research-article

Open access

Operation Digital Ant: A Serious Game Approach to Collect Insider Threat Scenarios and Raise Awareness

Authors:

Manfred Hofmeier,

Ulrike LechnerAuthors Info & Claims

EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference

Pages 14 - 19

https://doi.org/10.1145/3487405.3487655

Published: 22 November 2021 Publication History

All formats PDF

Abstract

Insiders pose severe threats to the supply chain, the security of infrastructures, and the safety of products and services. "Operation Digital Ant" is a tabletop game that explores insider threats in the food supply chain. Three to four teams compete against each other in developing malicious insider roles and attacks. The game can produce plausible and consistent insider threat roles and attacks as a basis for further analyses. “Operation Digital Ant” also raises awareness for insider threats. This article describes the serious game “Operation Digital Ant” with game material, the game development process – following the Design Science paradigm – and the validation methods and results. We released the game Operation Digital Ant with game boards, game cards, and guidelines under a Creative Commons license.

References

[1]

NutriSafe - Sicherheit in der Lebensmittelproduktion und -logistik durch die Distributed-Ledger-Technologie, https://nutrisafe.de, last accessed 2021/01/22.

[2]

ENISA: ENISA Threat Landscape 2020 - Insider Threat (2020).

[3]

Cappelli, D., Moore, A., Trzeciak, R.: he CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Pearson Education (2012).

[4]

Keeney, M. : Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. Carnegie Mellon University (2005).

[5]

Bundeskriminalamt: Monitoringbericht Innentäter in Unternehmen 2 – Aktuelle inländische Forschungsbeiträge, wesentliche Ergebnisse und Handlungsempfehlungen (2020).

[6]

Greitzer, F. L., Kangas, L. J., Noonan, C. F., Brown, C. R., Ferryman, T.: Psychosocial Modeling of Insider Threat Risk Based on Behavioral and Word Use Analysis. In: e-Service Journal, 9(1), pp. 106 (2013).

[7]

Shaw, E. D., Ruby, K., Post, J.: The Insider Threat to Information Systems: The Psychology of the Dangerous Insider. In: Security Awareness Bulletin (1998).

[8]

Homoliak, I., Toffalini, F., Guarnizo, J., Elovici, Y., Ochoa, M.: Insight into Insiders and IT: A Survey of Insider Threat Taxonomies, Analysis, Modeling, and Countermeasures. In: ACM Computing Surveys, 52(2) (2019).

[9]

Hevner, A. R., March, S. T., Park, J., Ram, S.: Design Science in Information Systems Research. In: IS Research MIS Quarterly, 28(1), 75–105 (2004).

[10]

Hevner, A. R.: A Three Cycle View of Design Science Research. In: Scandinavian Journal of Information Systems, 19(2), 87–92 (2007).

[11]

Michael, D., Chen, S.: Serious Games – Games That Educate, Train, and Inform. Thomson Course Technology PTR (2006).

[12]

Zhang-Kennedy, L., Chiasson, S.: A Systematic Review of Multimedia Tools for Cybersecurity. In: ACM Computing Surveys, 54(1), pp. 1–39 (2020).

Digital Library

[13]

Harilal, A. : TWOS – A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition. In: Proceedings of the 2017 International Workshop on Managing Insider Security Threats, pp. 45–56 (2017).

Digital Library

[14]

Andre, T. S. : Augmented Cognition Methods for Evaluating Serious Game Based Insider Cyber Threat Detection Training. In: International Conference on Foundations of Augmented Cognition, S. 395–403 (2011).

[15]

Gupta, S. : Guess Who? - A Serious Game for Cybersecurity Professionals. In: Games and Learning Alliance 9th International Conference, S. 421–427 (2020).

Digital Library

[16]

Alhadeff, E.: Converting Cybersecurity Practice Into Engaging Serious Games, Serious Game Market, https://www.seriousgamemarket.com/2012/02/ converting-cybersecurity-practice-into.html, last accessed 2021/08/10 (2012).

[17]

Rieb, A., Lechner, U.: Operation Digital Chameleon – Towards an Open Cybersecurity Method. In: Proceedings of the 12th International Symposium on Open Collaboration (2016).

Digital Library

[18]

Rieb, A.: IT-Security Awareness mit "Operation Digitales Chamäleon". Dissertation, Universität der Bundeswehr München (2017).

[19]

Denning, T. : Control-Alt-Hack: The Design and Evaluation of a Card Game for Computer Security Awareness and Education. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (2013).

Digital Library

[20]

Wilhelmi, T.: Beschreibung und Modellierung der NutriSafe-Szenarien Produktion und Logistik von Bio-Kochschinken und Weichkäse. In: NutriSafe Toolkit, https://nutrisafe.de/toolkit (2020).

[21]

Hofmeier, M.: Beispiele für IT-Infrastrukturen in den Wertschöpfungsketten der NutriSafe-Szenarien. In: NutriSafe Toolkit, https://nutrisafe.de/toolkit (2020).

[22]

Hofmeier, M., Lechner, U.: Schwachstellen und Angriffsketten in der Wertschöpfungskette der Fleischproduktion. In: SICHERHEIT 2020, pp. 67-77. Gesellschaft für Informatik e.V., Bonn.

[23]

Operation Digital Ant GitHub Repository, https://github.com/NutriSafe-DLT/operation-digital-ant, last accessed 2021/01/22.

[24]

NutriSafe Toolkit, https://nutrisafe.de/toolkit, last accessed 2021/01/22.

[25]

Sykes, G. M., Matza, D. Techniques of Neutralization: A Theory of Delinquency. In: American Sociological Review, 22(6), pp. 664–670 (1957).

[26]

Rieb, A., Gurschler, T., Lechner, U.: A Gamified Approach to Explore Techniques of Neutralization of Threat Actors in Cybercrime. In: GDPR & ePrivacy - APF 2017 - Proceedings of the 5th ENISA Annual Privacy Forum, pp. 111-127 (2017).

[27]

Meyer, D.: Sprechen über das Kochen: eine rezeptionsanalytische Studie der Selbst-technologien im Rahmen der Gouvernementalität am Beispiel der Fernsehsendung "Das perfekte Dinner". LIT Verlag, Münster (2010).

[28]

Hofmeier, M., Lechner, U.: Vulnerability in the Food Supply Chain - Approaches and Results from the NutriSafe Project. International Workshop on Security (IWSEC), https://www.iwsec.org/2020/posters.html (2020).

Cited By

Pahlavanpour OGao S(2024)A Systematic Mapping Study on Gamification within Information Security Awareness ProgramsHeliyon10.1016/j.heliyon.2024.e38474(e38474)Online publication date: Sep-2024
https://doi.org/10.1016/j.heliyon.2024.e38474
Hofmeier MHaunschild ILechner U(2023)Malicious Insider Threat Types – An Empirical Analysis36th Bled eConference – Digital Economy and Society: The Balancing Act for Digital Innovation in Times of Instability: June 25 – 28, 2023, Bled, Slovenia, Conference Proceedings10.18690/um.fov.6.2023.8(123-136)Online publication date: 12-Dec-2023
https://doi.org/10.18690/um.fov.6.2023.8
Piki AStavrou EProcopiou ADemosthenous A(2023)Fostering Cybersecurity Awareness and Skills Development Through Digital Game-Based Learning2023 10th International Conference on Behavioural and Social Computing (BESC)10.1109/BESC59560.2023.10386988(1-9)Online publication date: 30-Oct-2023
https://doi.org/10.1109/BESC59560.2023.10386988

Index Terms

Operation Digital Ant: A Serious Game Approach to Collect Insider Threat Scenarios and Raise Awareness
1. Information systems
2. Software and its engineering
  1. Software organization and properties

Index terms have been assigned to the content through auto-classification.

Recommendations

Insider Threats: It's the HUMAN, Stupid!
NCS '19: Proceedings of the Northwest Cybersecurity Symposium

Insider threats refer to threats posed by individuals who intentionally or unintentionally destroy, exfiltrate, or leak sensitive information, or expose their organization to outside attacks. Surveys of organizations in government and industry ...
Secure Team Composition to Thwart Insider Threats and Cyber-Espionage
Special Issue on Pricing and Incentives in Networks and Systems and Regular Papers

We develop a formal nondeterministic game model for secure team composition to counter cyber-espionage and to protect organizational secrets against an attacker who tries to sidestep technical security mechanisms by offering a bribe to a project team ...
Curiosity Killed the Organization: A Psychological Comparison between Malicious and Non-Malicious Insiders and the Insider Threat
RIIT '16: Proceedings of the 5th Annual Conference on Research in Information Technology

Insider threats remain a significant problem within organizations, especially as industries that rely on technology continue to grow. Traditionally, research has been focused on the malicious insider; someone that intentionally seeks to perform a ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference

November 2021

97 pages

ISBN:9781450390491

DOI:10.1145/3487405

Copyright © 2021 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 November 2021

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

EICC '21

EICC '21: European Interdisciplinary Cybersecurity Conference

November 10 - 11, 2021

Virtual Event, Romania

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
392
Total Downloads

Downloads (Last 12 months)128
Downloads (Last 6 weeks)17

Reflects downloads up to 20 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Pahlavanpour OGao S(2024)A Systematic Mapping Study on Gamification within Information Security Awareness ProgramsHeliyon10.1016/j.heliyon.2024.e38474(e38474)Online publication date: Sep-2024
https://doi.org/10.1016/j.heliyon.2024.e38474
Hofmeier MHaunschild ILechner U(2023)Malicious Insider Threat Types – An Empirical Analysis36th Bled eConference – Digital Economy and Society: The Balancing Act for Digital Innovation in Times of Instability: June 25 – 28, 2023, Bled, Slovenia, Conference Proceedings10.18690/um.fov.6.2023.8(123-136)Online publication date: 12-Dec-2023
https://doi.org/10.18690/um.fov.6.2023.8
Piki AStavrou EProcopiou ADemosthenous A(2023)Fostering Cybersecurity Awareness and Skills Development Through Digital Game-Based Learning2023 10th International Conference on Behavioural and Social Computing (BESC)10.1109/BESC59560.2023.10386988(1-9)Online publication date: 30-Oct-2023
https://doi.org/10.1109/BESC59560.2023.10386988

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents