Learning-to-Explain through 20Q Gaming: An Explainable Recommender for Cybersecurity Education
New XAI framework uses policy-based RL to teach cyber defense through adaptive questioning.
A team of researchers (Mary Nusrat, Sarfuddin Bhuiyan, Gahangir Hossain) has submitted a new paper to arXiv introducing the Explainable Q20 Cybersecurity Recommender (EQ-20CR), a framework that gamifies cybersecurity education using a 20 Questions approach powered by explainable AI. The system casts the question "Why should I execute this mitigation?" as an interactive game where a policy-based reinforcement learning agent actively queries the learner. The agent's goal is twofold: first, to recommend the optimal security education action, and second, to justify that recommendation with a minimal set of evidential facts presented as a concise dialogue trace.
The framework builds on prior work in reinforcement learning for Q20 gaming and learning-to-explain recommendation systems. EQ-20CR adapts difficulty levels based on user responses, progressively exposing learners to more complex cybersecurity concepts, attack vectors, and defense strategies. The paper presents the architectural design and illustrative case studies, and discusses the transformative potential of this interactive, XAI-driven approach for cybersecurity training and awareness. By making explanations interactive and adaptive, EQ-20CR aims to bridge the gap between traditional static learning methods and the intuitive, hands-on understanding needed to combat sophisticated modern cyber threats.
- EQ-20CR uses a policy-based reinforcement learning agent to conduct a 20 Questions game with learners about cybersecurity mitigations.
- The system produces a concise dialogue trace that explains the reasoning behind its recommended security education actions.
- Adaptive difficulty levels allow the framework to gradually reveal complex attack vectors and defense strategies based on user responses.
Why It Matters
Gamified, explainable AI could transform cybersecurity training by making it interactive, adaptive, and trust-building for professionals.