Nearly a decade ago, the Secure Decisions team created branching, graphic comics by hand for a cybersecurity education research project. The resulting web comics were well received but fairly expensive to create: each one took about a man month of time, and required both a graphic artist and a computer programmer to put together.
Why did we spend all that time creating web comics for cybersecurity education? Stories are how we pass all kinds of knowledge on to children. And as I know from personal experience, most cybersecurity practitioners have a number of “war stories” they share with others about the terrible impacts from a cyber incident, or how they were able to avert a potential disaster. Stories are not constrained by the actual passage of time or a geographic location, they can be broad expansive or dive deeply within a very narrow window, whichever better suits the needs of the storyteller. Stories allow us to explore what could be or what might have happened.
Stories are very useful learning tools, yet they say a picture is worth 1,000 words, and so educational comics were born: a story told through a sequence of pictures with minimal text. In a comic, the reader’s attention can be subtly focused on key details that are truly important to comprehending what actually is happening.
Branching comics can be a great way for learners of all ages to explore cyber events, by helping them comprehend the interaction of cause and effect in cyber events and concepts, by making decisions and seeing the outcomes. The effects of a cyber decision are often not visible to the human that made the decision because they occur too fast, and may result in downstream impacts – things that happen somewhere else or to someone else.
In the context of this style of education—branching web comics—Comic-BEE is a key enabler, a central component of the operational concept of use. This is because without the Comic-BEE technology, it is highly unlikely that the concept of storytelling with branching web comics would ever be applied to the domain of cybersecurity—or any domain, for that matter.