Liam Sheehan ← Portfolio
← Back to Portfolio
Case Study

CyberWise: Building a Gamified Cybersecurity Training from Scratch

A custom React application that teaches cybersecurity fundamentals through five days of branching scenarios at a fictional company. Built to demonstrate that effective security training can feel like a game without sacrificing instructional rigor.

Timeline

~2 Weeks

Type

Custom Build

Stack

React + TypeScript

Scenarios

5 Days, 20+ Steps

AI-Assisted

Claude for Dev

Achievements

10 Unlockable

The Problem I Was Solving

Cybersecurity awareness training is one of the hardest briefs in L&D. The subject matter is technical, the compliance requirements are rigid, and the timelines rarely leave room for the kind of interactivity that actually changes behavior. The people building this training are doing skilled work under real constraints, and the results reflect those constraints more than any lack of talent.

But I kept thinking about what becomes possible when you remove those constraints. What if you could start from a blank canvas, with no LMS packaging requirements or seat-time mandates, and build a cybersecurity training that felt like something people would choose to engage with? I have a longstanding belief that the mechanics games use to teach players complex systems (progression, consequence, feedback loops) are exactly what workplace training needs more of. CyberWise was my chance to put that belief into practice.

The idea was straightforward: place learners inside realistic threat scenarios, let their decisions carry visible consequences, and build the kind of pattern recognition that actually transfers to the real world. But behind that idea was a broader argument I wanted to make: that game design isn't a novelty layer you add on top of training. It's a design discipline with decades of research on motivation, difficulty curves, and knowledge transfer, and it belongs at the center of how we think about learning experiences.

I set out to build something that demonstrated this on every level.

Instructional Design Approach

Bloom's Taxonomy Progression

Each day of the training maps to a progressively higher cognitive level, creating a deliberate difficulty curve that mirrors how real security knowledge develops: you learn to recognize threats before you're asked to respond to them.

Monday

Knowledge

Identify phishing

Tuesday

Comprehension

Explain social engineering

Wednesday

Application

Apply physical security

Thursday

Analysis

Analyze data handling

Friday

Evaluation

Evaluate incident response

Core Design Decisions

Three-part feedback on every choice.

Every decision triggers a quality rating with score impact, an instructional explanation of the principle at play, and a real-world context section connecting to actual breaches and statistics. The learner always knows what they got right, why it matters, and where it's happened in the real world.

Branching consequences, not just feedback.

Poor or dangerous choices don't just dock points. They route the learner into consequence branches that show the fallout of their decision, then return them to the main path. Forward a phishing email to a coworker? You'll deal with the aftermath before moving on.

Dual-metric scoring: Security Score + Trust Level.

Security Score tracks technical correctness. Trust Level tracks professional judgment and how your manager perceives you. Both start mid-range (75 and 50 respectively), and poor trust can lock you out of optimal choices later in the week. This mirrors how real workplace credibility works: bad decisions compound.

Trust-gated choices.

Some optimal responses on Thursday and Friday require a minimum trust level to unlock. If the learner has burned too much credibility earlier in the week, those options appear locked. This mechanically reinforces a core lesson: your track record determines your options.

Merrill's First Principles of Instruction.

New knowledge is activated through realistic problems, demonstrated through simulation, applied through decision-making, and integrated through feedback that connects to real-world incidents. The learner isn't told about phishing, they experience catching (or missing) a phishing email.

Game Design & Mechanics

The learner plays as a new Security Analyst at NovaTech Industries, navigating their first week on the job. Each day presents a different category of cybersecurity threat through 4 scenario steps with 4 choices each. The narrative framing creates immersion while the game systems reinforce learning.

Scoring System

  • Optimal: +5 score, +5 trust
  • Acceptable: +2 score, +2 trust
  • Poor: -5 score, -3 trust
  • Dangerous: -10 score, -8 trust

Ending Tiers

  • Champion (80-100): Recognized at all-hands, invited to Security Ambassador program
  • Getting There (50-79): Enrolled in additional security training
  • Compromised (0-49): Placed on performance improvement plan

Trust Penalty Mechanic

If the player's final trust drops below 20, their ending is downgraded one tier. A Champion becomes Getting There. Getting There becomes Compromised. The downgraded ending includes additional narrative about trust erosion, reinforcing that technical competence alone isn't enough.

Achievements (10 Total)

Trigger-Based (5)

  • Eagle Eye - Catch the first phishing email
  • Social Shield - Resist IT impersonation
  • Clean Desk Champion - Secure your workstation
  • Data Guardian - Classify data correctly
  • First Responder - Handle first incident alert

Computed (5)

  • Security Champion - Final score 80+
  • Perfect Day - All optimal in a single day
  • Trust Builder - Reach 80+ trust
  • Quick Learner - Optimal right after a mistake
  • Zero Incidents - No dangerous choices all week

Simulation Design

Each day uses a different simulated interface to deliver its scenarios. This prevents visual fatigue across five days of content and reinforces the idea that threats show up in different channels. The simulations use a dark slate theme to create the feeling of looking at a screen within the screen.

Email Client

Monday

Dark-themed inbox with sender details, subject lines, attachment badges, and "SUSPICIOUS" tags for phishing emails. Used for phishing detection scenarios.

Phone Call

Tuesday

Active call interface with caller info, pulsing indicator, and indented transcript lines. Used for social engineering scenarios where the threat comes through voice.

! Desktop View

Wednesday

Workstation screen with notification cards (info, warning, error, USB) each with distinct colors and icons. Used for physical security scenarios.

# Chat Window

Thursday

Slack-style interface with colored avatars, sender names, timestamps, and message bubbles. Used for data handling scenarios where threats appear in team communication.

Friday uses a mixed simulation renderer that combines all four formats, reflecting how real incident response draws from multiple channels simultaneously.

Technical Architecture

CyberWise is a fully static single-page application with no backend. All game state persists to localStorage via Zustand, and the app deploys as a subfolder of any static site. This was a deliberate choice: the training needs to be hostable anywhere without server dependencies.

The architecture separates concerns cleanly: pure game logic lives in game/, scenario content lives in data/, and React components handle rendering. Adding a new day of content means adding a new scenario file without touching game logic or UI code.

Key Technical Decisions

State persistence.

Zustand with localStorage means learners can close the tab and pick up where they left off. Choice history, scores, achievements, and current progress all survive between sessions. An undo system reverses score changes when learners use the back button.

Scenario engine.

A central hook handles all game logic: processing choices, routing into consequence branches, advancing steps, and shuffling choice order to prevent positional pattern-learning (no more "always pick A").

Simulation rendering.

A polymorphic renderer routes to the correct simulated interface (email, chat, phone, desktop) based on scenario type. Friday's mixed type combines multiple formats in a single step, mirroring how real incident response pulls from multiple channels.

Animation and pacing.

Framer Motion handles page transitions, micro-interactions, achievement toasts, and a red flash overlay on dangerous choices. Narrative text uses a typewriter effect at 18ms per character with click-to-skip, creating pacing without forcing the learner to wait.

Component Architecture

// Layout layer

AppShell (TopBar + ProgressBar + AchievementPopup)

// Page layer (7 routes)

LandingPage, ObjectivesPage, DaySelectPage,

ScenarioPage, DayTransitionPage, ResultsPage, AboutPage

// Simulation renderers

EmailClient, ChatWindow, PhoneCall, DesktopView

// HUD components

SecurityScoreGauge (SVG), TrustLevel (bar), AchievementPopup

// Interaction components

NarrativePanel, ChoiceCard, FeedbackPanel,

ConsequenceScene, TrustWarningModal

Real-World Grounding

Every feedback panel includes a real-world context section connecting the scenario to actual cybersecurity incidents. This grounds the training in reality and gives learners specific examples they can reference. Some of the incidents and frameworks woven into the content:

  • 2022 Uber breach (MFA social engineering)
  • 2023 MGM Resorts social engineering attack
  • 2013 Target breach (ignored alerts)
  • FBI BEC statistics ($2.9B in losses)
  • 2020 SolarWinds supply chain attack
  • 2024 Change Healthcare ransomware
  • 2025 Verizon Data Breach Report
  • NIST SP 800-61 Incident Response framework
  • IBM Cost of a Data Breach report
  • Equifax $700M settlement

Tools & Credits

Tool Use
React + TypeScript Application framework and type safety
Vite Build tooling and dev server
Tailwind CSS Styling and design system
Framer Motion Animations, transitions, and micro-interactions
Zustand State management with localStorage persistence
Claude (Anthropic) Development support, scenario writing, architecture planning
GitHub Pages Hosting and deployment

What I'd Do Differently

Multiplayer or team mode

The current build is single-player. A team mode where groups discuss choices before committing would add a collaborative learning dimension and better mirror how real security decisions often involve multiple people.

Analytics dashboard

With a lightweight backend, the app could track aggregate choice patterns across all learners. This would surface which threats are most commonly misidentified and inform targeted follow-up training.

More complex branching trees

The current branch structure is one level deep: a bad choice triggers a consequence branch, then returns to the main path. Deeper branching where early decisions fundamentally change what scenarios appear later would increase replayability and reinforce that security decisions compound over time.

Try It Yourself

Navigate your first week at NovaTech Industries. Can you spot the phishing emails, resist the social engineering, and make it to Friday with your security score intact?

Play CyberWise