Document Open Access Logo

Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper)

Authors Tiange Zhao , Tiago Espinha Gasiba , Ulrike Lechner , Maria Pinto-Albuquerque

PDF
Thumbnail PDF

File

OASIcs.ICPEC.2021.11.pdf
  • Filesize: 0.65 MB
  • 8 pages

Document Identifiers

Author Details

Tiange Zhao
  • Siemens AG, Munich, Germany
  • Universität der Bundeswehr München, Germany
Tiago Espinha Gasiba
  • Siemens AG, Munich, Germany
  • Universität der Bundeswehr München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Maria Pinto-Albuquerque
  • University Institute of Lisbon (ISCTE-IUL), ISTAR, Portugal

Funding

This work is partially financed by Portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and FCT UIDP/04466/2020. Furthermore, the fourth author thanks the Instituto Universitário de Lisboa and ISTAR, for their support.

Cite AsGet BibTex

Tiange Zhao, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper). In Second International Computer Programming Education Conference (ICPEC 2021). Open Access Series in Informatics (OASIcs), Volume 91, pp. 11:1-11:8, Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2021)
https://doi.org/10.4230/OASIcs.ICPEC.2021.11

Abstract

Nowadays, companies are increasingly using cloud-based platform for its convenience and flexibility. However, companies still need to protect their assets when deploying their infrastructure in the cloud. Over the last years, the number of cloud-specific vulnerabilities has been increasing. In this work, we introduce a serious game to help participants to understand the inherent risks, understand the different roles, and to encourage proactive defensive thinking. Our game includes an automated evaluator as a novel element. The players are invited to build defense plans and attack plans, which will be checked by the evaluator. We design the game and organize a trial-run in an industrial setting. Our preliminary results bring insight into the design of such a game, and constitute the first step in a research using design science.

Subject Classification

ACM Subject Classification
  • Computer systems organization → Cloud computing
  • Social and professional topics → Computer and information systems training
Keywords
  • cloud security
  • cloud control matrix
  • shared-responsibility model
  • industry
  • training
  • gamification

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

References

  1. Cloud Security Alliance. Security guidance for critical areas of focus in cloud computing v4.0, 2017. URL: https://cloudsecurityalliance.org/artifacts/security-guidance-v4/.
  2. Cloud Security Alliance. Requirements for bodies providing star certification, 2020. URL: https://cloudsecurityalliance.org/artifacts/requirements-for-bodies-providing-star-certification/.
  3. Cloud Security Alliance. Top threats to cloud computing: Egregious eleven deep dive, 2020. URL: https://cloudsecurityalliance.org/artifacts/top-threats-egregious-11-deep-dive/.
  4. Cloud Security Alliance. Cloud controls matrix v4, 2021. URL: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/.
  5. Michael J Assante and Robert M Lee. The industrial control system cyber kill chain. SANS Institute InfoSec Reading Room, 1, 2015. Google Scholar
  6. MITRE ATT&CK. Tabletop security games & cards, 2020. URL: https://attack.mitre.org/versions/v8/matrices/enterprise/cloud/.
  7. Carlo Di Giulio, Read Sprabery, Charles Kamhoua, Kevin Kwiat, Roy H Campbell, and Masooda N Bashir. Cloud standards in comparison: Are new security frameworks improving cloud security? In 2017 IEEE 10th International Conference on Cloud Computing (CLOUD), pages 50-57. IEEE, 2017. Google Scholar
  8. Sylvain Frey, Awais Rashid, Pauline Anthonysamy, Maria Pinto-Albuquerque, and Syed Asad Naqvi. The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game. IEEE Transactions on Software Engineering, 45(5):521-536, 2017. Google Scholar
  9. Alan Hevner, Salvatore March, and Jinsoo Park. Design science in information systems research. Management Information Systems Quarterly, 2004. Google Scholar
  10. David Kuipers and Mark Fabro. Control systems cyber security: Defense in depth strategies. Technical report, Idaho National Laboratory (INL), 2006. Google Scholar
  11. Dimitri Petrik and Georg Herzwurm. iIoT ecosystem development through boundary resources: a Siemens MindSphere case study. In Proceedings of the 2nd ACM SIGSOFT International Workshop on Software-Intensive Business: Start-ups, Platforms, and Ecosystems, pages 1-6, 2019. Google Scholar
  12. Tiphaine Romand-Latapie. The NeoSens training method: Computer security awareness for a neophyte audience, 2016. URL: https://airbus-seclab.github.io/dnd/us-16-Romand-Latapie-Dungeons-Dragons-And-Security-wp.pdf.
  13. Adam Shostack. Elevation of privilege: Drawing developers into threat modeling. In 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14), 2014. Google Scholar
  14. Adam Shostack. Tabletop security games & cards, 2021. URL: https://adam.shostack.org/games.html.
  15. Dina Simunic, Antun Kerner, and Srecko Gajovic. Digital mediators as key enablers of navigation toward health in knowledge landscapes. Croatian medical journal, 2018. Google Scholar
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail
© 2023 Schloss Dagstuhl - LZI GmbH Imprint Privacy Contact