Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis

Authors Tiago Gasiba , Ulrike Lechner , Filip Rezabek , Maria Pinto-Albuquerque

Thumbnail PDF


  • Filesize: 0.57 MB
  • 11 pages

Document Identifiers

Author Details

Tiago Gasiba
  • Siemens AG, München, Germany
  • Universität der Bundeswehr München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Filip Rezabek
  • Siemens AG, München, Germany
Maria Pinto-Albuquerque
  • Instituto Universitário de Lisboa (Iscte), ISTAR, Portugal


We would like to thank the anonymous reviewers for the valuable comments and careful reviews. We would also like to thank all game participants as well as our colleagues Jorge Cuellar, Holger Dreger and Thomas Diefenbach for many fruitful discussions.

Cite AsGet BibTex

Tiago Gasiba, Ulrike Lechner, Filip Rezabek, and Maria Pinto-Albuquerque. Cybersecurity Games for Secure Programming Education in the Industry: Gameplay Analysis. In First International Computer Programming Education Conference (ICPEC 2020). Open Access Series in Informatics (OASIcs), Volume 81, pp. 10:1-10:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)


To minimize the possibility of introducing vulnerabilities in source code, software developers may attend security awareness and secure coding training. From the various approaches of how to raise awareness and adherence to coding standards, one promising novel approach is Cybersecurity Challenges. However, in an industrial setting, time is a precious resource, and, therefore, one needs to understand how to optimize the gaming experience of Cybersecurity Challenges and the effect of this game on secure coding skills. This work identifies the time spent solving challenges of different categories, analyzes gaming strategies in terms of a slow and fast team profile, and relates these profiles to the game success. First results indicate that the slow strategy is more successful than the fast approach. The authors also analyze the possible implications in the design and the training of secure coding in an industrial setting by means of Cybersecurity Challenges. This work concludes with a brief overview of its limitations and next steps in the study.

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
  • Security and privacy → Web application security
  • Applied computing → Interactive learning environments
  • Applied computing → E-learning
  • education
  • training
  • secure coding
  • industry
  • cybersecurity
  • capture-the-flag
  • game analysis
  • cybersecurity challenge


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Mauro Andreolini, Vincenzo Giuseppe Colacino, Michele Colajanni, and Mirco Marchetti. A framework for the evaluation of trainee performance in cyber range exercises. In Mobile Networks and Applications, volume 25, pages 236-247, December 2019. URL:
  2. James Barela, Tiago Espinha Gasiba, Santiago Reinhard Suppan, Marc Berges, and Kristian Beckers. When interactive graphic storytelling fails. In 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), pages 164-169. IEEE, September 2019. URL:
  3. Paul Cairns. Engagement in Digital Games. In Heather O'Brien and Paul Cairns, editors, Why Engagement Matters, pages 81-104. Springer, May 2016. URL:
  4. Kevin Chung. CTFd : The Easiest Capture The Flag Framework. URL:
  5. Ian Cullinane, Catherine Huang, Thomas Sharkey, and Shamsi Moussavi. Cyber Security Education Through Gaming Cybersecurity Games Can Be Interactive, Fun, Educational and Engaging. J. Computing Sciences in Colleges, 30(6):75-81, June 2015. URL:
  6. Ralf Dörner, Stefan Göbel, Wolfgang Effelsberg, and Josef Wiemeyer. Serious Games: Foundations, Concepts and Practice. Springer International Publishing, 1 edition, 2016. URL:
  7. Tiago Gasiba, Kristian Beckers, Santiago Suppan, and Filip Rezabek. On the Requirements for Serious Games geared towards Software Developers in the Industry. In Daniela E. Damian, Anna Perini, and Seok-Won Lee, editors, 27th IEEE International Requirements Engineering Conference, RE 2019, Jeju Island, Korea (South), September 23-27, 2019. IEEE, 2019. URL:
  8. Schoenau-Fog Henrik. The Player Engagement Process - An Exploration of Continuation Desire in Digital Games. In DiGRA - Proceedings of the 2011 DiGRA International Conference: Think Design Play. DiGRA/Utrecht School of the Arts, January 2011. URL:
  9. Norman Hänsch and Zinaida Benenson. Specifying IT security awareness. In 25th International Workshop on Database and Expert Systems Applications, Munich, Germany, pages 326-330, September 2014. URL:
  10. Sangkyun Kim, Kibong Song, Barbara Lockee, and John Burton. Engagement and fun. In Gamification in Learning and Education, Advances in Game-Based Learning, pages 7-14. Springer International Publishing, 2018. URL:
  11. Kees Leune and Salvatore Petrilli Jr. Using capture-the-flag to enhance the effectiveness of cybersecurity education. In Proceedings of the 18th Annual Conference on Information Technology Education, pages 47-52. ACM, 2017. Google Scholar
  12. Sten Mäses. Evaluating cybersecurity-related competences through serious games. In Proceedings of the 19th Koli Calling International Conference on Computing Education Research, Koli Calling ’19, New York, NY, USA, 2019. Association for Computing Machinery. Google Scholar
  13. Sten Mäses, Bil Hallaq, and Olaf Maennel. Obtaining better metrics for complex serious games within virtualised simulation environments. In Maja Pivcec and Josef Gründler, editors, The 11th European Conference on Game-Based Learning (ECGBL), Graz, Austria, pages 428-434, October 2017. Google Scholar
  14. Andreas Rieb. IT-Sicherheit: Cyberabwehr mit hohem Spaßfaktor. In kma - Das Gesundheitswirtschaftsmagazin, volume 23, pages 66-69, July 2018. Google Scholar
  15. Andreas Rieb, Tamara Gurschler, and Ulrike Lechner. A gamified approach to explore techniques of neutralization of threat actors in cybercrime. In GDPR & ePrivacy: APF 2017 - Proceedings of the 5th ENISA Annual Privacy Forum, Lecture Notes in Computer Science, pages 87-103. Springer Verlag, June 2017. Google Scholar