Title: CyberSecurity Challenges: Serious Games for Awareness Training in Industrial Environments
Authors: Gasiba, Tiago Espinha; Lechner, Ulrike; Pinto-Albuquerque, Maria
Date: 2021-02-20

Abstract. Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers' needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.

If not addressed during the early stages of software design and implementation, software development errors and security vulnerabilities can end up in a final product or service. Security vulnerabilities can result in serious negative consequences for society, the customer, and the company that produced the software. Think, e.g., of critical infrastructures such as the grid, transportation, or production lines: a security vulnerability in the code may cause interruptions in service quality for individual customers when critical machinery or information systems fail, or even for society when critical infrastructure fails.
Over the last years, the number of industrial security-related incidents has been increasing, which has resulted in severe incidents with a substantial financial impact, reaching up to 1.6% of GDP in some EU countries [7]. To address these issues, products and services provided by the industry must follow IT security standards. These standards mandate the implementation of a secure software development lifecycle and secure coding guidelines that must be followed to write secure code. Prominent examples of these standards for industrial environments are IEC 62443 [23], ISO 27001 [24], and the Grundschutzkatalog from the Bundesamt für Sicherheit in der Informationstechnik (BSI) [4]. Examples of secure coding guidelines widely used in the industry are the SEI-CERT Java Secure Coding Guidelines and the SEI-CERT C/C++ Secure Coding Guidelines, both from Carnegie Mellon [5]. The Open Web Application Security Project (OWASP, [27]) and the BSI (BSI 5.21, [3]) provide secure coding guidelines which are specific to web application development and widely used in the industry. These standards provide a much-needed basis that establishes the ground rules required to produce secure products and services. The effectiveness of these standards depends on the level of awareness and understanding of the standards by the persons directly affected by them: software developers. However, a recent study by Patel et al. [28] has shown that more than 50% of software developers cannot spot software vulnerabilities in source code. This lack of awareness about secure coding is a problem that needs to be addressed. Among other options, a possible way to address this issue is to provide training to software developers on secure coding.

In this work, we present a new serious game designed to raise awareness and train software developers in secure coding. The serious game, named CyberSecurity Challenges, is an adaptation of the capture-the-flag game genre.
Capture-the-flag was initially developed in the penetration testing community to practice and train offensive IT-security skills. The idea is that by attacking a system, well-trained penetration testers can discover vulnerabilities in products and services that can be fixed before final shipment to the customer. However, since these activities require a fully or partially developed project, they often occur late in the software development stages. We propose using an adapted version of the game, which targets software developers, focuses on the defensive perspective, and has the primary goal of increasing awareness of secure coding guidelines and secure coding best practices. Furthermore, we show how our concept can be used for onsite IT-Security Awareness Workshops and how it can be adapted for online training.

This work is organized as follows: in section 2, the authors briefly discuss previous work related to the cybersecurity challenges. Section 3 introduces the CyberSecurity Challenges and discusses challenges based on open-source components and the Sifu platform. Section 4 discusses the game's evaluation in an industrial context through survey results, participant feedback, and lessons learned. Finally, section 5 summarizes and concludes the paper.

Although several methods exist to deal with software vulnerabilities, e.g., requirements engineering and code reviews, we focus on awareness training for software developers. Several previous studies indicate that software developers lack secure programming awareness and skills [1, 28, 32]. In 2020, Bruce Schneier, a well-known security researcher and evangelist, stated that less than 50% of software developers can spot security vulnerabilities in software [30]. His comment adds to a discussion on secure coding skills: in 2011, Xie et al. [33] interviewed 15 senior professional software developers in the industry with an average of 12 years of experience.
Their study showed a disconnect between software security concepts and the role these concepts play in the developers' jobs. Awareness training on information security is addressed by McIlwraith [25], who provides a systematic methodology and a baseline for implementing awareness training. There is a stream of literature on compliance with security policies, which deals with general employees, not with software developers specifically. This stream of literature explores many reasons why people do not comply with IT-security policies. The unified framework by Moody et al. [26] summarizes the academic discussion on compliance with IT-security policies. Empirical findings conclude that neither deterrence nor punishment, e.g., public blame, works to increase compliance. However, increasing IT-security awareness increases the level of compliance [31]. In their seminal review article, Hänsch et al. [22] define IT-security awareness along three dimensions: Perception, Protection, and Behavior. The concept of IT-security awareness is typically used in IT security management contexts. We adapt these concepts to software developers as follows [16]: perception - knowledge of existing software vulnerabilities; protection - knowing the existing mechanisms, e.g., secure coding guidelines and software development best practices, that avoid software vulnerabilities; and behavior - knowledge of and intention to write secure code. Graziotin et al. [21] show that happy developers are better coders, i.e., produce higher quality code and software. Their work suggests that by keeping developers happy, we can expect the code they write to have better quality and, by implication, to be more secure. Davis et al. [6] show, in their construct, that cybersecurity games have the potential to increase the overall happiness of software developers. Their conclusions support our approach of using a serious game to train software developers in secure coding.
Awareness games are a well-established instrument in information security. They are discussed in de-facto standards such as the BSI Grundschutz-Katalog [4] (M 3.47, Planspiele) as one means to raise awareness and increase the level of security. Frey et al. [8] show both the potential impact of playing cybersecurity games on the participants and the importance of playing games as a means of cybersecurity awareness. They conclude that cybersecurity games can be a useful means to build a common understanding of security issues. Rieb et al. [29] provide a review of serious games in cybersecurity and conclude that there are many approaches. The games listed mainly address information security rather than secure coding. Documented and evaluated games are [2] and [29]. Capture-the-flag is one particular genre of serious games in the domain of cybersecurity [6]. Game participants win flags when they manage to solve a task. Forensics, cryptography, and penetration testing are skills necessary for solving tasks and capturing flags. The present work uses serious games to achieve the goal of raising secure coding awareness of software developers in the industry. Previous work on selected design aspects and a smaller empirical basis on the CSC includes [10, 13, 14, 15, 18, 19, 20].

In this section, we introduce the CyberSecurity Challenges (CSC), which were developed to raise awareness on secure coding. We also present a detailed discussion on creating these games (1) by using existing open-source components, and (2) by using the open-source CyberSecurity Challenge platform developed by the authors - the Sifu platform. CyberSecurity Challenges (CSC) are a genre of serious games developed with the specific purpose of raising awareness of industrial software developers in the topic of secure coding and secure coding guidelines. Figure 1 shows two examples of CSC events in the industry.
The game consists of a platform where several participants (i.e., software developers) form teams that compete against each other in solving secure coding challenges. The challenges consist of exercises that are developed primarily to address software development vulnerabilities. Solving the challenges requires the participants to know and follow secure coding guidelines. Figure 2 depicts the general architecture of CyberSecurity Challenges (CSC), which consists of the following components: Challenges, Dashboard, and Countdown. The challenges represent the individual exercises that the participants must solve to gain points. The dashboard displays the available challenges and tracks each team's current status in terms of points gathered. Figure 3 shows an example of a dashboard based on the open-source CTFd platform. Upon solving a challenge, the participants receive a flag. This flag is represented by a random-like string that can be redeemed for points in the dashboard. The number of points awarded depends on the difficulty level of the challenge. The countdown component consists of a timer that, when expired, automatically locks the dashboard, preventing further submission of flags. The countdown timer is also used to incentivize the competitiveness of the players in solving the challenges. One or more coaches take part in the game by aiding every team and every participant during the gameplay, such that no one gets stuck or lost while solving the exercises. The coaches also supervise the gameplay to ensure that the desired game objectives, e.g., learning goals, are achieved. In the end, the team with the highest number of points wins the challenge. Nevertheless, all teams and players are winners since, by participating in the game, awareness of secure coding is stimulated.
The game's competitive nature increases the fun, contributes to the overall awareness level of every player, and ensures a memorable event that can leave long-lasting impressions. The different CSC challenges can be implemented in two ways: 1) using open-source components or 2) using self-developed components. In the first case, the challenges are implemented through adaptation, re-use, and re-purposing of existing open-source projects and components. This method's main advantage is the reduced cost of implementing individual challenges while outsourcing their maintenance. In the second case, the challenges can be better adapted to internal company policies while also focusing more on the defensive perspective. The architecture shown in Figure 2 was initially developed for onsite events. A recent installment of the game [15] allows the game not only to be played remotely but also to include an intelligent coach based on artificial intelligence techniques. In the following, we present a more detailed introduction of the CSC game implementation based on open-source components and the Sifu platform. The CSC game was developed in the industry, focusing on Web and C/C++ developers. In contrast to C/C++, for the web challenges it was decided not to focus on a single programming language or framework, since many of these programming languages and frameworks are in everyday use in the company where the CSC game was developed. In this case, we chose a generic approach based on the Open Web Application Security Project - OWASP [27]. The challenges' design took two approaches: 1) based on open-source components and 2) design of own challenges. A common approach to the design of the challenges is given in [19]. Each challenge is presented to the participants according to the following phases: Phase 1 - introduction, Phase 2 - challenge, and Phase 3 - conclusion.
Phase 1 presents an introduction to the challenge and sets up the scenario; the core part of the challenge is phase 2; phase 3 concludes the challenge by adding additional text related to secure coding guidelines or further questions related to phase 2. The types of challenges are Single-Choice Questions, Multiple-Choice Questions, Text-Entry Questions, Associate-Left-Right, Code-Snippet Challenge, and Code-Entry Challenge.

Challenges using Open-Source Components

Challenges on secure coding for software developers can be implemented by using and adapting existing open-source components. Since most of the available projects focus on the offensive perspective, the following adaptations are suggested: 1) include an incomplete description of how to solve the challenge, and 2) provide follow-up questions related to secure coding guidelines. Figures 4-6 show an example of a challenge for web developers using OWASP JuiceShop. The challenge's learning goal is to understand what SQL injections are and how to identify an SQL injection quickly. Phase 1 sets the stage for the challenge (Fig. 4). In Phase 2, the player is assisted in finding the vulnerability, through the textual description, as in Fig. 5, or directed by the game coaches. The last phase consists of an additional question related to the exercise, as shown in Fig. 6, which enquires about and directs the player to the corresponding secure coding guidelines. Table 1 shows the open-source projects and components which have been used to design CSC challenges for Web and C/C++, along with the expected effort required to modify them. Note that the design of these challenges is based on open-source components that include an offensive perspective. Therefore, after the components' adaptation, it is more natural and accurate to describe these types of challenges as defensive/offensive (D/O).

Defensive Challenges using the Sifu Platform

The Sifu platform hosts code projects containing vulnerabilities in a web application.
A web interface is chosen to avoid the players' need to install software on their machines, which might be difficult or impossible in an industrial setting. The players' task is to fix the project's source code to bring it to an acceptable solution (therefore focusing on the defensive perspective). An acceptable solution is one where the source code is compliant with secure coding guidelines and does not have known vulnerabilities. The Sifu platform contains two main components: 1) challenge assessment and 2) an automatic coach. The challenge assessment component analyses the proposed solution submitted by a player and determines if it is acceptable. The analysis is based on several tools, e.g., compiler output, static code analysis, and dynamic code analysis. The automatic coach component is implemented through an artificial intelligence technique that provides hints to the participant when the solution is not acceptable, with the intent of guiding the participant to an acceptable solution. Figure 7 shows the web user interface of the Sifu platform. Note that only phase 2 is shown in the figure. The player can browse the different files of the project. All the hints issued by the automatic coach are available on the right-hand side. If the player experiences errors when using the platform, these can be reported for later analysis and improvement. Since untrusted and potentially malicious code will be executed in the platform during the analysis stage, several security mechanisms need to be implemented to guarantee that the players cannot hack it. Further detailed information on the implementation is available in [15, 18]. The open-source Sifu platform can be downloaded from GitHub [9].

The authors have implemented the CSC game and have held a total of thirteen CSC events in the industry: nine onsite events (from November 2017 to October 2019) and four CSC online events (from June 2020 to July 2020). Furthermore, two events in November 2020 were held in academia.
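The assessment-and-coach loop described above for the Sifu platform, combined with the flag, points and countdown mechanics of the CSC dashboard from section 3, as an added Python illustration that is not the Sifu code [9] or any other code from the authors. The check list (two SEI CERT C rules, MSC24-C and STR31-C, matched with simple patterns in place of the compiler and static/dynamic analysis tools), the flag derivation, the point table and the two C submissions are all constructed for this example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the analysis tools: (stage, pattern over the
# submission, hint the automatic coach shows when the pattern is found).
CHECKS = [
    ("compiler", r"\bgets\s*\(",
     "gets() cannot bound its input and was removed from C11; read the line "
     "with fgets(buf, sizeof buf, stdin) instead (SEI CERT MSC24-C)."),
    ("static-analysis", r"\bstrcpy\s*\(",
     "strcpy() copies until the terminator with no size check; bound the copy "
     "to the destination and terminate it explicitly (SEI CERT STR31-C)."),
]
SECRET = b"constructed-event-secret"                 # per-event key (constructed)
POINTS = {"easy": 100, "medium": 250, "hard": 500}  # reward by difficulty (constructed)


@dataclass
class Assessment:
    acceptable: bool
    hints: list = field(default_factory=list)  # coach hints, empty when acceptable
    flag: Optional[str] = None                 # issued only for acceptable solutions


def make_flag(challenge_id: str) -> str:
    """Random-looking flag bound to the challenge and the event key."""
    mac = hmac.new(SECRET, challenge_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"CSC{{{challenge_id}-{mac}}}"


def assess(challenge_id: str, source: str) -> Assessment:
    """Challenge assessment: every failing check becomes a hint; the flag is
    issued only when no check fails, i.e. the solution is acceptable."""
    hints = [f"[{stage}] {hint}" for stage, pattern, hint in CHECKS
             if re.search(pattern, source)]
    if hints:
        return Assessment(acceptable=False, hints=hints)
    return Assessment(acceptable=True, flag=make_flag(challenge_id))


class Dashboard:
    """Scoreboard with countdown: flags convert to points until the deadline,
    then the board locks; each challenge is credited once per team."""

    def __init__(self, challenges: dict, deadline: float):
        self.challenges = challenges  # challenge_id -> difficulty
        self.deadline = deadline      # seconds since epoch when the countdown ends
        self.scores = {}
        self.redeemed = set()

    def redeem(self, team: str, flag: Optional[str], now: float) -> int:
        """Points awarded for this flag submission, 0 when it is rejected."""
        if not flag or now >= self.deadline:
            return 0                  # no flag, or countdown expired: board locked
        for cid, difficulty in self.challenges.items():
            if hmac.compare_digest(flag, make_flag(cid)) and (team, cid) not in self.redeemed:
                self.redeemed.add((team, cid))
                self.scores[team] = self.scores.get(team, 0) + POINTS[difficulty]
                return POINTS[difficulty]
        return 0


# Constructed submissions: a player's first attempt and the fixed version.
VULNERABLE = """void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                 /* unbounded copy */
    gets(buf);                         /* unbounded read */
    printf("Hello %s\\n", buf);
}"""
FIXED = """void greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", name);          /* bounded, terminated */
    if (fgets(buf, sizeof buf, stdin) == NULL) return;
    printf("Hello %s\\n", buf);
}"""

if __name__ == "__main__":
    board = Dashboard({"c-str-01": "medium"}, deadline=1000.0)
    attempt = assess("c-str-01", VULNERABLE)
    print("acceptable:", attempt.acceptable)
    for hint in attempt.hints:
        print("  coach:", hint)
    solved = assess("c-str-01", FIXED)
    print("flag:", solved.flag, "points:", board.redeem("team-a", solved.flag, 900.0))
    print("locked after countdown:", board.redeem("team-b", solved.flag, 1000.0))
```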
Table 2 summarizes all the events. To evaluate and refine the CSC game, we have performed empirical studies alongside the CSC events. The results presented in this work summarize our empirical studies by focusing on the following six dimensions:

- Know-how - evaluate if the CSC game contributes to learning new techniques and principles to be used during software development
- Significance - evaluate if the CSC game contributes to understanding the importance of secure coding guidelines
- Skills - evaluate if the CSC game contributes to improving the participants' secure coding skills
- Clarity - evaluate if the challenges in the CSC game are clearly presented
- Coaching - evaluate if the help provided by coaches is adequate during gameplay
- Behavior - evaluate if the participants, after playing the CSC game, feel prepared to write secure code

The answers to the survey questions were based on a 5-point Likert scale on agreement and are summarized as negative (-) answers (strongly disagree and disagree), neutral (N), and positive (+) answers (agree and strongly agree). Answering the survey was not mandatory, and the participants that took part in the study gave their consent; additionally, their answers were anonymized. Although the total number of participants in the CSC events exceeded 200, the number of participants that answered the survey was: 56 for defensive/offensive (D/O) events 1-9, 25 for defensive (D) events 10-13, and 14 for defensive challenges in academia (A) in events 14-15. Additional results were captured through open feedback, questions, and discussions with the participants. The main positive and negative quotes from the participants were also collected. In the following sub-sections, we present a brief overview and discussion of the survey's main results, participant feedback, and an overview of the lessons learned on the design of CSC games and events.
For a more in-depth overview of the empirical studies, we refer the reader to the work published by the same authors in [10-20]. Table 3 shows a summary of the results for the six questions, both for the industry (81 participants) and academia (14 participants). The two highest-ranked questions are: Defensive/Offensive Challenges - Q2, Q5; Offensive Challenges - Q2+Q3+Q5, Q1; Offensive Challenges - Q3, Q4+Q5. The results in this table lead to the following conclusions: (1) defensive challenges have a higher level of agreement than defensive/offensive challenges, (2) there is a higher amount of neutral answers in defensive/offensive than in purely defensive challenges, (3) nevertheless, both defensive/offensive and defensive challenges show a high level of agreement on their suitability as a method to increase awareness. These results mean that, while there are good indicators that both challenge types are suitable to raise secure coding awareness of software developers, the indicators for defensive challenges show a higher adequacy. The presented results

Table 3. CyberSecurity Challenge - Empirical Results

Table 4 shows the main positive and negative quotes from participants in the CSC games. Most of the collected feedback was positive and indicated that the CSC game is suitable for raising secure coding awareness. The feedback obtained by the authors, during all the events that took place in the industry, has also shown that the software developers highly appreciate playing the CSC game. For one of the groups that participated in a CSC event, the players joined forces after the event and searched the internet for further similar games, thus giving a good indicator of possible long-term effects. Another success factor was the positive feedback from management, leading to recurring CSC events and leaving a good impression on managers.
Nevertheless, we collected some negative feedback related to the user interface and the hints' precision. Additional negative feedback is related to the fact that defensive/offensive challenges still include an offensive part. The offensive part's presence can lead to difficulty in understanding what to do in the challenge due to the participants' background (i.e., software developers). In a separate discussion, we could conclude that the coaches' help can positively improve the game experience.

Figure 8 shows an overview of the lessons learned on the different aspects related to the design, deployment and refinement of CyberSecurity Challenges. These have resulted from all thirteen deployments that were performed in the industry. Time management is an essential aspect of deploying and using games in the industry. This aspect includes the agenda of the event and the temporal dimensioning of the challenges. A clear definition of roles in a serious game is also a critical aspect of such a game's design. The CyberSecurity Challenges game defines three roles: individual player, team, and coach. These games are typically deployed in a computer network. Therefore, the different components present in the network and their management are also essential aspects of the game. Finally, the challenges aspect (CH) looks at the different categories of challenges (as introduced before), the challenge types suitable for the industry, the different phases of a challenge, and the tools to create the challenges. Detailed discussions on each of these aspects can be found in [10-20].

If not addressed appropriately, software vulnerabilities can result in serious negative consequences. A good time to address these issues is in the early stages of software development, by raising the awareness of software developers on secure coding. This paper presents CyberSecurity Challenges (CSC) as a possible solution.
CyberSecurity Challenges is a genre of serious games developed to raise the awareness of industrial software developers on secure coding and secure coding guidelines. CSC games have been developed since 2017 in the industry. They were extensively studied as part of the Ph.D. research by the first author, resulting in more than ten publications. The CSC game can be used both for onsite training and remote training, thus easily adapting to possible travel restrictions imposed by the current COVID-19 situation. Our results through empirical studies show that this game is adequate to raise secure coding awareness, both when using defensive/offensive challenges and purely defensive challenges. Furthermore, preliminary results indicate that the same artifact could be used in academia to prepare the future industry workforce. Feedback obtained from software developers in the industry also indicates this community's acceptance and welcoming of the game. During gameplay, software developers have fun and practice the use of secure coding guidelines for secure software development. Furthermore, CSC games found additional success by being well accepted by management. Therefore, we think that this type of game is a viable approach to tackle possible software vulnerabilities due to bad code quality in terms of security.

References

'Think secure from the beginning': A Survey with Software Developers
A Serious Game for Eliciting Social Engineering Security Requirements
Bundesamt für Sicherheit in der Informationstechnik: BSI IT-Grundschutz-Katalog
Secure Coding Standards
The fun and future of CTF. 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education
ENISA: The cost of incidents affecting CIIs
The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game
Sifu Platform
On the Requirements for Serious Games Geared Towards Software Developers in the Industry
Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses
Raising secure coding awareness for software developers in the industry
Ranking Secure Coding Guidelines for Software Developer Awareness Training in the Industry
Awareness of Secure Coding Guidelines in the Industry - A first data analysis
Sifu - A CyberSecurity Awareness Platform with CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments. In: 16th International Conference on Wirtschaftsinformatik
Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey
Cybersecurity Awareness Platform with Virtual Coach and Automated Challenge Assessment
Design of Secure Coding Challenges for Cybersecurity Education in the Industry
Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis
What happens when software developers are (un)happy
Specifying IT security awareness
IEC 62443-4-1: Security for industrial automation and control systems - part 4-1: Secure product development lifecycle requirements. Standard, International Electrotechnical Commission
Information technology - Security techniques - Information security management systems - Requirements. Standard, International Standard Organization
Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness
Toward a Unified Model of Information Security Policy Compliance
Global Developer Report: DevSecOps finds security roadblocks divide teams
IT-Security Awareness mit Operation Digitales Chamäleon
Software Developers and Security
Death by a Thousand Facts: Criticizing the Technocratic Approach to Information Security Awareness
A Survey on Developer-Centred Security
Why do Programmers Make Security Errors?

The authors would like to thank the participants of the CyberSecurity Challenges for their time and their valuable answers and comments. The authors would also like to thank Kristian Beckers and Thomas Diefenbach for their helpful, insightful, and constructive comments and discussions. This research is partly financed by national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and UIDP/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR for their support.