Enhancing cybersecurity awareness: The Role of AI in a New Phishing Study

Information Technology
Want more from your cybersecurity awareness training? AI is being used to modernize training in this study, but we need your help.

Traditional cybersecurity awareness training can sometimes become a routine: watching videos, taking quizzes (sometimes repeatedly), and revisiting the cycle every few years. But what if training was tailored to your specific skills in spotting and reporting suspicious emails? And what if it was in a format that made you want to come back and learn more?

Enter Phishducation, an upcoming phishing awareness and cybersecurity training study. The study comes after successful alpha testing of Phooled!, a gamified training tool developed by two uOttawa researchers—computer science master’s student Vignesh Kumar Karuppasamy and School of Engineering Design and Teaching Innovation Professor David Knox. Future iterations of the Phooled! tool on the Phishducation research platform will use AI to analyze and improve training by customizing individual and multiplayer learning environments. By merging cybersecurity awareness training and AI, Phishducation aims to create a more inviting experience that transcends traditional online learning methods.

AI Offers New Insights

Most cybersecurity awareness training is built for the average or beginner user and can remain static over time. Through Phishducation, Vignesh and Professor Knox hope to make the training effective, fun and more responsive to individual users or groups. “To engage people in becoming lifelong learners, training needs to: save time, be effective, and be enticing for users and also keep up with changes in the attacker’s strategies and methods,” Professor Knox elaborates.

This is where AI will be used to enhance the user experience. As Vignesh explains, “The challenge here is creating the recommendation system. We know which emails are tricky, but the next stage is connecting different emails to different learners. We are trying to look at things in another way.”

To be able to accommodate all types of learners and different scenarios, the team will look at large amounts of data. Numerous factors will be considered—type of learner, learning modes, and whether they respond based on instinct or rational thought, to name a few. AI will be fundamental in processing and analyzing layers of data.

“This is why we are going to be attempting to adapt AI and Machine Learning methods to classify both the difficulty of email samples and the expertise or aptitude of learners, with an eye to customizing the learning. The initial training sets are not large, and the attacker actively adapts their attacks to thwart machine-based pattern detection algorithms. We want to use AI and Machine Learning methods to make the teaching of people, not machines, more effective,” explains Professor Knox. 

Machine Learning is an AI method, often based on data and algorithms, that imitates human learning through the identification of patterns. It can identify complex patterns to provide insights and predictions. However, it needs (a large set of) “ground truth” training samples, which probably need to be labeled manually. If an attacker is changing their tactics to avoid detection by such algorithms, potential victims (and the Phishducation teaching platform itself!) also need to adapt in real time. To customize cybersecurity awareness training for different learners, the researchers will need to gather and analyze data from many different types of users at different stages in their learning processes.

Contribute to a New Era of Learning

The Phishducation study will be launched to the uOttawa community later this summer. It relies on users like you to provide insights into how phishing emails are identified and classified. By participating, you can help make your future cybersecurity awareness training both more fun and more interactive. Sign up for Phishducation updates.

Phishducation is a study conducted through the Faculty of Engineering. Information Technology provides support in the form of example emails, testing and feedback, and promotions for the upcoming Phishducation campaign.