Simulation based learning in critical infrastructure security awareness: an empirical study

Abstract

The digital transformation process that is currently underway is not only associated with benefits; among its downsides, increased cyber risk is mentioned more often than not. Most cyber security breaches are attributed to the human factor, and erring in turn is, more often than not, attributed to lack of awareness and proper training. The problem in fact is that humans lack security awareness, even though they may have been exposed to security related knowledge during their studies or otherwise. This gap between learning in theory and practically applying knowledge can be bridged using simulations. Simulation training is broadly used in a variety of scientific and professional domains such as health, the military or the navy and air forces (pilot simulators). As cybersecurity is an abstract concept, a simulation-based learning process targeting cybersecurity would be more challenging than in the case of other fields of knowledge, because a simulation for cybersecurity training should not only be about executing commands and following standard procedures, but also about making decisions and implementing risk management strategies and scenarios. This thesis investigates how simulation-based learning affects the knowledge of cybersecurity risk management. To this end, an experiment was set up, leveraging the simulation game CyberCIEGE. Thirteen undergraduate IT students were involved in the experiment and took part in the simulation game, by completing two questionnaires, one prior to playing the game and one after having played it. The purpose of the questionnaire was to define how the students self-assess their cybersecurity awareness and if this assessment is in fact reflected in their true knowledge. To do so, the questionnaire did not rely only on oneself’s opinion, but it included technical questions as well. Even though the study we conducted provided preliminary results which, due to limitations, cannot be considered representative of a large population, it can prepare the ground for a longer, tailor-made, structured and well-designed intervention to take place in a larger scale, with more learners participating, more resources and data collection tools and with no time restrictions. The methodology and design employed for the thesis’ purposes can be adapted and used in a larger scale study; given that the intervention was designed to be able to be re-used (be as sustainable as possible for further use), researchers and instructors can implement it to a program to explore the field of cybersecurity education which is currently advancing, and is in need of new challenges and systematic analysis.