A Gamified Phishing Simulator Using Reinforcement Learning
DOI: https://doi.org/10.34190/icair.5.1.4339

Keywords: Reinforcement Learning, Gamified Phishing, Phishing Simulator, Artificial Intelligence

Abstract
An organisation's security is fundamentally reliant on its people. Regardless of the sophistication of its cybersecurity infrastructure, the absence of comprehensive training and awareness can lead to vulnerabilities. Traditional phishing awareness training typically involves sending simulated phishing emails to employees, allowing organisations to monitor actions such as link clicks, email reporting, and responses. While this method offers valuable insights into employee behaviour, it often struggles to engage users effectively. This conventional approach may not create a dynamic learning environment conducive to better retention of vital security practices. Furthermore, users generally do not receive immediate feedback regarding their interactions with phishing links, leaving organisations more susceptible to social engineering attacks. This research seeks to address the issue by developing an interactive gamified phishing simulator that employs reinforcement learning (RL). The methodology for this study consists of two key components. First, a literature review was conducted to assess existing phishing awareness techniques and explore how RL can be applied effectively. This review examined the integration of RL within cybersecurity education and explored the impact of gamification on user behaviour. For the RL agent, a dataset comprising both phishing and legitimate emails was compiled. The agent was then trained to discern phishing emails from legitimate ones based on various email features. The agent then presents users with email challenges and delivers real-time feedback on their selections. The simulator incorporates a reward and badge system that promotes active participation and ongoing learning. This approach aims to overcome the limitations traditionally associated with static phishing training by fostering continuous learning, ultimately reducing user susceptibility.
The effectiveness of the proposed simulator was evaluated based on its classification accuracy of phishing and legitimate emails.
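The abstract describes three pieces: email features as the agent's input, an RL agent rewarded for telling phishing from legitimate mail, and a challenge-and-feedback loop with points and badges. The following is an added illustration of how those pieces fit together; it is not the paper's code and the paper does not specify its feature set, algorithm, reward values or badge thresholds. Everything here is assumed: a tiny constructed email set (reserved `.example` domains and a documentation IP address), four hand-picked binary features, a tabular Q-learning agent with a +1/-1 reward per email, and a player record with a streak-based badge rule.

```python
import random
import re
from collections import defaultdict

# Constructed sample emails (hypothetical, not the paper's dataset). label 1 = phishing.
SAMPLE_EMAILS = [
    {"sender": "it-support@corp.example", "subject": "Password policy update",
     "body": "Our password policy now requires 14 characters. Details: https://intranet.corp.example/policy", "label": 0},
    {"sender": "newsletter@vendor.example", "subject": "Monthly product newsletter",
     "body": "Read this month's updates at https://www.vendor.example/news", "label": 0},
    {"sender": "hr@corp.example", "subject": "Team lunch on Friday",
     "body": "Please reply with your dietary preferences by Thursday.", "label": 0},
    {"sender": "security@corp-example.com", "subject": "URGENT: account suspended",
     "body": "Verify your password immediately at http://corp-example-login.com/verify", "label": 1},
    {"sender": "admin@corp.example", "subject": "Invoice overdue",
     "body": "Pay within 24 hours or service will be suspended: http://192.0.2.10/pay", "label": 1},
    {"sender": "support@mail-delivery.example", "subject": "Mailbox full",
     "body": "Login to restore your mailbox: https://mailbox-restore.example/login", "label": 1},
]

# Assumed feature definitions; a real simulator would use a richer, data-driven set.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
CREDENTIAL_WORDS = ("password", "login", "verify your")
FEATURE_NAMES = ("urgency wording", "link to a domain other than the sender's",
                 "link that is a bare IP address", "request for credentials")


def extract_features(email):
    """Map an email to a small binary feature tuple; this tuple is the RL state."""
    text = (email["subject"] + " " + email["body"]).lower()
    sender_domain = email["sender"].split("@")[-1].lower()
    hosts = [h.lower() for h in re.findall(r"https?://([^/\s]+)", email["body"])]

    def foreign(host):  # true when the link host is not the sender's domain or a subdomain of it
        return not (host == sender_domain or host.endswith("." + sender_domain))

    return (
        int(any(w in text for w in URGENCY_WORDS)),
        int(any(foreign(h) for h in hosts)),
        int(any(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", h) for h in hosts)),
        int(any(w in text for w in CREDENTIAL_WORDS)),
    )


class PhishingAgent:
    """Tabular Q-learning agent. Actions: 0 = legitimate, 1 = phishing."""

    def __init__(self, alpha=0.1, epsilon=0.2, seed=0):
        self.q = defaultdict(lambda: [0.0, 0.0])  # state -> [Q(legit), Q(phish)]
        self.alpha, self.epsilon = alpha, epsilon
        self.rng = random.Random(seed)

    def act(self, state, explore=True):
        if explore and self.rng.random() < self.epsilon:  # epsilon-greedy exploration
            return self.rng.randrange(2)
        qs = self.q[state]
        return int(qs[1] > qs[0])

    def learn(self, state, action, reward):
        # Each email is a one-step episode, so the update has no future-value term.
        self.q[state][action] += self.alpha * (reward - self.q[state][action])


def train(agent, emails, episodes=200):
    """Reward +1 for a correct verdict and -1 for a wrong one, over shuffled passes."""
    for _ in range(episodes):
        order = emails[:]
        agent.rng.shuffle(order)
        for email in order:
            state = extract_features(email)
            action = agent.act(state)
            agent.learn(state, action, 1.0 if action == email["label"] else -1.0)
    return agent


def accuracy(agent, emails):
    """Greedy classification accuracy, the evaluation measure the abstract names."""
    hits = sum(agent.act(extract_features(e), explore=False) == e["label"] for e in emails)
    return hits / len(emails)


BADGES = {3: "Phish Spotter", 6: "Inbox Guardian"}  # assumed streak thresholds


def new_player():
    return {"points": 0, "streak": 0, "badges": []}


def present_challenge(agent, email, user_says_phishing, player):
    """Compare the user's answer with the agent's verdict and return immediate feedback."""
    state = extract_features(email)
    verdict = agent.act(state, explore=False)
    correct = int(user_says_phishing) == verdict
    player["points"] += 10 if correct else 0
    player["streak"] = player["streak"] + 1 if correct else 0
    badge = BADGES.get(player["streak"])
    if badge:
        player["badges"].append(badge)
    reasons = [name for flag, name in zip(state, FEATURE_NAMES) if flag]
    return {"correct": correct, "agent_verdict": "phishing" if verdict else "legitimate",
            "reasons": reasons, "badge": badge, "points": player["points"]}


if __name__ == "__main__":
    agent = train(PhishingAgent(), SAMPLE_EMAILS)
    print("training-set accuracy:", accuracy(agent, SAMPLE_EMAILS))
    player = new_player()
    for email in SAMPLE_EMAILS[3:]:
        print(present_challenge(agent, email, True, player))
```

The feedback explains which features drove the verdict, which is the part of the loop that static phishing tests lack. Because the user is scored against the agent's verdict rather than a fixed key, the agent's accuracy on labelled mail should be checked (as `accuracy` does) before it is allowed to grade people; a misclassifying agent would teach the wrong lesson.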