Game Based Cyber Security Training: are Serious Games suitable for cyber security training?

Authors

  • Maurice Hendrix Faculty of Engineering Environment and Computing, School of Computing Engineering and Maths, Coventry University, UK http://orcid.org/0000-0002-6621-7996
  • Ali Al-Sherbaz Department of Computing, School of Science and Technology, The University of Northampton
  • Victoria Bloom Department of Computing, School of Computing, Electronics and Maths, Coventry University

DOI:

https://doi.org/10.17083/ijsg.v3i1.107

Keywords:

Games, Serious Games, Cyber Security, Training, Online Safety

Abstract

Security research and training are attracting a lot of investment and interest from governments and the private sector. Most efforts have focused on physical security, while cyber security or digital security has been given less importance. With recent high-profile attacks, it has become clear that training in cyber security is needed. Serious Games have the capability to be effective tools for public engagement and behavioural change, and role-play games are already used by security professionals. Thus cyber security seems especially well-suited to Serious Games.

This paper investigates whether games can be effective cyber security training tools. The study is conducted by means of a structured literature review supplemented with a general web search.

While there are early positive indications, there is not yet enough evidence to draw any definite conclusions. There is a clear gap in target audience, with almost all products and studies targeting the general public and very little attention given to IT professionals and managers. The products and studies also mostly work over a short period, while it is known that short-term interventions are not particularly effective at effecting behavioural change.

Published

2016-03-01

Section

Articles

How to Cite

Game Based Cyber Security Training: are Serious Games suitable for cyber security training?. (2016). International Journal of Serious Games, 3(1). https://doi.org/10.17083/ijsg.v3i1.107
