How to Patch the Brain with Gamified Learning

Updated: August 28, 2024
Written by: Maxime Cartier

“Cybersecurity has got two fundamental problems to solve, and both are immense. First, we’ve got technical problems. Second, we’ve got the human problem, end-users who make mistakes. While the technical problems are serious, they can be solved. But we can’t patch problems in the brain.”
Mikko Hyppönen, Chief Research Officer, F-Secure


Today, Hoxhunt is honored to announce that Mikko Hyppönen joins our advisory board as Chief Scientific Advisor. Mikko works at F-Secure as the Chief Research Officer. His role is to assist us in our quest to solve the human problem. Mikko has been a Hoxhunt user for quite some time.

“I’m impressed by the solution created by Hoxhunt. Briefly put, it could be crystallized as gamified individual learning. I’ve used Hoxhunt for more than a year now, and have noticed how it changes your mind,” Hyppönen says.

Change in employee behavior

It’s a sad fact that users remain the weakest link in cybersecurity. Attackers know how easily people fall for social engineering, and they succeed time and time again.

Of course, many organizations try to educate employees to raise their awareness. They tell them not to do this and stay on the safe side. People may remember the lessons for a couple of weeks, but there is no long-lasting change in behavior no matter how often you repeat the message. Traditional training fails.

What makes this fatal is that technical measures alone are never sufficient to protect against attacks. That is why Hoxhunt was founded.

We figured out that to solve the root problem people must be given incentives that make them stay alert at critical moments. The solution should be scalable, smart, and fit all organization sizes. What did we come up with?

It's in the game!

“During my 25 years in the industry, I’ve noticed that people never learn. No matter how many times you repeat a message, they still make mistakes. However, what seems to work is building a proper motivation. Gamification makes that possible,” said Mikko Hyppönen.

At Hoxhunt, we created a novel solution: an individual learning experience in the form of a game, suitable for all employees in any organization. The point is learning by doing - continuously, including making occasional mistakes and learning from them.

The game consists of simulated malicious emails that come to the employees’ inbox at random intervals. The task of the users is to recognize these messages. When they detect one, they simply push the Hoxhunt add-on button in their email client.

That’s where the actual game begins. After flagging a suspicious email - or failing to recognize one - the employee receives an immediate response: a brief visual explanation of the tricks used in the email in question. Moreover, successful detections earn points that accumulate on the leaderboard of the whole organization. That spices up the experience with a strong, socially shared motivation to learn more.

“When people think they are playing a game it awakens their natural instinct to compete and win,” explained Mikko Hyppönen.

Why focus on email and employees?

There’s a simple answer: the modern malware highway is email. Around 70 to 90 percent of cyber attacks start by sending malicious messages that play tricks on the employee.

Did we say tricks? Social engineering is used in all email attacks to lure people into making a mistake. Typically, that is a click on a malicious link or an attachment. People usually make mistakes within the first few seconds after checking the message.

The attackers intend to trigger emotions such as fear, curiosity or hope in the recipient of the email. Cheating is storytelling, sometimes simple, sometimes complex. It could be as simple as this message: “This morning, you crashed my car, check the attached photos, and get in touch”.

Targeting the individual is crucial for social engineering to work. That is why we, too, gather data on each user from sources a real attacker could find. Speaking more technically, we use a full repertoire of real attack vectors. There are different phishing attacks: ransomware attacks, CEO scams, and so forth.

Our AI-powered game platform enriches the templates automatically based on the information gathered from the individual users and their performance level. Gradually, hand in hand with the user’s learning curve, the simulated attacks become harder to spot.

Hoxhunt empowers security teams and the employees

Team Hoxhunt back in 2017. Today, we are more than 60 people and growing!

Hoxhunt has been live for more than a year. It’s delivered as a globally scalable software-as-a-service (SaaS) solution, now used in more than 25 countries by thousands of people in dozens of organizations, and the number is growing fast.

What’s most important, Hoxhunt makes a difference. Our solution truly empowers security teams and people - and greatly reduces the human risk level of the whole organization. Mikko Hyppönen acknowledges that Hoxhunt has achieved something that was supposed to be impossible: we do patch the brain, successfully. No other awareness training can do the same.

“For a company, the approach of Hoxhunt is ideal. Employees become motivated to read their emails more carefully, and they learn to detect malicious messages. In addition to simulated attacks, people will start to recognize real attacks, because they have learned to do it. Users can’t tell whether it’s part of the game or something real,” explained Mikko Hyppönen.

We can prove in real-time that everyone can learn to spot attacks intended to cause harm. The employees learn to think for a few extra seconds, thus avoiding the traps. They see their own skills grow as they become familiar with more and more advanced attack techniques. And, naturally, employees can follow how they rise towards the top in the ranking table.

We believe that the greatest asset of any company is its employees. But making your greatest asset stronger is no easy task. One needs an epic user experience that creates a willingness to continue training in a fun and low-effort environment, preferably integrated straight into the employees’ regular workflow. That’s why we are here, ready to protect you, too.

Learn more about the unique approach Hoxhunt takes to continuously train and educate your employees:

Gamified Training with Hoxhunt
