Micro Games for Cyber Threat Awareness
Department of Defense
Agency Tracking Number:
Solicitation Topic Code:
Small Business Information
Wombat Security Technologies
1000 Heberton St, Pittsburgh, PA, -
Socially and Economically Disadvantaged:
Abstract
The goal of this SBIR Phase II proposal is to develop a web-based platform that (1) hosts a collection of micro games for cybersecurity awareness and training; (2) simplifies the development of micro games by maximizing re-use of functionality; (3) helps administrators manage and deploy micro games; and (4) helps analysts assess readiness through a suite of tools for analytics. In Phase I, we explored this design space, developing the requirements for this platform as well as several interface prototypes. We also developed an interactive prototype of a new micro game named Anti-Phishing Phyllis. For Phase II, we will refine Anti-Phishing Phyllis and prepare it for commercial use. We will also develop a robust version of the platform for micro games. Our team is composed of three computer science faculty from Carnegie Mellon University who co-founded Wombat Security Technologies to commercialize their research in anti-phishing. Part of this research was in developing fun and effective training to protect people from phishing scams, the most successful of which has been a game played by over 100,000 people with scientific results demonstrating its effectiveness. As of this writing, the game has been licensed for use by several hundred thousand users.

BENEFIT: Organizations often do not have the time to choose between a variety of training options, or deal with the integration and deployment overhead associated with individual training modules. A training platform that facilitates the development and deployment of compelling training games reduces this hassle for organizations, thereby making cyber security training more cost effective. In addition, our work will offer five additional benefits. First, it will make it easier for end-users to educate themselves through a variety of games for security training and assess how they are doing. Second, it will make it simpler for developers to deploy security training games, by providing support for common features. Third, our platform will provide a single centralized location for administrators, rather than having to manage and configure each game individually. Fourth, our platform will make it easier for analysts to assess how an organization is doing with regard to security training and retention. Fifth, our platform, coupled with a large set of games for security training, will lead to better and more effective security training for individuals, thus leading to better overall preparedness for an organization.

Our existing anti-phishing game is in use across a broad variety of organizations, including those in finance (e.g. Depository Trust and Clearing Corporation, TD Ameritrade, Banca Popolare di Sondrio), government (e.g. US Department of State, US Department of Energy, BBB, Florida Department of Transportation), schools (e.g. Carnegie Mellon University, University of Buffalo, Dalhousie University), health care (e.g. Children Hospital Los Angeles), ISPs (e.g. Portugal Telecom), and others (e.g. Booz Allen Hamilton, Transplace, CERT Japan). However, the cost of developing a single game remains high, and the cost of deploying individual games may deter organizations from acquiring a comprehensive suite of cyber security awareness and training solutions. Through the new platform we propose to develop and validate under the proposed SBIR grant, we expect to significantly reduce the development and deployment costs and time associated with the introduction of new games. With cyber security threats continuing to evolve quite rapidly, this is critical if one is to ensure that training material remains current and accessible to a broad range of organizations rather than to the select few who can afford the necessary investments today.
* information listed above is at the time of submission.