Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper)

Authors Tiange Zhao , Tiago Espinha Gasiba , Ulrike Lechner , Maria Pinto-Albuquerque

Thumbnail PDF


  • Filesize: 0.65 MB
  • 8 pages

Document Identifiers

Author Details

Tiange Zhao
  • Siemens AG, Munich, Germany
  • Universität der Bundeswehr München, Germany
Tiago Espinha Gasiba
  • Siemens AG, Munich, Germany
  • Universität der Bundeswehr München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Maria Pinto-Albuquerque
  • University Institute of Lisbon (ISCTE-IUL), ISTAR, Portugal

Cite AsGet BibTex

Tiange Zhao, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Exploring a Board Game to Improve Cloud Security Training in Industry (Short Paper). In Second International Computer Programming Education Conference (ICPEC 2021). Open Access Series in Informatics (OASIcs), Volume 91, pp. 11:1-11:8, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2021)


Nowadays, companies are increasingly using cloud-based platform for its convenience and flexibility. However, companies still need to protect their assets when deploying their infrastructure in the cloud. Over the last years, the number of cloud-specific vulnerabilities has been increasing. In this work, we introduce a serious game to help participants to understand the inherent risks, understand the different roles, and to encourage proactive defensive thinking. Our game includes an automated evaluator as a novel element. The players are invited to build defense plans and attack plans, which will be checked by the evaluator. We design the game and organize a trial-run in an industrial setting. Our preliminary results bring insight into the design of such a game, and constitute the first step in a research using design science.

Subject Classification

ACM Subject Classification
  • Computer systems organization → Cloud computing
  • Social and professional topics → Computer and information systems training
  • cloud security
  • cloud control matrix
  • shared-responsibility model
  • industry
  • training
  • gamification


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Cloud Security Alliance. Security guidance for critical areas of focus in cloud computing v4.0, 2017. URL: https://cloudsecurityalliance.org/artifacts/security-guidance-v4/.
  2. Cloud Security Alliance. Requirements for bodies providing star certification, 2020. URL: https://cloudsecurityalliance.org/artifacts/requirements-for-bodies-providing-star-certification/.
  3. Cloud Security Alliance. Top threats to cloud computing: Egregious eleven deep dive, 2020. URL: https://cloudsecurityalliance.org/artifacts/top-threats-egregious-11-deep-dive/.
  4. Cloud Security Alliance. Cloud controls matrix v4, 2021. URL: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/.
  5. Michael J Assante and Robert M Lee. The industrial control system cyber kill chain. SANS Institute InfoSec Reading Room, 1, 2015. Google Scholar
  6. MITRE ATT&CK. Tabletop security games & cards, 2020. URL: https://attack.mitre.org/versions/v8/matrices/enterprise/cloud/.
  7. Carlo Di Giulio, Read Sprabery, Charles Kamhoua, Kevin Kwiat, Roy H Campbell, and Masooda N Bashir. Cloud standards in comparison: Are new security frameworks improving cloud security? In 2017 IEEE 10th International Conference on Cloud Computing (CLOUD), pages 50-57. IEEE, 2017. Google Scholar
  8. Sylvain Frey, Awais Rashid, Pauline Anthonysamy, Maria Pinto-Albuquerque, and Syed Asad Naqvi. The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game. IEEE Transactions on Software Engineering, 45(5):521-536, 2017. Google Scholar
  9. Alan Hevner, Salvatore March, and Jinsoo Park. Design science in information systems research. Management Information Systems Quarterly, 2004. Google Scholar
  10. David Kuipers and Mark Fabro. Control systems cyber security: Defense in depth strategies. Technical report, Idaho National Laboratory (INL), 2006. Google Scholar
  11. Dimitri Petrik and Georg Herzwurm. iIoT ecosystem development through boundary resources: a Siemens MindSphere case study. In Proceedings of the 2nd ACM SIGSOFT International Workshop on Software-Intensive Business: Start-ups, Platforms, and Ecosystems, pages 1-6, 2019. Google Scholar
  12. Tiphaine Romand-Latapie. The NeoSens training method: Computer security awareness for a neophyte audience, 2016. URL: https://airbus-seclab.github.io/dnd/us-16-Romand-Latapie-Dungeons-Dragons-And-Security-wp.pdf.
  13. Adam Shostack. Elevation of privilege: Drawing developers into threat modeling. In 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14), 2014. Google Scholar
  14. Adam Shostack. Tabletop security games & cards, 2021. URL: https://adam.shostack.org/games.html.
  15. Dina Simunic, Antun Kerner, and Srecko Gajovic. Digital mediators as key enablers of navigation toward health in knowledge landscapes. Croatian medical journal, 2018. Google Scholar