Abstract
Cloud computing has become a widely applied technology in the industry. Broad network access, a characteristic of cloud computing, brings business value, but it also poses threats to cloud assets because the attack surface is greater than on-premises and in other service models. Industry standards aim to regulate cloud security by enforcing best practices. To comply with the standards, practitioners in the industry are mandated to be trained to understand the basic concepts of attack and defense mechanisms in cloud security in order to protect assets in the cloud. This work presents a serious game, Cloud of Assets and Threats (CATS), as an enrichment to the traditional training material to raise awareness about cloud security challenges. In this paper, we introduce the design elements and implementation details of CATS. We organized eight game events with 94 industrial practitioners to validate our design. We applied a questionnaire and conducted semi-structured interviews with the game participants to evaluate the impact of the game and collect feedback. The evaluation indicates that CATS is a promising innovative method for promoting awareness of cloud security issues among practitioners in the industry, regardless of their technical background. Our main contributions are the design of such a game and the understanding of the impact of playing the CATS game in the industry.
Acknowledgements
This work is partially financed by Portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and FCT UIDP/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR, for their support. We acknowledge funding for project LIONS by dtec.bw.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Zhao, T., Lechner, U., Pinto-Albuquerque, M., Ata, E., Gasiba, T. (2023). CATS: A Serious Game in Industry Towards Stronger Cloud Security. In: Wang, G., Choo, KK.R., Wu, J., Damiani, E. (eds) Ubiquitous Security. UbiSec 2022. Communications in Computer and Information Science, vol 1768. Springer, Singapore. https://doi.org/10.1007/978-981-99-0272-9_5
DOI: https://doi.org/10.1007/978-981-99-0272-9_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-0271-2
Online ISBN: 978-981-99-0272-9
eBook Packages: Computer Science, Computer Science (R0)