Afternoon Cyber Tea with Ann Johnson 1.24.23
Ep 67 | 1.24.23

Storytelling and Cybersecurity Awareness


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson, and on today's episode of "Afternoon Cyber Tea," we are going to cover a really fascinating topic at the intersection of cyber awareness and storytelling. I am joined by Tim Murck, who is an actor, producer and co-founder of Flavour, an applied gaming and storytelling company, and HackShield, a gamified cybersecurity learning experience for children. Tim is a creative, passionate about storytelling, gamification and helping people turn themselves into problem-solvers. Welcome to "Afternoon Cyber Tea," Tim. I'm thrilled to have you on today.

Tim Murck: Thank you very much, Ann - nice to be here on the podcast. 

Ann Johnson: So you have this fascinating background as an actor and a producer and now, what I would say, as a cybersecurity awareness advocate and working with children also. I was really excited to do this podcast 'cause it's going to be a little bit different than what we normally do. So to get us started, can you tell us just a bit about your journey and what led you to co-founding Flavour and HackShield? 

Tim Murck: Yeah, of course - yeah, with pleasure. Yeah, for me, it's a very organic route. I started as an actor. I think I finished my school in 2006. I really like to tell stories and also use that stories to make people think, reflect and maybe, hopefully, sometimes change something in society. And at some point, I was very - yeah, I started to get very fascinated about new technologies and also about the potential interactive part of it. So I often give this example that I was trained by actors who were big stars in the Dutch theaters, and television was not there yet. So it's such a long time ago. And when I left my school, the first iPhone was on the market - so 2006, 7 in the Netherlands. So I was really fascinated. Like, the whole storytelling aspect didn't change, but the media, the channel you could use, was completely different. 

Tim Murck: So there were, like, kids in the theater, while I was playing there, watching their phones. And some colleagues were frustrated because they thought, hey; you have to learn how to watch culture and theater. And I thought, hey; why don't I integrate that phone in my storytelling? So at some point I did a suggestion to my director. I said, what if I could app with my audience during the show? And the director did not think that was a very good idea, but that was the start for me to think, hey; I want to start experimenting more with new, innovative ways of storytelling. 

Tim Murck: Yeah. And first, I was mainly focused on interactive storytelling, like interactive websites, documentaries, things like that. And slowly, my attention shifted to gamification because it's amazing. You can really put your audience in the role of the main character, so you can have them live through a story. And it has a lot of benefits because it's very immersive. They learn a lot. So this is what I've been working on for the last, I guess, 10 years. Yeah, I'm trying to use storytelling and gamification to - yeah, what you just said - create problem-solvers. 

Ann Johnson: You know, I find Flavour fascinating, right? And I frequently talk about how we need people to change the language of cybersecurity and change the methods of education if we actually want the average consumer or those who are younger - people who aren't cyber pros - right? - if we want them to understand it, we actually need to change the industry fundamentally. And part of that is how we tell the story about cyber. So what's your perspective on storytelling as it relates to helping people specifically understand complex topics and then specific to cybersecurity? 

Tim Murck: Good question. There are a lot of things that I can answer on this question. So at first, there is something very interesting in how we learn. So when I started HackShield, me and my colleagues - we were advised by a lot of, let's say, people with real knowledge about how people learn. And they gave us a lot of advice. And I remember two big things, and one was how you create a security mindset. And if you want to create a security mindset, they told us you have to learn people's adversarial thinking. So the simple explanation for me was learn to think as the bad guy. If you know what potential threats are, you could try to avoid them, of course. So the second thing was representation of fluency. And it was also very inspiring for us because they said to us, hey; if you really want to change behavior and want to learn something, you have to, like, rewire their brains, meaning that you have to use all different part of the brains to give them the tools to see things differently. And there was an example they used - Pythagoras? I don't know how you pronounce it in English. You know, the triangle professor? Pythagoras, we say. So the thing was if you want to learn a person what a triangle is, you want to not only give them the algebra version, but you also want to give examples, like a pyramid is a triangle, and you also want to have that person come up with own experiences, like triangles that the person know from his own environment and own experience. And if you learn how to connect those three areas in the brain, then you give the tool to easily and very fast make the connection. So for instance, when we learn kids about phishing, then we always also use a character - we call it the Phishing Lynx because it really visualizes the whole aspect of it - and we give concrete examples of phishing. And we ask kids to come up with examples of their own. So it's really like trying to activate all different parts of the brain. 

Tim Murck: So this was maybe the boring part of the fascination, and the other side is that we want to make people the heroes that solve the problem. And we don't want to see them as the potential victims or perpetrators. But our kids are the heroes that are really changing this situation. So we try to give them a sense of urgent and self-esteem and responsibility in society. So I hope this gives an answer on your question. 

Ann Johnson: It does. And if you think about kids - and even though I'm not familiar with that concept, by the way - but if you think about kids and how they learn, it's fundamentally different than how adults learn, right? And we have to make things more creative for them and fun - right? - or they're going to check out. We can force adults, to a certain extent, to sit through, you know, somewhat boring training courses. Kids will just check out. They'll mentally check out. They'll do something else. And they're digital natives, now - right? - so they're used to everything being gamified. They've had devices in their hands since they could walk and talk. So it's fascinating to me that you're taking these concepts and actually making them tangible for children. 

Tim Murck: Yeah, and it's - I think it's - you know, people are really amazing. They can learn to prevent danger by listening to experiences of other people that experienced danger. That's really amazing, so if somebody tells us a story about what they went through, then our brain is really, like, translating it to an own experience. Everything to make sure that we prevent it from happening to ourselves or in our lives. But nothing works better than putting somebody really in that situation and let them experience it themself. And I think the cool thing about storytelling, and especially gamification, is that you can let a kid experiment with how it is to be a victim and how it is to be a perpetrator without having to deal with real-life consequences. So it's, like, the most impactful way of learning. It's the most immersive way of learning. And, to be honest, I don't think that's just for kids, but it's just the best way to learn. 

Ann Johnson: Yeah. And thank you for making that investment. You know, one of the concepts you talk about at Flavour is the hero center. 

Tim Murck: Yeah. 

Ann Johnson: So I believe cybersecurity is a team sport. We all talk about that, and everyone has a role to play and can be a hero in some way. Can you talk about this concept and how it plays a role in what you built at Flavour? 

Tim Murck: Yeah, so I think how we do that at - HackShield is maybe the best example. So we train kids to become junior cyber agents. So we use a game for them to train, and they have a lot of fictional characters that help them with all the different subjects. But then we really stimulate them to transfer the knowledge towards their parents and grandparents, or to their parents and grandparents and friends and classmates and et cetera. So it's not only the best way to remember something yourself if you are, like, stimulated to explain that what you learned to somebody else, but it's also a very nice way to motivate the culture and to reach vulnerable target groups like their grandparents who we normally just don't reach about these subjects. So I think the cool thing about creating heroes is that you really make someone an ambassador about something instead of, yeah, trying to create only fear because that's what happens a lot, of course, in society. Look out, all our data is gone. Look out, cybercriminals are rising. Everything is going to beep (laughter). And this is really in, like, a positive alternative. We say, hey, the internet is great. Of course there are threats, but you can be the hero that solves that. Yeah. That's our - how we look at, like, hero-centered design, how we call it. 

Ann Johnson: And do you create - in this experience, is there competition amongst the kids? Do they get positive recognition in the term of some type of badge or something that they're trying to achieve? 

Tim Murck: Yeah, a lot, yeah - a lot of different ways because you have different player types, different people, different ways to evaluate somebody. But you can really compare it to Scouts. So it's like digital Scouts. So every lesson they learn, they receive a shield. That's how we call it, but it's really a badge. And every shield has its own learning goals or competence things (laughter). It's - every shield has its... 

Ann Johnson: Competency. 

Tim Murck: Yeah, exactly. So, yeah, they get a lot of badges. And the kids that like to collect things - for them, it's very stimulating. But some kids need some level of competition, so there's also competitiveness. They can rise through the ranks, and when they are high in their list of honor, we call it, which is always connected to their municipality, their region that they live in, then we make sure that the parents of the players that are high in the list of honor gets into contact with the local, like, police and the mayor. And then they get honors, like, in city hall, or the police goes to their class and celebrates them for being such a great and important junior cyber agent. So the whole rewarding part is not only in-game but also on a community level - yeah - where the Dutch authorities really play an important role. 

Ann Johnson: That's so cool. That is - I can imagine that it's really fun for the kids. And can we talk about HackShield specifically? So I know you've been talking about it a bit, but when you think about it, why did you focus on the cyber game for kids? And do you have collaboration with educational institutions and with government and those type of things, or is this something that you're really doing all on your own? 

Tim Murck: No, we - no, no, no, no. We work with a lot of knowledge partners because - yeah, we think we know how to make a game, and we think how to activate a community. But we work with a lot of public and private partners. Every time that we have a new theme or subject, we are not the cyber experts. We work with cyber experts. We only help translating it. In the Netherlands - and I don't think how the rest of the world is - if they are really up to date with digital literacy in the curriculum. But in the Netherlands, it's still not fixed. It's still not - the curriculum is still not up to date. So everything from learning what phishing is to how to make a password but also what data is and what the internet is, cyberbullying, sexting, etc. - all those cyber themes are not embedded or integrated in the curriculum at primary schools. 

Tim Murck: So one of our biggest motivations is to constantly create new content about actual themes, important themes that the school system isn't providing in. And thereby, we try to, like, close the knowledge gap. So our material is - kids can play it on an individual level. Everything for free, by the way - it's free of marketing also, so you can just play it online or download the app as a kid. The teachers can also use our lessons. We already developed eight of them, and we are constantly adding new ones. And then our fictional characters give a guest lesson about an important theme, and that's played - it's used a lot. So a lot of the primary schools and teachers use our material to educate their and our kids. Yeah. 

Ann Johnson: That's absolutely fascinating. I don't think that there's broad curriculum in any part of the globe for children on... 

Tim Murck: I'm afraid you're... 

Ann Johnson: ...Cybersecurity. 

Tim Murck: ...Right. Yeah. 

Ann Johnson: Yeah. Can you talk about some of the experience that the kids are learning as they play and some of the skills that they're going to come away with? 

Tim Murck: Yeah, of course. So, yeah, a lot is about - our whole game world is based on chess. So it's really trying to outsmart the other, and the other is always a character embodying a different theme. So we have the Phishing Lynx. We have the DarkHacker. We have Kimi Klepto, who's addicted to data thievery. We have the - Richie the Money Wolf, who's very - I like him. He's a lot of fun. He also has his own shop in our game world where he tries to sell them skins just like they do in Fortnite, etc., but then it's with fictional money. And then later on in the game, they have to resell their stuff, and he pays them less. 

Tim Murck: So the whole game is based on trying to let kids make all the mistakes that you want to prevent them from making in real life. So this is something that they experience in the game itself, but they also have to answer a lot of knowledge questions. They have to solve puzzles. They learn that everything you see online is potentially something somebody else can manipulate. So it's all data. It's all an illusion. It's all brought there with reason by someone with a goal. And that's the base, and then we have very theme-based lessons from disinformation, misinformation to sexting to cyberbullying to learning the consequences of being a hacker yourself. And we work closely together with a lot of different knowledge partners per theme - so if it's the Dutch police or it's an organization that works with victim from a sex thing or cyberbullying. Yeah. Every theme has its own, like, bunch of partners. 

Ann Johnson: That's really amazing. And I would imagine that people in business - right? - are continually getting phished. They don't understand cybersecurity, or training methods aren't effective. Thinking about your experience in educating children, what's your advice for business leaders and cyber advocates and others on how we can use storytelling to more effectively educate folks? 

Tim Murck: Well, what I always find very difficult to understand is when I speak with scientists, researchers, cyber experts, they often tell me that the only real way that's proven effective is if you scare someone. So imagine, you know the programs and - where the employees get a mail, a phishing mail, and they have to, like, click on it and then they get a mail back from the security program. Hey, you just clicked on a phishing mail. Boo hoo (laughter). Learn from it. 

Ann Johnson: Yeah. Yeah. 

Tim Murck: Never do it again. So on a short notice, of course, this is impactful. It's just like when my kids are stealing cookies from my kitchen, and when I get very mad, they probably won't steal a cookie next day. But my idea is that in the long run, you are creating a distance from people being open for new knowledge or people being open to experiment in the online world and to learn the things they don't already learn from somebody else. So often I think that our way of teaching others using fear and only repeating what all the difficult and dangerous consequences potentially are in the online world - I think, in the long run, you're creating people that are feeling distant and just, like - I don't know - just stop learning at all and, at the same time, clicking on every link using every device. So the thing I learned most till now, the last years, from working with kids is that if you motivate them and you make them proud of what they already learned and you make them curious towards what kind of new tricks the hackers found out now and - you give them a responsibility to share that knowledge with their colleagues, and I think that's so much more effective than scaring the hell out of them. 

Ann Johnson: Yeah. I do too. By the way, we try not to sell fear with cybersecurity... 

Tim Murck: Yeah. 

Ann Johnson: ...Because what happens is you turn people off, right? 

Tim Murck: Yeah. That's it. 

Ann Johnson: Over time, people just check out. 

Tim Murck: Yeah. 

Ann Johnson: They aren't interested. And you try to use the carrot versus the stick. I don't know if that translates well as an expression, but... 

Tim Murck: Yeah, yeah. It translates very well. I understand what you mean. Yeah. 

Ann Johnson: Like, what we try to do is if someone fails that phishing test, we don't turn them off, and we don't penalize them. We say - we send them training courses and said, hey, here's a few things that you could check out and you could learn, right? 

Tim Murck: Yeah. 

Ann Johnson: We try to incent them to modify their behavior. And one last thing I'll comment on is we talk a lot about the culture of cybersecurity. If your entirety of your organization has a culture of cybersecurity, it's easier to bring people along. 

Tim Murck: Yeah. And I think that an organization is just a metaphor for society. So I think this is just how it works in society. We have to create a cybersecurity mindset in our whole society. And I'm totally with you. Fear is not the best ingredient in creating that culture. 

Ann Johnson: Well, thank you so much for sharing and coming on and making the time. We always send our listeners off with one or two key takeaways and some inspiration and optimism for the future. So what is it about cyber that you are most optimistic about right now? 

Tim Murck: I think that the digital future is amazing. It's full of opportunities. They're endless. The only thing we really have to make sure is that everybody has an equal chance to safely benefit from all those opportunities. I think in the end, it's all about if everybody has equal opportunity. And maybe if people are better educated and they have more equal opportunities, then the whole criminal part is also less interesting for people. 

Ann Johnson: I agree. And I think the work that you are doing is just really, really incredibly impactful because you're getting folks early. You're training them on cybersecurity early so this next generation, as they come into the workforce - they'll have a baseline of knowledge, right? So thank you for everything that you were doing and thank you again for taking the time to join me today. 

Tim Murck: Thanks, Ann. Thank you very much. 

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: I invited Tim Murck to join me because he has this fascinating work that he does in educating children through a gamified experience, and broader society, by the way, on cybersecurity, and it's something that makes cyber really consumable for your non-cyber professionals. And it was a great conversation, and I know the audience will just really enjoy it.