive information and much more. You are given a limited amount of time to analyze each email and spot traps.

As you play the game, you are given feedback on the phishing traps you miss and learn to better protect yourself. The game comes with an extensive collection of randomized legitimate and fraudulent emails, so you can play the game multiple times without seeing the same messages. In just a little over 10 minutes, you proceed through a succession of three rounds, with each round introducing new tips and teaching you how to fend off dangerous email attacks.

Wombat’s management team constitutes mostly of professors. It is no wonder, then, that apart from PhishPatrol, all your other solutions are designed to educate the human element within the technology chain. When you started thinking about a game as potential approach to learning, what problems did you think you would encounter? Were you worried that the concept would be a hard sell?
Our anti-phishing solutions originated as part of a research project started by our co-founders in 2004 at Carnegie Mellon University. We could tell that phishing was going to become a major problem and that existing vendors would continue to respond with more of their traditional solutions: multi-factor authentication, more filters, you name it. The problem with this approach is that it entirely ignores the human element. It essentially looks at the user as being part of the problem, while failing to recognize that users can also be a major part of the solution.

This observation led to the development of the unique suite of training solutions offered by Wombat today: fun and effective training games as well as services to build fake attacks to train your users. And of course, along the way, we also developed some unique filtering solutions focused specifically on catching phishing attacks. But, while our PhishPatrol filter catches significantly more phishing emails than other filters, we know that it will always be possible to craft low-volume, highly customized attacks that have some probability of making it past any filter. This is why ultimately users will always remain an organization’s last line of defense and why it is so important to use effective training solutions.

We knew that traditionally the security community had looked down on training. Some people had compared cyber security training to trying to nail Jell-O on a wall. Learning science teaches us we can do better. The solutions developed by our co-founders draw on learning science principles to create unique teachable moments, when users are more prone to learning and more likely to remember what they have been taught. Extensive studies have confirmed that our training games are significantly more effective than traditional cyber security solutions offered in the past.

Did the users and the companies and institutions that implemented your previous “game” solution (Anti-Phishing Phil) have some helpful feedback to offer that you might have incorporated into Anti-Phishing Phyllis? If so – what changes in approach have you made?
The success of Anti-Phishing Phil and the publicity it garnered took us all by surprise. Our studies had shown that the game was highly effective, but licensing the game for use by millions of people around the world as we have over the past two years went beyond our wildest dreams. In the process, we have learned the importance of making the game easy to customize. Games like Phil and Phyllis are easy to brand, can easily be customized to include specific messages and capture company specific content such as fraudulent emails sent to employees or customers of a given organization. Our games are also designed to be easy to translate into other languages and are SCORM-compliant too.

Once the knowledge from the training game is assimilated (Anti-Phishing Phil was developed to teach employees how to detect phishing URLs), do the users show an increased awareness about potential threats in other security related fields?
This is a very good question. Each game focuses on teaching people to recognize a particular class of attacks: Phyllis teaches users to recognize fraudulent emails whereas Phil teaches them to spot fraudulent URLs. At the same time, beyond the many practical tips offered by both games, we also teach users to never trust information presented to them unless they can verify it. So, while we have never tested this, I suspect that our games do help in some manner increase overall awareness. This being said, we strongly believe that the diversity of threats out there will unfortunately continue to grow. The only way to practically address this will be to continue to beef up our suite of cyber security solutions. Ultimately, Wombat wants to establish itself as the one-stop-shop vendor everyone thinks about when it comes to training their employees and customers.