CATS: A Serious Game in Industry Towards Stronger Cloud Security

  • Conference paper
Ubiquitous Security (UbiSec 2022)

Abstract

Cloud computing has become a widely applied technology in industry. Broad network access, a characteristic of cloud computing, brings business value, but it also poses threats to cloud assets because the attack surface is greater than that of on-premises and other service models. Industry standards aim to regulate cloud security by enforcing best practices. To comply with these standards, practitioners in industry must be trained to understand the basic concepts of attack and defense mechanisms in cloud security so that they can protect assets in the cloud. This work presents a serious game, Cloud of Assets and Threats (CATS), as an enrichment of traditional training material to raise awareness of cloud security challenges. In this paper, we introduce the design elements and implementation details of CATS. We organized eight game events with 94 industrial practitioners to validate our design. We administered a questionnaire and conducted semi-structured interviews with the game participants to evaluate the impact of the game and collect feedback. The evaluation indicates that CATS is a promising, innovative method for promoting awareness of cloud security issues among practitioners in industry, regardless of their technical background. Our main contributions are the design of such a game and an understanding of the impact of playing the CATS game in industry.

Acknowledgements

This work is partially financed by Portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and FCT UIDP/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR for their support. We acknowledge funding for project LIONS by dtec.bw.

Author information

Corresponding author

Correspondence to Tiange Zhao.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Zhao, T., Lechner, U., Pinto-Albuquerque, M., Ata, E., Gasiba, T. (2023). CATS: A Serious Game in Industry Towards Stronger Cloud Security. In: Wang, G., Choo, KK.R., Wu, J., Damiani, E. (eds) Ubiquitous Security. UbiSec 2022. Communications in Computer and Information Science, vol 1768. Springer, Singapore. https://doi.org/10.1007/978-981-99-0272-9_5

  • DOI: https://doi.org/10.1007/978-981-99-0272-9_5

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-0271-2

  • Online ISBN: 978-981-99-0272-9

  • eBook Packages: Computer Science (R0)
