Gamification Training to Protect Against Socially Engineered Cyber Attacks: An Evidence Based Design

Dates: April 2020 – March 2021  

Lead researchers: Justin Hempson-Jones and Nicolas Melendez, Social Machines, and Dr Francesca Salvi, University of Portsmouth. 


Attacks that take advantage of human operator behaviour to compromise cyber security are often described as socially engineered cyber-attacks. For example, these include phishing (using email or voice-over-internet-protocol channels) in order to prompt users to divulge information or perform another compromising behaviour; social network exploitation; waterholing – where victims are lured to compromised websites and exploited, and baiting (leaving compromised material to lure individuals into compromising systems). This research explored what types of training will best protect users against different types of attack. Evidence assessed through a systematic review was used to modify social engineering taxonomies to map our best current understandings of what works, where, how and why. This was used to create a ‘proof of concept’: a set of fictional but practical use cases demonstrating how the taxonomy can be used to generate practical training packages for users.  

Policy implications

The work aimed to support a more robust foundation for cyber protection training to help organisations better to better optimise cyber security behaviours and cyber risk decision making amongst employees. It will create a foundation for cyber security training in order to encourage take-up of training solutions based on a robust, evidence-based approach to gamified training in this area.  


Systematic literature review, taxonomy development and illustrated proof of concept.  

Find out more  

Funders: RISCS 


Posted on

December 9, 2021