
CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments

  • Conference paper

Part of the book series: Lecture Notes in Information Systems and Organisation ((LNISO,volume 47))

Abstract

Awareness of cybersecurity topics helps software developers produce secure code. This awareness is especially important in industrial environments, where the products and services are deployed in critical infrastructures. In this work, we address how to raise software developers' awareness of secure coding. We propose the “CyberSecurity Challenges”, a serious game designed to be used in an industrial environment and to address software developers’ needs. Our work distills the experience gained in conducting these CyberSecurity Challenges in an industrial setting. The main contributions are the design of the CyberSecurity Challenges events, the analysis of the perceived benefits, and practical advice for practitioners who wish to design or refine these games.



Acknowledgements

The authors would like to thank the participants of the CyberSecurity Challenges for their time and their valuable answers and comments. The authors would also like to thank Kristian Beckers and Thomas Diefenbach for their helpful, insightful, and constructive comments and discussions.

This work is financed by national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and UIDP/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR, for their support.


Correspondence to Tiago Gasiba.


Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Gasiba, T., Lechner, U., Pinto-Albuquerque, M. (2021). CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments. In: Ahlemann, F., Schütte, R., Stieglitz, S. (eds) Innovation Through Information Systems. WI 2021. Lecture Notes in Information Systems and Organisation, vol 47. Springer, Cham. https://doi.org/10.1007/978-3-030-86797-3_25


  • DOI: https://doi.org/10.1007/978-3-030-86797-3_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86796-6

  • Online ISBN: 978-3-030-86797-3

  • eBook Packages: Computer Science (R0)
