Abstract
Awareness of cybersecurity topics helps software developers produce secure code. This awareness is especially important in industrial environments, where products and services form part of critical infrastructures. In this work, we address how to raise software developers’ awareness of secure coding. We propose the “CyberSecurity Challenges”, a serious game designed for use in an industrial environment and tailored to software developers’ needs. Our work distills the experience gained in conducting these CyberSecurity Challenges in an industrial setting. The main contributions are the design of the CyberSecurity Challenges events, the analysis of the perceived benefits, and practical advice for practitioners who wish to design or refine such games.
Acknowledgements
The authors would like to thank the participants of the CyberSecurity Challenges for their time and their valuable answers and comments. The authors would also like to thank Kristian Beckers and Thomas Diefenbach for their helpful, insightful, and constructive comments and discussions.
This work is financed by national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and UIDP/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR, for their support.
Copyright information
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Gasiba, T., Lechner, U., Pinto-Albuquerque, M. (2021). CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments. In: Ahlemann, F., Schütte, R., Stieglitz, S. (eds) Innovation Through Information Systems. WI 2021. Lecture Notes in Information Systems and Organisation, vol 47. Springer, Cham. https://doi.org/10.1007/978-3-030-86797-3_25
DOI: https://doi.org/10.1007/978-3-030-86797-3_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86796-6
Online ISBN: 978-3-030-86797-3
eBook Packages: Computer Science, Computer Science (R0)