A data-driven security game to facilitate information security education
Pages 256 - 257
Abstract
Many universities have started to educate students on how to develop secure software and systems. One challenge of teaching information security is that the curriculum can easily be outdated, because new attacks and mitigation approaches arise. It is therefore necessary to provide software developers with methods and tools that are attractive (e.g., computer games) for self-study and up-to-date information security knowledge during and after the university education. This paper presents an on-going study to develop an educational game to facilitate information security education. The game is developed as a single player Tower Defense (TD) game. The educational goal of the game is to teach developers, who are not security experts, how to choose proper mitigation strategies and patterns to defend against various security attack scenarios. One key benefit of our game is that it is data driven, meaning, it can continuously fetch data from relevant security-based online sources (e.g., Common Attack Pattern Enumeration Classification CAPEC) to stay up to date with any new information. This is done automatically. We evaluated the game by letting students play it and give comments. Evaluation results show that the game can facilitate students learning of mitigation strategies to defend against attack scenarios.
References
[1]
Nah Fiona Fui-Hoon et al. "Gamification of Education: A Review of Literature," Springer LNCS vol. 8527, pp. 401--409, 2014.
[2]
Adam Shostack, "Elevation of Privilege: Drawing Developers into Threat Modeling". In: USENIX Summit on Gaming, Games, and Gamification in Security Education, pp. 1--15, 2014.
[3]
Laurie Williams, Andrew Meneely, and Grant Shipley, "Protection Poker: The New Software Security "Game"". In: IEEE Security and Privacy, vol. 8, no.3, pp. 14--20. 2010.
[4]
Tamara Denning, Tadayoshi Kohno, and Adam Shostack, "Control-Alt-Hack: the Design and Evaluation of a Card Game for Computer Security Awareness and Education". In Proc. of the ACM SIGSAC conf. on Computer & communications security, pp. 915--928, 2013.
[5]
Gregory B. White, "The Cyber Security Collectable Card Game (Version 1.0)," Tech. rep. The University of Texas at San Antonio. URL: http://cias.utsa.edu/ctd_rules.html, 2016.
[6]
Colin Watson et al. "Cornucopia". In: OWASP Cornucopia Ecommerce Website Edition. URL: https://www.owasp.org/index.php/OWASP_Cornucopia, 2012.
[7]
Sean Barnum, "Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™)". In: MITRE Corporation, July, pp. 1--20. ISSN: 1011-6702, 2014.
[8]
CAPEC repository. https://capec.mitre.org/.
[9]
Unity game engine. https://unity3d.com/unity.
[10]
Aaron Bangor, Philip Kortum, and James Miller, "Determining What Individual SUS Scores Mean: Adding an Adjective Rating Scale". Journal of usability studies, vol. 4, no. 3, pp. 114--123, 2009.
Recommendations
Improving software security awareness using a serious game
Protecting people from cyber threats imposes great challenges, not only technically, but also socially. To achieve the intended level of awareness, software security principles need to be shown with concrete examples during security education. This study ...
Information security curriculum creation: a case study
InfoSecCD '04: Proceedings of the 1st annual conference on Information security curriculum developmentInformation Security is a critical part of the technology infrastructure. A survey of undergraduate degree programs in Computer Science, Information Technology, Management Information Science, and others show a lack of emphasis on security issues in ...
From information security to cyber security
The term cyber security is often used interchangeably with the term information security. This paper argues that, although there is a substantial overlap between cyber security and information security, these two concepts are not totally analogous. ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
May 2019
369 pages
- Conference Chair:
- Gunter Mussbacher,
- General Chair:
- Joanne M. Atlee,
- Program Chair:
- Tevfik Bultan
Sponsors
- SIGSOFT: ACM Special Interest Group on Software Engineering
- IEEE-CS: Computer Society
Publisher
IEEE Press
Publication History
Published: 25 May 2019
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
ICSE '19
Sponsor:
- SIGSOFT
- IEEE-CS
ICSE '19: 41st International Conference on Software Engineering
May 25 - 31, 2019
Quebec, Montreal, Canada
Acceptance Rates
Overall Acceptance Rate 276 of 1,856 submissions, 15%
Upcoming Conference
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 119Total Downloads
- Downloads (Last 12 months)11
- Downloads (Last 6 weeks)2
Reflects downloads up to 22 Nov 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in