Cloud of Assets and Threats: A Playful Method to Raise Awareness for Cloud Security in Industry

Authors: Tiange Zhao, Ulrike Lechner, Maria Pinto-Albuquerque, Ece Ata

File

OASIcs.ICPEC.2022.6.pdf
  • Filesize: 0.58 MB
  • 13 pages

Author Details

Tiange Zhao
  • Siemens AG, München, Germany
  • Universität der Bundeswehr München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Maria Pinto-Albuquerque
  • Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR, Portugal
Ece Ata
  • Siemens AG, München, Germany
  • Technische Universität München, Germany

Cite As

Tiange Zhao, Ulrike Lechner, Maria Pinto-Albuquerque, and Ece Ata. Cloud of Assets and Threats: A Playful Method to Raise Awareness for Cloud Security in Industry. In Third International Computer Programming Education Conference (ICPEC 2022). Open Access Series in Informatics (OASIcs), Volume 102, pp. 6:1-6:13, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)
https://doi.org/10.4230/OASIcs.ICPEC.2022.6

Abstract

Cloud computing has become a convenient technology widely used in industry, providing profit and flexibility to companies. Many enterprises embrace cloud services by migrating their products and solutions from on-premise to cloud environments. Cloud assets and applications are vulnerable to security challenges if not adequately protected. Regulations, standards and guidelines aim to enforce cloud security controls in the industry, and practitioners need training to raise awareness of cloud security issues and to learn about the defense mechanisms and controls. We propose a serious game, Cloud of Assets and Threats (CAT), for enhancing the cloud security awareness of industrial practitioners. This study extends the first results of applying such a serious game in industry [Zhao et al., 2021] and refines its design in two iterations. In the first design iteration, we implemented a digital game platform with six attack scenarios and developed a new player-versus-environment gaming mode. In the second design iteration, we adjusted the attack scenarios and introduced different difficulty levels for the scenarios. We present, analyse, and discuss the game events. We conclude that CAT is a promising method to raise awareness for cloud security in the industry.

Subject Classification

ACM Subject Classification
  • Computer systems organization → Cloud computing
  • Social and professional topics → Computer and information systems training
Keywords
  • Cloud security
  • Cloud control matrix
  • Shared-responsibility model
  • Industry
  • Training
  • Gamification

References

  1. Cloud Security Alliance. Cloud Controls Matrix v4. https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/, 2021.
  2. Michael J. Assante and Robert M. Lee. The industrial control system cyber kill chain. SANS Institute InfoSec Reading Room, 1, 2015.
  3. MITRE ATT&CK. Groups. https://attack.mitre.org/groups/, May 2017.
  4. MITRE ATT&CK. Techniques. https://attack.mitre.org/techniques/, May 2017.
  5. MITRE ATT&CK. MITRE ATT&CK cloud matrix. https://attack.mitre.org/versions/v8/matrices/enterprise/cloud/, 2020.
  6. Richard L. Baskerville and Jan Pries-Heje. Explanatory design theory. Business & Information Systems Engineering, 2:271-282, 2010. URL: https://aisel.aisnet.org/bise/vol2/iss5/2.
  7. Ralf Dörner, Stefan Göbel, Wolfgang Effelsberg, and Josef Wiemeyer. Serious Games: Foundations, Concepts and Practice. Springer, 2016.
  8. International Organization for Standardization. ISO/IEC 27001 information security management. https://www.iso.org/isoiec-27001-information-security.html, 2017.
  9. Sylvain Frey, Awais Rashid, Pauline Anthonysamy, Maria Pinto-Albuquerque, and Syed Asad Naqvi. The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game. IEEE Transactions on Software Engineering, 2017.
  10. Tiago Espinha Gasiba, Kristian Beckers, Santiago Suppan, and Filip Rezabek. On the requirements for serious games geared towards software developers in the industry. In 2019 IEEE 27th International Requirements Engineering Conference (RE), pages 286-296. IEEE, 2019.
  11. Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Sifu - a cybersecurity awareness platform with challenge assessment and intelligent coach. Cybersecurity, 3(1):1-23, 2020.
  12. Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Cybersecurity challenges for software developer awareness training in industrial environments. Innovation Through Information Systems. WI 2021. Lecture Notes in Information Systems and Organisation, 47, 2021. URL: https://doi.org/10.1007/978-3-030-86797-3_25.
  13. Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Cybersecurity challenges: Serious games for awareness training in industrial environments. Federal Office for Information Security (ed.): Germany. Digital. Secure. 30 Years BSI - Proceedings of the 17th German IT Security Congress 2021, February 2021.
  14. Stephen Hart, Andrea Margheri, Federica Paci, and Vladimiro Sassone. Riskio: A serious game for cyber security awareness and education. Computers & Security, 95:101827, 2020. URL: https://doi.org/10.1016/j.cose.2020.101827.
  15. Alan Hevner. A three cycle view of design science research. Scandinavian Journal of Information Systems, 19:4, January 2007.
  16. Alan Hevner, Salvatore March, and Jinsoo Park. Design science in information systems research. Management Information Systems Quarterly, 28:75-105, 2004.
  17. IEEE. IEEE standard glossary of software engineering terminology. IEEE Std 610.12-1990, pages 1-84, 1990. URL: https://doi.org/10.1109/IEEESTD.1990.101064.
  18. ISO27002. ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls. https://www.iso.org/standard/54533.html, 2013.
  19. ISO27017. ISO/IEC 27017:2015 Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services. https://www.iso.org/standard/43757.html, 2015.
  20. ISO27018. ISO/IEC 27018:2019 Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. https://www.iso.org/standard/76559.html, 2019.
  21. Konva. Konva.js - HTML5 2D canvas JS library for desktop and mobile applications. https://konvajs.org/, May 2022.
  22. Kimberly Mlitz. Size of the cloud computing and hosting market worldwide from 2010 to 2020 (in billion U.S. dollars). https://www.statista.com/statistics/500541/worldwide-hosting-and-cloud-computing-market/, January 2021. Accessed: 2021-05-08.
  23. Adam Shostack. Tabletop security games & cards. https://shostack.org/games.html, 2021.
  24. Tiange Zhao, Tiago Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Raising awareness about cloud security in industry through a board game. Information, 12(11), 2021. URL: https://doi.org/10.3390/info12110482.
  25. Tiange Zhao, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. Exploring a Board Game to Improve Cloud Security Training in Industry. In Pedro Rangel Henriques, Filipe Portela, Ricardo Queirós, and Alberto Simões, editors, Second International Computer Programming Education Conference (ICPEC 2021), volume 91 of Open Access Series in Informatics (OASIcs), pages 11:1-11:8, Dagstuhl, Germany, 2021. Schloss Dagstuhl - Leibniz-Zentrum für Informatik. URL: https://drops.dagstuhl.de/opus/volltexte/2021/14227, URL: https://doi.org/10.4230/OASIcs.ICPEC.2021.11.