Making Cybersecurity Training Fun: Make a Phish

Project Overview

Make a Phish is an application that aims to make cybersecurity training fun by helping users recognize phishing emails by creating one.

Final Design
Project Type: Cybersecurity Design Challenge
Timeline: October 2021 - February 2022
Team: Product Manager (1), Product Designer (3)
Outcome: First Prize
My Role: Context Study, User Research, Conducting Interviews, Concept Development, UX Concept, Visual Development, Co-designed UI

The Design Process

Discovery 🔎

Context Study, Interviews, Competitive Analysis

Ideation 💭

Concept Relay
Design Principles
User Flows

UX Design 🏗️

UX Flow (IA)
Storyboarding
Wireframing

UI Design 🖼️

Typography
Color Palette
Color Explanation

MetroStar+ Dimension Mill: The Design Challenge
Value through Design Solution

Make a Phish is a platform where employees construct their own phishing emails for a company-wide competition to see who can write the most convincing phishing email to trick their colleagues.

Creating Awareness 👀

Cultivating Culture 🙇

Learning through Engagement. 😇

Make a Phish Prototype
1. Home Page and Aquarium

The home page has an aquarium in which each employee appears as a fish avatar. A fish avatar gets a crown if its owner successfully tricks a colleague, and a shield if the employee correctly reports a phishing email.

2. Phishing email simulator

We provide several tools to help employees create convincing phishing emails. Through this process, the employee learns the tricks hackers use, which cultivates phishing awareness.

3. Learning to recognize phishing emails

Tips, updated according to current trends, help users recognize phishing emails. When users report one, they are rewarded with a shield.

Reporting phishing emails

A button lets employees report phishing emails, making them more vigilant when going through email content.

The Design Process: The story behind the Product.

1. Discovery: User experience of existing phishing training in companies

Context Study

1.1 Secondary Research: Why is cybersecurity training so important?

Phishing attacks are responsible for more than 80% of reported security incidents.
90% of data breaches occur due to phishing, according to the 2021 Cybersecurity Threat Trends report.
A breach caused by phishing costs organizations an average of $4.65 million.

1.2 Primary Research: Experience of employees with existing products

To understand the issues in the employees' user experience, we interviewed 7 employees (2 cybersecurity specialists and 5 employees) of a small-to-medium company. The interviews focused on two main themes:

1. How is the experience of the existing phishing training in companies?
2. How do cyber experts conduct phishing awareness training in companies?

Identified painpoints in existing phishing training user experience.

😕
"It's just a compliance and quarterly annoyance. None of us usually pay attention. We just play it in the background and mark it complete."
😔
"It is very difficult to make the employees complete it. We have to send out multiple mails to complete it giving them deadlines."
😒
"I have never been phished and we already have so many spam filters and company-implemented software that keep our mailbox safe from such mails."

Competitive Analysis: Existing cybersecurity training and their features

Painpoints in existing applications

We identified several issues with current cybersecurity programs meant to increase awareness among employees:
😕
Employee participation remains low.
Employees forget what they have learnt and lose interest.
😔
Cybersecurity training is an administrative burden.
Cybersecurity training focuses on compliance and not results.

Context Study Results : Painpoints to Key Opportunity Areas

01
Engaging

Real-life simulation of dangers is more engaging than watching videos.

02
Fun

Employees write phishing emails to trick their colleagues and compete to phish as many people as possible.

03
Informative

Frequently updated phishing email patterns keep employees up to date with the latest trends that hackers use to phish.

How it connects to my design philosophy

Educating employees makes them more aware of the dangers of phishing emails. Real-life simulation of phishing emails helps users realize the impact and importance of cybersecurity awareness, while ranking employees makes it fun and gives them power.

2. Ideation

Brainstorming: Concept Relay

We used a concept relay to brainstorm and ideate. Instead of the cybersecurity support team creating simulated emails, we proposed that employees create simulated emails and send them to colleagues.
We wanted a solution that is fun, engaging and informative.

We came up with around 16 ideas and chose 4 of them based on whether they were more novel than the existing solutions and whether they added value.

Fun - Using the metaphor of fish, the most common workplace pet.

1. Using fish as a visual works two ways for us. It is a pun on the word "Phish". Aquariums are also common in workplaces, giving the place a touch of nature and producing a more positive mood among workers, according to World Health Design. Having the fish metaphor in our email phishing product adds a flair of goofy fun.

Engaging - Rank list and visual upgrades to the fish avatar.

1. Rank List

2. Fish Avatar Upgrades

Informative

1. Tips about the latest trends in phishing emails.
2. Getting into the mind of a hacker.

Storyboarding: Envisioned product experience

Employees make a phishing email, learning in the process what pitfalls to avoid, and send it to colleagues, cultivating awareness by both observing phishing emails and creating them.

3. Concept Testing & Iterations

The aim of our concept was to create motivation for learning and cultivating phishing awareness.
We interviewed four employees (1 cybersecurity specialist and 3 employees). Every participant liked our concepts and showed excitement about the phishing game. The spirit of competition and winning by sending phishing emails to colleagues can be a motivation to learn and cultivate phishing awareness.

😄
"I like the idea. Employees can learn something and have fun. I would be happy to send a letter to harass colleagues."
-Employee
😁
"I like the knowledge sharing (ranking list) because people get to learn how some phishing emails work."
-Cybersecurity Expert
😆
"I will keep watching aquarium because it's interesting"
-Employee

Concerns in our Design

01
Too many spam mails

The inbox might be filled with too many phishing emails sent by all the employees.

02
Scalability

How does this product work for companies of varied size?

03
Too much effort and time into crafting mails

Since employees need to learn and create convincing phishing emails, it might be a waste of a lot of resources.

Iteration 1

To deal with scalability, we brainstormed how to make the system work independently of employees. We took inspiration from 'Secret Santa': every employee sends out one email to a colleague.

Simplified Rules

Here the employee gets to play two roles:

You as the hacker:
Creating convincing phishing emails.

You as an informed employee:
Identifying and reporting phishing emails sent to you.

4. Wireframe

Lo-Fi Wireframe

5. Final UI Design

6. Future Scope & Design Takeaways

Future Scope

Reflection
