How to Patch the Brain with Gamified Learning

“Cyber security has got two fundamental problems to solve, and both are immense. First, we’ve got technical problems. Second, we’ve got the human problem, end users who make mistakes. While the technical problems are serious, they can be solved. But we can’t patch problems in the brain.”

Mikko Hyppönen, Chief Research Officer, F-Secure Tweet
Mikko Hyppönen - F-Secure

Today, HoxHunt is honored to announce that Mikko Hyppönen joins our advisory board as Chief Scientific Advisor. Mikko works at F-Secure as the Chief Research Officer. His role is to assist us in our quest to solve the human problem. Mikko has been a HoxHunt user for quite some time.

“I’m impressed by the solution created by HoxHunt. Briefly put, it could be crystallized as gamified individual learning. I’ve used HoxHunt for more than a year now, and have noticed how it changes your mind,” Hyppönen says.

Change in behaviour

It’s a sad fact that users remain the weakest link in cyber security. Attackers know how easily people fall into their traps by social engineering, and gain victories time and time again.

Of course, many organizations try to educate employees to raise their awareness. They tell them not to do this and that to stay on the safe side. People may remember the lessons for a couple of weeks, but there is no lasting change in behavior no matter how often you repeat the message. Traditional training fails.

What makes this fatal is that technical measures alone are never sufficient to protect against attacks. That is why HoxHunt was founded.

We figured out that to solve the root problem people must be given incentives that makes them stay alert at critical moments. The solution should be scalable, smart, and fit all organization sizes. What did we come up with?

It's in the game!

“During my 25 years in the industry, I’ve noticed that people never learn. No matter how many times you repeat a message, they still make mistakes. However, what seems to work is building a proper motivation. Gamification makes that possible. — Mikko Hyppönen

We created a novel solution, an individual learning experience in the form of a game suitable for all employees in any organization. The point is learning by doing — continuously, including occasional mistakes.

The game consists of simulated malicious emails that come to the employees’ real inbox at random intervals. The task of the users is to recognize these messages. When they detect one, they simply push a HoxHunt add-on button in their email client.

That’s where the actual game begins. After flagging a suspicious email — or failing to recognize one — the employee receives an immediate response: a brief visualized instruction of tricks used in the email in question. Moreover, successful detections give scores that accumulate in the leaderboard of the whole organization. That spices up the experience by a strong socially shared motivation to learn more.

“When people think they are playing a game it awakens their natural instinct to compete and win.” — Mikko Hyppönen

Why focus on email?

There’s a simple answer: The modern malware highway is email. Around 70 to 90 per cent of cyber attacks start by sending malicious messages that play tricks on the employee.

Did we say tricks? Social engineering is used in all email attacks to lure people to make a mistake. Typically, that is a click on a malicious link or an attachment. People usually make mistakes within the first few seconds after checking the message.

The attackers intend to trigger emotions such as fear, hatred, curiosity and hope in the receiver of the email. Cheating is storytelling, sometimes simple, sometimes complex: “this morning, you crashed my car, check the attached photos, and get in touch”.

Targeting the individual is crucial for social engineering to work. That is why we, too, gather data of each user from sources a real attacker could find. Speaking more technically, we use a full repertoire of real attack vectors. There are different phishing attacks; ransomware attacks, CEO scams and so forth.

Our AI-powered game platform enriches the templates automatically based on the information gathered from the individual users and their performance level. Gradually, hand in hand with the user’s learning curve, the simulated attacks become harder to spot.

HoxHunt empowers people

HoxHunt Team
Team HoxHunt in 2017

HoxHunt has been live for more than a year. It’s delivered as a globally scalable software-as-a-service solution, now used in 25 countries by thousands of people in dozens of organizations, and the number is growing fast.

What’s most important, HoxHunt makes a difference. Our solution truly empowers people — and greatly reduces the risk level of the whole organization. Mikko Hyppönen acknowledges that we’ve achieved something that was supposed to be impossible: we do patch the brain, successfully. No-one else can do the same.

“For a company, the approach of HoxHunt is ideal. Employees become motivated to read their email more carefully, and they learn to detect malicious messages. In addition to simulated attacks, people will start to recognize real attacks — because they have learned to do it. Users can’t tell whether it’s part of the game or something real.” — Mikko Hyppönen

We can prove in real-time that everyone can learn to spot attacks intended to cause harm. The employees learn to think for a few extra seconds, thus avoiding the traps. They see their own skills grow as they become familiar with more and more advanced attack techniques. And, naturally, employees can follow how they rise towards the top in the ranking table.

We believe that the greatest asset of any company is their employees. But making your greatest asset stronger is no easy task. One needs an epic user experience that creates willingness to continue training in a fun and low effort environment, preferably integrated straight to the employees’ regular workflow. That’s why we are here, ready to protect you, too.

Learn more about the unique approach Hoxhunt takes to continously train and educate your employees.