Playing it safe: Reshaping cyber security education

As part of a growing movement challenging the idea cyber security is a field for technical experts, Professor Oli Buckley is educating people through games, storytelling, role-play and creative experiences.

Arguing that cyber security is fundamentally a people problem, Buckley says the most effective way to educate people is through things people actually enjoy.

Buckley was in Australia to collaborate with psychologists at the University of Tasmania - comparing UK and Australian attitudes and understandings of AI.

Visiting the capital on the way to present an exclusive talk at UNSW Canberra, Buckley’s own journey illustrates the shift. 

Having started out as a software developer, he found the technical work stifling and repetitive.

“It’s basically doing the same thing over and over again, using the same design patterns and the same languages, just for different applications,” he says.

“I'm less interested in technology now, and more interested in people and how they interact with tech.”

That instinct has driven him to do things he “finds fun”: Escape rooms place participants in scenarios built around real cyber hygiene issues. One version centres on authentication and passwords, asking players to root through a waste paper bin of crumpled Post-it notes, decode a colour sequence and infer a missing credential.

It is, in essence, a lesson in how easily passwords can be compromised.

“We’re trying to sneak the learning into the fun so that you come out of it thinking, actually, maybe I shouldn't write my passwords down.”

The approach has been tested successfully with primary school children, secondary school students and adults, including at the British Science Festival, where it generated the same level of enthusiasm and the same lessons learned across all age groups.

Board and card games have also proven to be powerful learning vehicles. One game asks players to chain together attack techniques such as rootkits and social engineering in pursuit of a goal. 

The game is designed to be deliberately technology-agnostic, set in a distant sci-fi future rather than tied to a specific current vulnerability.

“It’s the techniques, not the tech,” he says. “In 10 years, it’s going to be relevant – something that can’t be said of a game built around a particular JavaScript exploit.”

The same philosophy informs a broader framework Buckley is developing – one designed to let educators plug and play different cyber security themes into a murder mystery or escape room format. If ransomware suddenly surges as a threat, the framework provides a ready-made structure for creating a scenario that teaches people about the dangers involved. 

The aim is reproducibility: a toolkit for experiential learning that schools and organisations can deploy without needing specialist knowledge to build it from scratch.

Underlying all Buckley’s research is a conviction that broad engagement matters more than deep technical training.

"Raising the broad population five per cent is better than raising the technical population by another two or three per cent to get them to the top," Buckley says.

His research lowers the tech barrier, strips away the stigma and makes the learning stick. When cyber threats are as much about human behaviour as technology, that may be the kind of education the world needs most.