CyberSecurity Challenges: Serious Games for Awareness Training in Industrial Environments
Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque
Tiago Gasiba (Siemens AG, Munich, Germany), Ulrike Lechner (Universität der Bundeswehr München, Munich, Germany), and Maria Pinto-Albuquerque (Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR, Lisboa, Portugal)
Abstract.
Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers' needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience of the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.
Keywords:
IT Security · Cybersecurity · Awareness · Secure Software Development · Industry · Critical Infrastructures · Serious Game
1 Introduction

If not addressed during the early stages of software design and implementation, software development errors and security vulnerabilities can end up in a final product or service. Security vulnerabilities can result in serious negative consequences for society, the customer, and the company that produced the software. Think, e.g., of critical infrastructures such as the grid, transportation, or production lines: a security vulnerability in the code may cause interruptions in service quality for individual customers when critical machinery or information systems fail, or even for society when critical infrastructure fails. Over the last years, the number of industrial security-related incidents has been increasing, which has resulted in severe incidents with a substantial financial impact, reaching up to 1.6% of GDP in some EU countries [7].

To address these issues, products and services provided by the industry must follow IT security standards. These standards mandate the implementation of a secure software development lifecycle and secure coding guidelines that must be followed to write secure code. Prominent examples of these standards for industrial environments are IEC 62443 [23], ISO 27001 [24], and the Grundschutzkatalog from the Bundesamt für Sicherheit in der Informationstechnik (BSI) [4]. Examples of secure coding guidelines widely used in the industry are the SEI-CERT Java Secure Coding Guidelines and the SEI-CERT C/C++ Secure Coding Guidelines, both from Carnegie Mellon [5]. The Open Web Application Security Project (OWASP, [27]) and the BSI (BSI 5.21, [3]) provide secure coding guidelines which are specific to web application development and widely used in the industry.

These standards provide a much-needed basis that establishes the ground rules required to produce secure products and services.
The effectiveness of these standards is related to the level of awareness and understanding of the standards by the persons directly affected by them: software developers. However, a recent study by Patel et al. [28] has shown that more than 50% of software developers cannot spot software vulnerabilities in source code. This lack of awareness about secure coding is a problem that needs to be addressed.

Among others, a possible way to address this issue is to provide training to software developers on secure coding. In this work, we present a new serious game designed to raise awareness and train software developers in secure coding. The serious game, named CyberSecurity Challenges, is an adaptation of the capture-the-flag game genre. Capture-the-flag was initially developed in the penetration testing community to practice and train offensive IT-security skills. The idea is that by attacking a system, well-trained penetration testers can discover vulnerabilities in products and services that can be fixed before final shipment to the customer. However, since these activities require a fully or partially developed project, they often occur late in the software development stages. We propose using an adapted version of the game, which targets software developers, focuses on the defensive perspective, and has the primary goal of increasing awareness of secure coding guidelines and secure coding best practices. Furthermore, we show how our concept can be used for onsite IT-Security Awareness Workshops and how it can be adapted for online training.

This work is organized as follows: in section 2, the authors briefly discuss previous work related to the cybersecurity challenges. Section 3 introduces the CyberSecurity Challenges and discusses challenges based on open-source components and the Sifu platform. Section 4 discusses the game's evaluation in an industrial context through survey results, participant feedback, and lessons learned. Finally, section 5 summarizes and concludes the paper.
2 Related Work

Although several methods exist to deal with software vulnerabilities, e.g., requirements engineering and code reviews, we focus on awareness training for software developers. Several previous studies indicate that software developers lack secure programming awareness and skills [1,28,32]. In 2020, Bruce Schneier, a well-known security researcher and evangelist, stated that less than 50% of software developers can spot security vulnerabilities in software [30]. His comment adds to a discussion on secure coding skills: in 2011, Xie et al. [33] conducted interviews with 15 senior professional software developers in the industry with an average of 12 years of experience. Their study has shown a disconnect between software security concepts and their role in the developers' jobs. Awareness training on information security is addressed by McIlwraith [25], who provides a systematic methodology and a baseline for implementing awareness training.

There is a stream of literature on compliance with security policies, which deals with general employees, not with software developers specifically. This stream of literature explores many reasons why people do not comply with IT-security policies. The unified framework by Moody et al. [26] summarizes the academic discussion on compliance with IT-security policies. Empirical findings conclude that neither deterrence nor punishment, such as, e.g., public blame, works to increase compliance. However, increasing IT-security awareness increases the level of compliance [31]. In their seminal review article, Hänsch et al. [22] define IT-security awareness in three dimensions: Perception, Protection, and Behavior. The concept of IT-security awareness is typically used in IT security management contexts. We adapt these concepts to software developers as follows [16]: perception - knowledge of existing software vulnerabilities; protection - knowing the existing mechanisms, e.g., secure coding guidelines and software development best practices, that avoid software vulnerabilities; and behavior - knowledge of and intention to write secure code.

Graziotin et al. [21] show that happy developers are better coders, i.e., they produce higher quality code and software. Their work suggests that by keeping developers happy, we can expect the code they write to be of better quality and, by implication, more secure. Davis et al. [6] show that cybersecurity games have the potential to increase the overall happiness of software developers. Their conclusions support our approach of using a serious game to train software developers in secure coding. Awareness games are a well-established instrument in information security. They are discussed in de-facto standards such as the BSI Grundschutz-Katalog [4] (M 3.47, Planspiele) as one means to raise awareness and increase the level of security. Frey et al. [8] show both the potential impact of playing cybersecurity games on the participants and the importance of playing games as a means of cybersecurity awareness. They conclude that cybersecurity games can be a useful means to build a common understanding of security issues. Rieb et al. [29] provide a review of serious games in cybersecurity and conclude that there are many approaches. The games listed mainly address information security rather than secure coding. Documented and evaluated games are [2] and [29].

Capture-the-flag is one particular genre of serious games in the domain of cybersecurity [6]. Game participants win flags when they manage to solve a task. Forensics, cryptography, and penetration testing are skills necessary for solving tasks and capturing flags.
The present work uses serious games to achieve the goal of raising secure coding awareness of software developers in the industry. Previous work on selected design aspects and a smaller empirical basis on the CSC includes [10, 13–15, 18–20].
3 CyberSecurity Challenges

In this section, we introduce the CyberSecurity Challenges (CSC), which were developed to raise awareness on secure coding. We also present a detailed discussion on creating these games (1) by using existing open-source components, and (2) by using the open-source CyberSecurity Challenge platform developed by the authors, the Sifu platform.
Fig. 1. CyberSecurity Events - On-site Events
CyberSecurity Challenges (CSC) are a genre of serious games developed with the specific purpose of raising awareness of industrial software developers on the topic of secure coding and secure coding guidelines. Figure 1 shows two examples of CSC events in the industry.

The game consists of a platform where several participants (i.e., software developers) form teams that compete against each other in solving secure coding challenges. The challenges consist of exercises that are developed primarily to address software development vulnerabilities. Solving the challenges requires the participants to know and follow secure coding guidelines. Figure 2 depicts the general architecture of CyberSecurity Challenges (CSC), which consists of the following components: Challenges, Dashboard, and Countdown.

The challenges represent the individual exercises that the participants must solve to gain points. The dashboard displays the available challenges and is used to track each team's current status regarding the number of gathered points. Figure 3 shows an example of a dashboard based on the open-source CTFd platform. Upon solving a challenge, the participants receive a flag. This flag is represented by a random-like string that can be redeemed for points in the dashboard. The number of points awarded is related to the difficulty level of the challenge. The countdown component consists of a timer that, when expired, automatically locks the dashboard, preventing further submission of flags. The countdown timer is also used to incentivize the competitiveness of the players in solving the challenges. One or more coaches take part in the game by aiding every team and every participant during the gameplay, such that no one gets stuck or lost while solving the exercises. The coaches also supervise the gameplay to ensure that the desired game objectives, e.g., learning goals, are achieved.

Fig. 2. Architecture of CyberSecurity Challenges infrastructure (participants 1 to n connect over the Internet to a server hosting the Challenges, Dashboard, and Countdown components)

In the end, the team with the highest number of points wins the challenge. Nevertheless, all teams and players are winners since, by participating in the game, awareness of secure coding is stimulated. The game's competitive nature increases the fun, contributes to the overall awareness level of every player, and ensures a memorable event that can leave long-lasting impressions.

The different CSC challenges can be implemented in two ways: 1) using open-source components or 2) using self-developed components. In the first case, the challenges are implemented through adaptation, re-use, and re-purposing of existing open-source projects and components. This method's main advantage is the reduced cost of implementing individual challenges while outsourcing their maintenance. In the second case, the challenges can be better adapted to internal company policies while also focusing more on the defensive perspective.

The architecture shown in Figure 2 was initially developed for onsite events. A recent installment of the game [15] allows the game not only to be played remotely but also to include an intelligent coach based on artificial intelligence techniques. In the following, we present a more detailed introduction of the CSC game implementation based on open-source components and the Sifu platform.
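The flag-redemption side of the architecture just described, as an added example in Python that is not code from the CTFd dashboard, the Sifu platform, or the CSC game: challenges carry a difficulty and a hashed flag, the dashboard redeems a submitted flag for points, rejects repeated or wrong flags, and refuses all submissions once the countdown has expired. The point values, the flag format, and the two-team scenario are assumptions made for the example.

```python
"""Flag redemption for a CSC-style dashboard.

Added example, not code from the CTFd or Sifu projects. Challenges carry a
difficulty and a hashed flag, the dashboard redeems submitted flags for
points, and the countdown locks the dashboard once it expires. Point
values and the flag format are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time

# Assumed reward table: points scale with challenge difficulty.
POINTS = {"easy": 100, "medium": 250, "hard": 500}


def make_flag(challenge_id: str) -> str:
    """Random-like flag handed to a team that solves a challenge."""
    return f"CSC{{{challenge_id}-{secrets.token_hex(8)}}}"


def flag_hash(flag: str) -> str:
    """Only the hash is stored server-side, so a dashboard dump leaks no flags."""
    return hashlib.sha256(flag.encode()).hexdigest()


class Dashboard:
    """Tracks team scores and enforces the countdown lock."""

    def __init__(self, challenges, duration_s, now=time.monotonic):
        # challenges: {challenge_id: (difficulty, flag_hash)}
        self.challenges = challenges
        self.now = now                  # injectable clock (tests use a fake one)
        self.deadline = now() + duration_s
        self.scores = {}                # team -> points
        self.solved = {}                # team -> set of solved challenge ids

    def locked(self) -> bool:
        """True once the countdown has expired; no more flags are accepted."""
        return self.now() >= self.deadline

    def redeem(self, team: str, challenge_id: str, flag: str):
        """Validate a submitted flag and award points; returns (accepted, reason)."""
        if self.locked():
            return False, "countdown expired: dashboard locked"
        if challenge_id not in self.challenges:
            return False, "unknown challenge"
        if challenge_id in self.solved.setdefault(team, set()):
            return False, "already solved"
        difficulty, stored = self.challenges[challenge_id]
        # Constant-time comparison so response timing does not leak how much
        # of a guessed flag was correct.
        if not hmac.compare_digest(flag_hash(flag), stored):
            return False, "wrong flag"
        self.solved[team].add(challenge_id)
        self.scores[team] = self.scores.get(team, 0) + POINTS[difficulty]
        return True, f"+{POINTS[difficulty]} points"

    def ranking(self):
        """Teams ordered by points (highest first), ties broken by name."""
        return sorted(self.scores.items(), key=lambda kv: (-kv[1], kv[0]))


def demo():
    """Constructed run: two teams, two challenges, a 60 s countdown."""
    flags = {cid: make_flag(cid) for cid in ("sqli-1", "bof-1")}
    challenges = {"sqli-1": ("easy", flag_hash(flags["sqli-1"])),
                  "bof-1": ("hard", flag_hash(flags["bof-1"]))}
    board = Dashboard(challenges, duration_s=60)
    board.redeem("red", "sqli-1", flags["sqli-1"])    # accepted, +100
    board.redeem("red", "sqli-1", flags["sqli-1"])    # rejected, already solved
    board.redeem("blue", "bof-1", "CSC{guess}")        # rejected, wrong flag
    board.redeem("blue", "bof-1", flags["bof-1"])      # accepted, +500
    return board.ranking()


if __name__ == "__main__":
    print(demo())
```

The clock is injected so that the countdown lock can be exercised deterministically; in a real deployment the deadline would come from the event agenda and the coaches would reopen the dashboard, if at all, by explicit action rather than by a player request.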
The CSC game was developed in the industry, focusing on Web and C/C++ developers. In contrast to C/C++, for the web challenges it was decided not to focus on a single programming language or framework, since many programming languages and frameworks are in everyday use in the company where the CSC game was developed. In this case, we chose a generic approach based on the Open Web Application Security Project - OWASP [27]. The challenges' design took two approaches: 1) based on open-source components and 2) design of own challenges. A common approach to the design of the challenges is given in [19]. Each challenge is presented to the participants according to the following phases: Phase 1 - introduction, Phase 2 - challenge, and Phase 3 - conclusion. Phase 1 presents an introduction to the challenge and sets up the scenario; the core part of the challenge is phase 2; phase 3 concludes the challenge by adding additional text related to secure coding guidelines or further questions related to phase 2. The types of challenges are Single-Choice Questions, Multiple-Choice Questions, Text-Entry Questions, Associate-Left-Right, Code-Snippet Challenge, and Code-Entry Challenge.
Fig. 3. Dashboard
Fig. 4. Web Challenge: Phase 1 (Introduction). Text shown to the player: "An SQL injection happens when untrusted user data is mixed together with trusted data (e.g., written by the programmer). If you can manipulate the SQL query, you can change its logic. Instead of doing what it is supposed to do, it will do what the attacker wants it to do. A typical way to test for an SQL injection is by trying to cause errors in the backend. This can be achieved with the characters ' and ", which are typical string quotes." The figure also shows a diagram of user data flowing into the SQL query.

Fig. 5. Web Challenge: Phase 2 (Challenge). Text shown to the player: "Try to cause an SQL error in the website. Hint: you might want to try special characters that can turn an SQL query into an invalid query."

Fig. 6. Web Challenge: Phase 3 (Conclusion). Text shown to the player: "The following picture shows a possible consequence of exploiting the vulnerability you just discovered. An attacker can read the entire database. Assume that passwords are stored in plain text. This can lead to disclosure of confidential information, and even to the company going out of business. Q: Which guidelines might not have been followed by the programmer when developing the website?" with the options [ ] IDS00-J. Prevent SQL injection, [ ] IDS14-J. Do not trust the contents of hidden form fields, [ ] STR03-J. Do not encode noncharacter data as a string. The figure also shows a diagram of user data flowing into the SQL query and into the passwords table.
Challenges using Open-Source Components

Challenges on secure coding for software developers can be implemented by using and adapting existing open-source components. Since most of the available projects focus on the offensive perspective, the following adaptations are suggested: 1) include an incomplete description of how to solve the challenge, and 2) provide follow-up questions related to secure coding guidelines. Figs. 4 to 6 show an example of a challenge for Web developers using OWASP Juice Shop. The challenge's learning goal is to understand what SQL injections are and how to identify an SQL injection quickly. Phase 1 sets the stage for the challenge (Fig. 4). In Phase 2, the player is assisted in finding the vulnerability through the textual description, as in Fig. 5, or also directed by the game coaches. The last phase consists of an additional question related to the exercise, as shown in Fig. 6, which enquires about and directs the player to the corresponding secure coding guidelines.

Table 1 shows the open-source projects and components which have been used to design CSC challenges for Web and C/C++, along with the expected effort required to modify them. Note that the design of these challenges is based on open-source components that include an offensive perspective. Therefore, after the components' adaptation, it is more natural and accurate to describe these types of challenges as defensive/offensive (D/O).
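The three phases of the SQL injection challenge above, reduced to runnable code as an added example (Python with the standard sqlite3 module; this is not code from OWASP Juice Shop or from the CSC game). The login query built by string concatenation is the pattern IDS00-J warns about; the phase 2 probe with a single quote turns it into invalid SQL and surfaces a backend error; a tautology payload then logs in without knowing any password (the phase 3 consequence); the parameterised version is the defensive fix. The users table, its rows, and the e-mail addresses are constructed sample data.

```python
"""The three phases of the SQL injection web challenge in runnable form.

Added example; not code from OWASP Juice Shop or from the CSC game. The
users table and its rows are constructed sample data.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a user table with plaintext passwords (as
    assumed in phase 3 of the challenge)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("admin@example.test", "admin123"), ("alice@example.test", "s3cret")],
    )
    con.commit()
    return con


def login_vulnerable(con, email: str, password: str):
    """Untrusted user data is pasted into the trusted query text, so the
    data can change the query's logic (violates IDS00-J)."""
    query = (f"SELECT email FROM users WHERE email = '{email}' "
             f"AND password = '{password}' ORDER BY id")
    return [row[0] for row in con.execute(query)]


def login_fixed(con, email: str, password: str):
    """IDS00-J: bind user data as parameters; it is never parsed as SQL."""
    query = "SELECT email FROM users WHERE email = ? AND password = ? ORDER BY id"
    return [row[0] for row in con.execute(query, (email, password))]


def probe(login, con, payload: str) -> str:
    """Phase 2 test: does a quote in the input produce a backend error?"""
    try:
        rows = login(con, payload, "x")
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"
    return f"rows: {rows}"


if __name__ == "__main__":
    db = setup_db()
    # Phase 2: the single quote breaks the concatenated query but not the fixed one.
    print(probe(login_vulnerable, db, "'"))
    print(probe(login_fixed, db, "'"))
    # Phase 3 consequence: the tautology bypasses the password check entirely.
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    print(login_fixed(db, "' OR '1'='1", "' OR '1'='1"))
```

The error message from the probe is exactly the signal the phase 2 hint asks the player to look for; note that the fixed variant returns an empty result for the same payload instead of an error, which is why the follow-up question in phase 3 points at IDS00-J rather than at input filtering.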
Table 1. Open-Source Tools used for Cybersecurity Challenges

Type      Project                   Effort   Description
Web/Java  Juice Shop                Minimal  Insecure web application for training purposes from the OWASP project
Web/Java  Java SEI-CERT             Medium   Secure coding guidelines dedicated to Java from Carnegie Mellon University
Web       Vulnerable API            Medium   REST API containing several vulnerabilities
C/C++     MBE                       Small    Vulnerable code from the RPISEC course at Rensselaer Polytechnic Institute
C/C++     C/C++ SEI-CERT            Medium   Secure coding guidelines dedicated to C/C++ from Carnegie Mellon University
C/C++     Vulnerable code snippets  High     Vulnerable C/C++ code from NIST (Juliet Set)
Defensive Challenges using Sifu Platform

The Sifu platform hosts code projects containing vulnerabilities in a web application. A web interface is chosen to avoid the players' need to install software on their machines, which might be difficult or impossible in an industrial setting. The players' task is to fix the project's source code to bring it to an acceptable solution (therefore focusing on the defensive perspective). An acceptable solution is one where the source code is compliant with secure coding guidelines and does not have known vulnerabilities. The Sifu platform contains two main components: 1) challenge assessment and 2) an automatic coach. The challenge assessment component analyses the proposed solution submitted by a player and determines if it is acceptable. Analysis is based on several tools, e.g., compiler output, static code analysis, and dynamic code analysis. The automatic coach component is implemented through an artificial intelligence technique that provides hints to the participant when the solution is not acceptable, with the intent of guiding the participant to an acceptable solution. Figure 7 shows the web user interface of the Sifu platform. Note that only phase 2 is shown in the figure. The player can browse the different files of the project. All the hints issued by the automatic coach are available on the right-hand side. If the player experiences errors when using the platform, these can be reported for later analysis and improvement. Since untrusted and potentially malicious code will be executed in the platform during the analysis stage, several security mechanisms need to be implemented to guarantee that the players cannot hack it. Further detailed information on the implementation is available in [15, 18]. The open-source Sifu platform can be downloaded from GitHub [9].

Fig. 7. Sifu Platform - User Interface (panels: Challenge, Hints, Feedback, Project Files, Player Interaction, Platform Buttons)
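The submit/assess/hint loop of a defensive challenge, as an added example in Python; it is not the Sifu implementation. The real platform chains the compiler, static and dynamic analysers on the submitted C project inside a sandbox; here those analysers are replaced by a handful of pattern rules keyed to SEI CERT C rule identifiers, and the automatic coach escalates from a generic hint to the rule-specific one on repeated failed attempts (that escalation policy, the rule set, and the two C sources are assumptions and constructed inputs for this example).

```python
"""Simplified challenge assessment and automatic coach in the style of the
Sifu platform.

Added example, not the Sifu implementation. The pattern rules stand in for
the compiler / static / dynamic analysers; the hint escalation policy is an
assumption; the two C sources are constructed inputs.
"""
import re

# (rule id, pattern over the source, hint shown by the coach). The rule ids
# are real SEI CERT C rules; the regexes are a deliberate simplification and
# are not a substitute for a real static analyser.
RULES = [
    ("STR31-C", re.compile(r"\bgets\s*\("),
     "gets() cannot bound its input; read with fgets(buf, sizeof buf, stdin)."),
    ("STR31-C", re.compile(r"\bstrcpy\s*\("),
     "strcpy() ignores the destination size; copy with snprintf() or strncpy() "
     "using the destination size and make sure the result is terminated."),
    ("FIO30-C", re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)"),
     "A variable is used as the format string; print it with printf(\"%s\", var)."),
    ("ERR33-C", re.compile(r"^\s*fgets\s*\(", re.MULTILINE),
     "The return value of fgets() is discarded; check it against NULL."),
]


def static_checks(source: str):
    """Return [(rule id, hint)] for every rule that fires on the source."""
    return [(rule, hint) for rule, rx, hint in RULES if rx.search(source)]


def assess(source: str):
    """Challenge assessment: the solution is acceptable only with no findings."""
    findings = static_checks(source)
    return len(findings) == 0, findings


class Coach:
    """Automatic coach: hints get more specific with each failed attempt."""

    def __init__(self):
        self.attempts = {}  # challenge id -> number of submissions

    def hint(self, challenge_id: str, findings) -> str:
        n = self.attempts[challenge_id] = self.attempts.get(challenge_id, 0) + 1
        if not findings:
            return "Accepted: the project follows the secure coding guidelines."
        if n == 1:
            return (f"Not accepted: {len(findings)} issue(s) remain. "
                    "Look at how input is read, copied and printed.")
        if n == 2:
            rules = ", ".join(sorted({rule for rule, _ in findings}))
            return f"Not accepted. Guidelines to check: {rules}"
        return "Not accepted.\n" + "\n".join(f"- {rule}: {hint}" for rule, hint in findings)


# Constructed submission as a player might first upload it.
VULNERABLE = """\
#include <stdio.h>
#include <string.h>
int main(void) {
    char name[32];
    char line[64];
    gets(line);
    strcpy(name, line);
    printf(name);
    return 0;
}
"""

# Constructed acceptable solution of the same project.
FIXED = """\
#include <stdio.h>
#include <string.h>
int main(void) {
    char name[32];
    char line[64];
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    line[strcspn(line, "\\n")] = '\\0';
    snprintf(name, sizeof name, "%s", line);
    printf("%s\\n", name);
    return 0;
}
"""


def play(challenge_id: str, submissions):
    """Drive one player through the submit/hint loop; returns the coach's hints."""
    coach = Coach()
    log = []
    for source in submissions:
        accepted, findings = assess(source)
        log.append(coach.hint(challenge_id, findings))
        if accepted:
            break
    return log


if __name__ == "__main__":
    for line in play("c-strings-1", [VULNERABLE, VULNERABLE, VULNERABLE, FIXED]):
        print(line, "\n")
```

Two design points carry over to a real deployment: the assessment returns findings keyed by guideline identifier, which is what lets the coach point the player at the standard rather than at a line number, and the hint for the first failed attempt is intentionally generic, which is exactly the property some participants complained about in Table 4, so the escalation step is what keeps players from getting stuck.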
4 Evaluation

Table 2. CyberSecurity Challenge Events

No.  Type  NP  Where
1    D/O   11  DE
2    D/O   12  DE
3    D/O    6  DE
4    D/O   30  DE
5    D/O   16  DE
6    D/O   14  CH
7    D/O   15  CH
8    D/O    7  DE
9    D/O   23  TK
10   D     15  OL
11   D     21  OL
12   D     20  OL
13   D     15  OL
14   A     12  OL
15   A      4  OL
D/O: Defensive/Offensive, D: Defensive, A: Academia, NP: Number of participants, DE: Germany, CH: China, TK: Turkey, OL: Online

The authors have implemented the CSC game and have held a total of thirteen CSC events in the industry: nine onsite events (from November 2017 to October 2019) and four online CSC events (from June 2020 to July 2020). Furthermore, two events in November 2020 were held in academia. Table 2 summarizes all the events. To evaluate and refine the CSC game, we have performed empirical studies together with the CSC events. The results presented in this work summarize our empirical studies by focusing on the following six dimensions:
– Know-how - evaluate if the CSC game contributes to learning new techniques and principles to be used during software development
– Significance - evaluate if the CSC game contributes to understanding the importance of secure coding guidelines
– Skills - evaluate if the CSC game contributes to improving the participants' secure coding skills
– Clarity - evaluate if the challenges in the CSC game are clearly presented
– Coaching - evaluate if the help provided by coaches is adequate during gameplay
– Behavior - evaluate if the participants, after playing the CSC game, feel prepared to write secure code

The answers to the survey questions were based on a 5-point Likert scale on agreement and are summarized through negative (-) answers (strongly disagree and disagree), neutral (N), and positive (+) answers (agree and strongly agree). Answering the survey was not mandatory, and the participants that took part in the study have given their consent; additionally, their answers were anonymized. Although the total number of participants in the CSC events exceeded 200, the numbers of participants that answered the survey were: 56 for defensive/offensive (D/O) events 1-9, 25 for defensive (D) events 10-13, and 14 for defensive challenges in academia (A) in events 14-15.
Additional results were captured through open feedback, questions, and discussions with the participants. The main positive and negative quotes from the participants were also collected. In the following sub-sections, we present a brief overview and discussion of the survey's main results, participant feedback, and an overview of the lessons learned on the design of CSC games and events. For a more in-depth overview of the empirical studies, we refer the reader to the work published by the same authors in [10–20].
Table 3 shows a summary of the results for the six questions, both for the industry (81 participants) and academia (14 participants). The two highest-ranked questions are: defensive/offensive challenges - Q2, Q5; defensive challenges in the industry - Q2+Q3+Q5, Q1; defensive challenges in academia - Q3, Q4+Q5. The results in this table lead to the following conclusions: (1) defensive challenges have a higher level of agreement than defensive/offensive challenges, (2) there is a higher amount of neutral answers in defensive/offensive than in purely defensive challenges, and (3) nevertheless, both defensive/offensive and defensive challenges show a high level of agreement on their suitability as a method to increase awareness. These results mean that, while there are good indicators that both challenge types are suitable to raise secure coding awareness of software developers, the indicators for defensive challenges show a higher adequacy.

Table 3. CyberSecurity Challenge - Empirical Results

Question  Industry D/O (- N +)  Industry D (- N +)  Academia (- N +)  Description
Q1 to Q6
-: Negative agreement, N: Neutral answers, +: Positive agreement, D/O: Defensive/Offensive, D: Defensive

The presented results also show promising results for the three awareness constructs introduced by Hänsch et al. [22] - perception (Q2), protection (Q1), and behavior (Q3). An extended experiment, using the same artifact but in an academic setting, also shows good indicators of its suitability to train future generations of junior industrial software developers. For a more in-depth discussion of the presented results, we refer the reader to the literature by the same authors [10–20].

Table 4 shows the main positive and negative quotes from participants in the CSC games. Most of the collected feedback was positive and indicated that the CSC game is suitable for raising secure coding awareness. The feedback obtained by the authors during all the events that took place in the industry has also shown that software developers highly appreciate playing the CSC game. For one of the groups that participated in a CSC event, the players joined forces after the event and searched the internet for further similar games, a good indicator of possible long-term effects. Another success factor was the positive feedback from management, leading to recurring CSC events and leaving a good impression on managers. Nevertheless, we collected some negative feedback related to the user interface and the hints' precision. Additional negative feedback is related to the fact that defensive/offensive challenges still include an offensive part. The offensive part's presence can lead to difficulty in understanding what to do in the challenge due to the participants' background (i.e., software developers). In a separate discussion, we could conclude that coaches' help can positively improve the game experience.
Table 4. Quotes from CSC Participants

Positive:
– I really enjoyed participating in the challenges.
– I am well excited in trying to crack the answers to the challenges
– Enjoyed the challenges, different topics and how competitive we became
– It was lots of fun. Questions in between were nice.
– Enjoyed and lots of fun. I've learned many interesting things
– Quite fun and nice to work, especially work in team
– Enjoyed and learned very much
– It was really funny and I learned a lot
– Funny and interesting; learned a lot - hope to remember and use in practice
– Really liked and enjoyed the exercises
– Enjoyable to try everything and very fun
Negative:
– Hints not always accurate or precisely leading to the problem in the code
– We do not perform attacks on systems
– Could not understand what to do in the challenge
– Some hints are very generic
– The user interface is very minimalist
– User interface could be improved

Figure 8 shows an overview of the lessons learned on the different aspects related to the design, deployment, and refinement of CyberSecurity Challenges. These have resulted from all the thirteen deployments that were performed in the industry. The five top-level design aspects are: 1 - learning goals, 2 - time management, 3 - game roles, 4 - game components, and 5 - challenges. Learning goals (L) are related to the game's content and its adaptation to the target group of software developers, and consider programming language, secure coding guidelines, alignment with management, and the current status quo of know-how. Time management is an essential aspect of deploying and using games in the industry. This aspect includes the agenda of the event and the temporal dimensioning of the challenges. A clear definition of roles in a serious game is also a critical aspect of such a game's design. The CyberSecurity Challenges game defines three roles: individual player, team, and coach. These games are typically deployed in a computer network. Therefore, the different components present in the network and their management are also essential aspects of the game. Finally, the aspect challenges (CH) looks at the different categories of challenges (as introduced before), challenge types suitable for the industry, the different phases of a challenge, and tools to create the challenges. Detailed discussions on each of these aspects can be found in [10–20].
5 Conclusions

If not addressed appropriately, software vulnerabilities can result in serious negative consequences. A good time to address these issues is in the early stages of software development, by raising the awareness of software developers on secure coding. This paper presents CyberSecurity Challenges (CSC) as a possible solution. CyberSecurity Challenges is a genre of serious games developed to raise the awareness of industrial software developers on secure coding and secure coding guidelines. CSC games have been developed since 2017 in the industry. They were extensively studied as part of the Ph.D. research by the first author, resulting in more than ten publications. The CSC game can be used both for onsite training and remote training, thus easily adapting to possible travel restrictions imposed by the current COVID-19 situation.

Our results from empirical studies show that this game is adequate to raise secure coding awareness, both when using defensive/offensive challenges and purely defensive challenges. Furthermore, preliminary results indicate that the same artifact could be used in academia to prepare the future industry workforce. Feedback obtained from software developers in the industry also indicates this community's acceptance and welcoming of the game. During gameplay, software developers have fun and practice the usage of secure coding guidelines for secure software development. Furthermore, CSC games found additional success by being well accepted by management. Therefore, we think that this type of game is a viable approach to tackle possible software vulnerabilities due to bad code quality in terms of security.
Acknowledgements
The authors would like to thank the participants of the CyberSecurity Challenges for their time and their valuable answers and comments. The authors would also like to thank Kristian Beckers and Thomas Diefenbach for their helpful, insightful, and constructive comments and discussions. This research is partly financed by national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and UIDP/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR for their support.
References
1. Assal, H., Chiasson, S.: 'Think secure from the beginning': A Survey with Software Developers. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pp. 1–13. CHI '19, Association for Computing Machinery, New York, NY, USA (2019)
2. Beckers, K., Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements. In: 2016 IEEE 24th International Requirements Engineering Conference (RE). IEEE (08 2016)
3. Bundesamt für Sicherheit in der Informationstechnik: Baustein B 5.21 - Webanwendungen (2014), https://tinyurl.com/y25m2kxl
4. Bundesamt für Sicherheit in der Informationstechnik: BSI IT-Grundschutz-Katalog, 15. ed. (2016), https://download.gsb.bund.de/BSI/ITGSK/IT-Grundschutz-Kataloge_2016_EL15_DE.pdf
5. Carnegie Mellon University: Secure Coding Standards (2019), https://tinyurl.com/y29mwsyj, online
6. Davis, A., Leek, T., Zhivich, M., Gwinnup, K., Leonard, W.: The fun and future of CTF. In: 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14), pp. 1–9 (2014)
7. ENISA: The cost of incidents affecting CIIs (8 2016), https://tinyurl.com/y3v4rv8x
8. Frey, S., Rashid, A., Anthonysamy, P., Pinto-Albuquerque, M., Naqvi, S.A.: The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game. IEEE Transactions on Software Engineering (5), 521–536 (2019)
9. Gasiba, T.: Sifu Platform (12 2020), https://github.com/saucec0de/sifu, Siemens AG, MIT License
10. Gasiba, T., Beckers, K., Suppan, S., Rezabek, F.: On the Requirements for Serious Games Geared Towards Software Developers in the Industry. In: Damian, D.E., Perini, A., Lee, S. (eds.) 2019 IEEE 27th International Requirements Engineering Conference (RE), pp. 286–296. IEEE, Jeju, South Korea (09 2019). https://doi.org/10.1109/re.2019.00038
11. Gasiba, T., Hodzic, S., Lechner, U., Pinto-Albuquerque, M.: Raising Security Awareness using Cybersecurity Challenges in Embedded Programming Courses. In: forthcoming (2021), in preparation
12. Gasiba, T., Lechner, U.: Raising secure coding awareness for software developers in the industry. In: 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), pp. 141–143. IEEE, Jeju, South Korea (09 2019). https://doi.org/10.1109/REW.2019.00030
13. Gasiba, T., Lechner, U., Cuellar, J., Zouitni, A.: Ranking Secure Coding Guidelines for Software Developer Awareness Training in the Industry. In: Queirós, R., Portela, F., Pinto, M., Simões, A. (eds.) First International Computer Programming Education Conference (ICPEC 2020). OpenAccess Series in Informatics (OASIcs), vol. 81, pp. 11:1–11:11. Schloss Dagstuhl–Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2020)
14. Gasiba, T., Lechner, U., Pinto-Albuquerque, M.: Awareness of Secure Coding Guidelines in the Industry - A first data analysis. In: The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, Online (12 2020), to appear
15. Gasiba, T., Lechner, U., Pinto-Albuquerque, M.: Sifu - A CyberSecurity Awareness Platform with Challenge Assessment and Intelligent Coach. In: Cybersecurity Journal, Special Issue on Cyber-Physical System Security. SpringerOpen (12 2020). https://doi.org/10.1186/s42400-020-00064-4
16. Gasiba, T., Lechner, U., Pinto-Albuquerque, M.: CyberSecurity Challenges for Software Developer Awareness Training in Industrial Environments. In: 16th International Conference on Wirtschaftsinformatik (2021), to appear
17. Gasiba, T., Lechner, U., Pinto-Albuquerque, M.: Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey. In: 43rd International Conference on Software Engineering (2021), to appear
18. Gasiba, T., Lechner, U., Pinto-Albuquerque, M., Porwal, A.: Cybersecurity Awareness Platform with Virtual Coach and Automated Challenge Assessment. In: 6th Workshop On The Security Of Industrial Control Systems & Of Cyber-Physical Systems (CyberICPS), pp. 67–83. Springer, Cham, Online (12 2020). https://doi.org/10.1007/978-3-030-64330-0_5
19. Gasiba, T., Lechner, U., Pinto-Albuquerque, M., Zouitni, A.: Design of Secure Coding Challenges for Cybersecurity Education in the Industry. In: 13th International Conference on the Quality of Information and Communications Technology, pp. 223–237. Springer, Online (09 2020). https://doi.org/10.1007/978-3-030-58793-2_18
20. Gasiba, T., Lechner, U., Rezabek, F., Pinto-Albuquerque, M.: Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis. In: Queirós, R., Portela, F., Pinto, M., Simões, A. (eds.) First International Computer Programming Education Conference (ICPEC 2020). OpenAccess Series in Informatics (OASIcs), vol. 81, pp. 10:1–10:11. Schloss Dagstuhl–Leibniz-Zentrum für Informatik, Dagstuhl, Germany (2020)
21. Graziotin, D., Fagerholm, F., Wang, X., Abrahamsson, P.: What happens when software developers are (un)happy. Journal of Systems and Software, 32–47 (2018)
22. Hänsch, N., Benenson, Z.: Specifying IT security awareness. In: 25th International Workshop on Database and Expert Systems Applications, pp. 326–330. IEEE, Munich, Germany (Sep 2014). https://doi.org/10.1109/DEXA.2014.71
23. IEC 62443-4-1: Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements. Standard, International Electrotechnical Commission (01 2018)
24. ISO 27001: Information technology – Security techniques – Information security management systems – Requirements. Standard, International Organization for Standardization, Geneva, CH (10 2013)
25. McIlwraith, A.: Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness. Gower Publishing, Ltd. (2006)
26. Moody, G.D., Siponen, M., Pahnila, S.: Toward a Unified Model of Information Security Policy Compliance. MIS Quarterly (1), 1–50 (2018)
27. OWASP Foundation: Open Web Application Security Project, https://owasp.org/
28. Patel, S.: 2019 Global Developer Report: DevSecOps finds security roadblocks divide teams (July 2020), https://about.gitlab.com/blog/2019/07/15/global-developer-report/
(1), 29–38 (2012)
32. Tahaei, M., Vaniea, K.: A Survey on Developer-Centred Security. In: 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). pp. 129–138. IEEE (2019)
33. Xie, J., Lipford, H.R., Chu, B.: Why do Programmers Make Security Errors? 2011 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC) pp. 161–164 (09 2011). https://doi.org/10.1109/VLHCC.2011.6070393

[Figure: mind map of the CyberSecurity Challenges design elements; only the node labels survived extraction]
CyberSecurity Challenges
Time Management (T)
Roles (R)
Challenges (CH)
Content (C)
Alignment (A)
Survey (S)
Awareness Status-Quo; Secure Coding Guidelines; Industry Best Practices; Internal Guidelines; Previous Incidents; Management; Senior Architects
Agenda (A): Welcome; Forming Teams; Introduction; Main Event; Winner Announcement; Feedback; Walkthrough
Dimensioning (D): Challenge Solve Time; Player; Team; Coach
Components (CO): Server (S): Dashboard, Countdown, Challenges; Client (C): Challenges, Web Browser
Categories (C): Defensive/Offensive; Defensive
Types (TY): Single Choice; Multiple-Choice; Text-Entry Question; Code-Snippet Question; Associate Left-Right; Code-Entry Challenge
Phases (P): Introduction; Challenge; Conclusion
Tools (TO): Open-Source; Sifu Platform
Learning Goals (L): Programming Language (P); Others (O)
C/C++; Web; Java; Python; Questions
Wifi; Internet