Cybersecurity Game Research Articles

The Ludo-Learning Matrix: A Framework for Understanding Learning in Games

Games have been widely recognized as methods of making learning more engaging. This has proven to be very attractive to those attempting to get complex fields such as cybersecurity training to a wider audience. Unfortunately, there is a failure to understand that each type of game serves a different educational purpose, leading to the situation where the games are being selected incorrectly and are failing to fulfill their promise. To address this issue, key concepts in learning and games were identified from the literature and then operationalized into an analytical framework. The concepts of player agency, message broadcasting, the transfer of learning and the type of challenges present in the game were selected. This generated a framework that is player-focused rather than content-focused and could be applied to any potential learning game. To validate the framework, three cybersecurity games were selected and analyzed using a ludo-textual approach. Cyberciege, a single player game aimed at university students, Spoofy, a kids’ web browser game and Tallinn Soldier, a seminar wargame, were selected to give as wide a sample as possible. The paper goes on to report on the results of the analysis and discuss how this may be used to examine and design learning games for cybersecurity in the future. Each of the selected games focus on different mechanisms for learning and engagement, highlighting the design tradeoffs that were made in the creation of the game. The proposed analytical framework can be applied not just to cybersecurity training games but theoretically to understanding any game that has learning as its objective.

Evaluation of time-based virtual machine migration as moving target defense against host-based attacks

Moving Target Defense (MTD) consists of applying dynamic reconfiguration in the defensive side of the attack-defense cybersecurity game. Virtual Machine (VM) migration could be used as MTD against specific host-based attacks in the cloud computing environment by remapping the distribution of VMs in the existing physical hosts. This way, when the attacker’s VM is moved to a different machine, the attack has to be restarted. However, one significant gap here is how to select a proper VM migration-based MTD schedule to reach the desired levels of system protection. This paper develops a Stochastic Petri Net (SPN) model to address this issue. The model leverages empirical knowledge about the dynamics of the attack defense in a VM migration-enabled setup. First, we present the results of an experimental campaign to acquire knowledge about the system’s behavior. The experiments provide insights for the model design. Then, based on the model, we propose a tool named PyMTDEvaluator, which provides a graphical interface that serves as a wrapper for the simulation environment of the model. Finally, we exercise the tool using Multi-Criteria Decision-Making methods to aid the MTD policy selection. Hopefully, our results and methods will be helpful for system managers and cybersecurity professionals.

A Review of Attacker–Defender Games and Cyber Security

The focus of this review is the long and broad history of attacker–defender games as a foundation for the narrower and shorter history of cyber security. The purpose is to illustrate the role of game theory in cyber security and which areas have received attention and to indicate future research directions. The methodology uses the search terms game theory, attack, defense, and cyber security in Web of Science, augmented with the authors’ knowledge of the field. Games may involve multiple attackers and defenders over multiple periods. Defense involves security screening and inspection, the detection of invaders, jamming, secrecy, and deception. Incomplete information is reviewed due to its inevitable presence in cyber security. The findings pertain to players sharing information weighted against the security investment, influenced by social planning. Attackers stockpile zero-day cyber vulnerabilities. Defenders build deterrent resilient systems. Stochastic cyber security games play a role due to uncertainty and the need to build probabilistic models. Such games can be further developed. Cyber security games based on traffic and transportation are reviewed; they are influenced by the more extensive communication of GPS data. Such games should be extended to comprise air, land, and sea. Finally, cyber security education and board games are reviewed, which play a prominent role.

Improvise, Adapt, Overcome: Dynamic Resiliency Against Unknown Attack Vectors in Microgrid Cybersecurity Games

Improvise, Adapt, Overcome: Dynamic Resiliency Against Unknown Attack Vectors in Microgrid Cybersecurity Games

Cybersecurity Knowledge Deterioration and the role of Gamification Intervention

Cybersecurity is becoming an overly critical issue in contemporary times. Cyberspace safety is declining, and this covers all categories of persons, businesses, institutions, and even the government. Deterioration in cybersecurity knowledge and awareness has led people to become easy prey/victims of cybercrime. The more novel security systems are being developed, the higher the cyberattacks as hackers, scammers, and cybercriminals are innovative in their techniques to attack cyber-users. It is therefore paramount to investigate the stance of cybersecurity knowledge among the general IT (Information Technology) users, especially in the 21st century. This paper designed a cybersecurity quiz based on adaptations from literature and past cybersecurity quizzes and conducted investigations to test the knowledge of random cyber-users via the cybersecurity quiz. Results from investigations are quite surprising and instructive, thus serving as a propelling motivation to develop a cybersecurity game. Among the 10-questionnaire cybersecurity quiz, it was discovered that most cyber-users lack knowledge about network security. Also, the question on social engineering was not well performed by the respondents. Thus, it is important for upcoming innovations to take into consideration the aspects of network security, social engineering when designing cybersecurity gamification approaches. Gamification has been used as teaching aids for diverse learning fields, however the use of games in cybersecurity is still understudied. Thus, the result of this quiz is intended to be used to further boost the development of a cybersecurity game, which can be age centric, thus developing cybersecurity games that will be suitable for specific user groups. Interestingly, though females were not regular game players, however they were highly interested in playing a cybersecurity game, as majority of cyber-users (males inclusive), believed that a cybersecurity knowledge gamification approach can help enhance their cybersecurity knowledge and awareness. Conclusively, it is obvious that both the young and old still lack basic cybersecurity knowledge, thereby making them easy prey for cyberattacks. Gamification if applied properly into cybersecurity, could be an interactive learning platform that is both enjoyable, produces a high spirit of learning as well as help serve as a strong awareness tool that can boost cybersecurity user’s knowledge.

Strateška odbrana kao igra sajber bezbednosti

Currently, both assaulters and perservers strive to be in a position of access to information, and also control in the field of economics, warfare, and society. Describe in military terms, data has become a virtual 'high ground' from which a more knowledgeable opponent can be influenced. Strategic defence became a cyber security game. However, despite the numerous technological solutions introduced to address system vulnerabilities, the human factor remains the greatest threat to system security. On the example of Ukraine-Russia conflict, this paper promotes the implementation of military strategy concepts to cyberconflict in order to better address the dynamical challenges of continual interaction between conformable and intelligent opponents. It begins by arguing for the adaptability of a military paradigm in cyberspace, though, without a desire for cyberspace's militarization. The conclusion is that the military mindset, which is predicated on clashes with dynamic, adaptable opponents, is a more dependable strategy than the prevalent cyber-hygiene paradigm. Five levels of strategic thought were described in order to connect objectives to policy, strategy, campaigns and operations, tactics, and instruments. Each level of strategic thinking was applied to a hypothetical defence script. Finally, the paper showed a substitute to technocentric strategies that are insufficient to combat the opponent by incorporating strategic thinking into digital defence.

Mandatory Gamified Security Awareness Training Impacts on Texas Public Middle School Students: A Qualitative Study

Aim/Purpose. The problem statement in the proposed study focuses on that, despite the growing recognition that teenagers need to undergo security awareness training, little is known about the impacts security training experts believe implementing a mandatory gamified security awareness training curriculum in public middle schools will have on the long-term security behavior of students in Texas. Background. This study was guided by the research question: What are the impacts security training experts believe implementing a mandatory gamified security aware-ness training curriculum in public middle schools will have on the long-term security behaviors of students in Texas? The study gathers opinions from experts on the impacts of security awareness training on students. Methodology. Our research used semi-structured interviews with twelve experts chosen through the use of purposive sampling. The population for the study consisted of experts in the fields of security awareness training for and teaching middle school-aged children. Candidates were recruited through the Cyber-Texas Foundation and snowball sampling techniques. Contribution. The research contributed to the body of knowledge by using interviews to explore the impacts of security awareness training on middle school students based on the opinions and views of the teachers and instructors who work with middle school students. Findings. The findings of this study demonstrate that middle school is an ideal time to provide cybersecurity training and will impact student behaviors by making them more conscious of cyber threats and preparing them to be more tech-savvy professionals. The research also showed that well-designed cybersecurity games with real-world application combined with traditional teaching techniques can help students develop positive habits. The research also suggests that teachers possess the skills to teach cybersecurity classes and the classes can be integrated into the current school day without the need for any significant changes to existing daily schedules. Recommendations for Practitioners. A well-design gamification-based curriculum implemented in Texas Middle Schools, combined with traditional teaching techniques and repeated over an extended time period, will impact students’ behaviors by making them more able to recognize and respond to cyber risks and will transform them into more secure and tech-savvy members of society. Recommendations for Researchers. The research shows middle school instructors and technology experts believe the implementation of a security awareness training program in middle schools is both possible and practical, while also beneficial to the students. The recommendation is to encourage researchers to explore ways to build curricula and games capable of appealing to students and implementing the instruction into school programs. Impact on Society. Demonstrating that training provided in middle school will make lasting impacts and improvements to student behaviors benefits children and their families in the short-term and workplaces in the long-term. The development of a more security-conscious workforce can reduce the significant number of data breaches and cyber attacks resulting from the poor security habits of companies’ users. Future Research. Future research that will add significant value to the body of knowledge includes testing the effectiveness of habit-shaping games to determine whether existing long-term games maintain student interest. Qualitative studies could interview parents of teenagers using habit-shaping games to determine the effectiveness of the applications. Another qualitative study could interview teachers to determine how teachers’ ages affect their comfort level teaching technology classes. Both studies could provide valuable insights into how to implement security awareness training in schools.

Empirical Study of Adaptive Serious Games in Enhancing Learning Outcome

Use of serious games to teach concepts of various important topics including Cybersecurity is growing. A figure of merit for the serious games could be learning outcome and user experience(UX). With enhanced learning outcome and user experience, the player is likely to favourably rate a game. The organisation supporting such games would also benefit from such efficient training process.We report an empirical comparison of two cybersecurity games namely ; Use of Firewalls for network protection and concepts of Structured Query Language (SQL) injections to get unauthorised access to online databases. We have designed these games in two versions. The version without using adaptive features provide a baseline to compare efficacy of the machine learning based adaptive game while comparing the learning outcomes and user experience (UX). The efficacy of the Machine Learning (ML) agent in providing the adaptability to the game play is based on classification of player to two categories viz. Beginner and Expert using historical player data on three relevant attributes. The game dynamics is modulated based on the player classification to ensure that game challenge is optimally suited to player type and the player continues to experience playful flow in different stages of the game.

Collaboration or separation maximizing the partnership between a “Gray hat” hacker and an organization in a two-stage cybersecurity game

Vulnerability disclosure is a key topic in cybersecurity. It is a practice ensuring that organizations address and fix vulnerabilities before bad actors can find and exploit them. This study focuses on the “disclose or exploit” dilemma. It presents a two-player non-zero-sum simultaneous cyber-security game between a hacker and an organization at multiple rounds. The vulnerabilities classified as high, medium, and low are based on a Common Vulnerability Scoring System (CVSS). The hacker can decide to act separately or to collaborate with the organization. Subsequently, the organization chooses to operate individually or cooperate with the hacker. The organization also has a budget limit to patch the vulnerabilities. The paper developed an algorithm to determine the Nash equilibria of the game and conducted a numerical analysis. It found that maximum cooperation occurred at the beginning of the game when both the organization and the hacker decided to cooperate.

Successful Gamification of Cybersecurity Training.

The behavioral aspect of cybersecurity has gained more attention in recent years. By their actions, people can improve the security of their devices and organizations, but also hinder the successful implementation of security in these areas. As awareness campaigns where information is merely distributed are not effective, we designed a cybersecurity serious game applicable for cybersecurity training. The effectiveness of this game was experimentally tested against a noncybersecurity game that did or did not contain cybersecurity information, through measures of the theory of planned behavior. Results showed that the cybersecurity game resulted in higher self-reported scores on attitudes, perceived behavioral control, intentions, and behavior compared with both noncybersecurity games. For subjective norms, we only found an effect in the comparison between the cybersecurity game and the noncybersecurity game without additional information.

Towards a Cognitive Theory of Cyber Deception.

This work is an initial step toward developing a cognitive theory of cyber deception. While widely studied, the psychology of deception has largely focused on physical cues of deception. Given that present-day communication among humans is largely electronic, we focus on the cyber domain where physical cues are unavailable and for which there is less psychological research. To improve cyber defense, researchers have used signaling theory to extended algorithms developed for the optimal allocation of limited defense resources by using deceptive signals to trick the human mind. However, the algorithms are designed to protect against adversaries that make perfectly rational decisions. In behavioral experiments using an abstract cybersecurity game (i.e., Insider Attack Game), we examined human decision-making when paired against the defense algorithm. We developed an instance-based learning (IBL) model of an attacker using the Adaptive Control of Thought-Rational (ACT-R) cognitive architecture to investigate how humans make decisions under deception in cyber-attack scenarios. Our results show that the defense algorithm is more effective at reducing the probability of attack and protecting assets when using deceptive signaling, compared to no signaling, but is less effective than predicted against a perfectly rational adversary. Also, the IBL model replicates human attack decisions accurately. The IBL model shows how human decisions arise from experience, and how memory retrieval dynamics can give rise to cognitive biases, such as confirmation bias. The implications of these findings are discussed in the perspective of informing theories of deception and designing more effective signaling schemes that consider human bounded rationality.

The industrial Internet of Things: From preventive to reactive systems — redefining your cyber security game plan for the changing world

Information technology (IT) and operational technology (OT) share a common set of technologies, but these platforms differ greatly in operational life cycle requirements, potential life/safety impact, and security assurance requirements for confidentiality versus availability. A new generation of OT platforms, called the Industrial Internet of Things (IIoT), offers both challenges and opportunities to forge new connections between the cyber and physical worlds. The urgency to connect these worlds from a security visibility perspective is high, as attackers can and will attack any connected platform; the classic OT security strategy of air-gapping devices does not adapt well to this new generation of connected devices. As a plethora of devices and systems are connected to allow for IIoT innovation, the increased number of endpoints makes protecting these devices ever more challenging even as they give ample opportunity for attackers. The vital importance of securing devices that run critical infrastructure or life-saving devices is paramount, and proactive and reactive elements must work together to protect, detect and automate response to threats using cloud scale and machine learning to amplify human intelligence. This paper makes suggestions about how to use the power of the cloud, improvements in machine learning and integrated signals in order to detect and remedy security issues. The paper posits that, in order to do that, we must think about where the signal is and how we can aggregate and centralise it to allow machine learning to detect anomalies.

What Attackers Know and What They Have to Lose: Framing Effects on Cyber-attacker Decision Making

Many cybersecurity algorithms assume adversaries make perfectly rational decisions. However, human decisions are only boundedly rational and, according to Instance-Based Learning Theory, are based on the similarity of the present contextual features to past experiences. More must be understood about what available features are represented in the decision and how outcomes are evaluated. To these ends, we examined human behavior in a cybersecurity game designed to simulate an insider attack scenario. In a human-subjects experiment, we manipulated the information made available to participants (concealed or revealed decision probabilities) and the framing of the outcome (as losses or not). An endowment was given to frame negative outcomes as losses, but these were not framed as losses when no endowment was given. The results reveal differences in behavior when some information is concealed, but the framing of outcomes only affects behavior when all information is available. A cognitive model was developed to help understand the cognitive representation of these features and the implications of the behavioral results.

Experiencing Cybersecurity One Game at a Time: A Systematic Review of Cybersecurity Digital Games

Background. Cybersecurity is of increasing importance in our interconnected world, yet the field has a growing workforce deficit and an underrepresentation of women and people of color. In an effort to address these issues, many digital games have been created to teach individuals about cybersecurity and keeping themselves, their data, and their networks safe. Intervention. We present the results of a systematic review of digital games related to cybersecurity as a means to understand how players are being introduced to cybersecurity in game-based contexts. Methods. Using a systematic search, we identified 181 games related to cybersecurity (either through content or aesthetics) by searching the Apple App Store, the Google Play Store, Steam, and the web broadly. Each game was played for up to an hour and characteristics such as the game story, game elements, and presentation of cybersecurity were gathered. Results. We found diverse conceptualizations of cybersecurity and of cybersecurity professionals. Further, the nature of games and the framing of cybersecurity varied by the platform and device on which the game was available (computer, mobile, or web). Web games were most likely to present cybersecurity as cyber safety and were more likely to be a gamified quiz or worksheet. Computer and mobile games tended to present cybersecurity through game aesthetics or deep content engagement. The games mirrored the underrepresentation of women and minoritized individuals in the field. Discussion. With the variety of digital cybersecurity games and the differences in games based on the platform on which the game is available, it is important game developers move beyond presenting cybersecurity through gamification and focusing on cyber safety. The current scope of cybersecurity games leaves room for the development of games focused on deeper content engagement with cybersecurity topics in an environment conducive to the broadening participation goals of the cybersecurity field.

The role of information about opponent’s actions and intrusion-detection alerts on cyber decisions in cyber security games

Cyberspace is becoming increasingly prone to cyberattacks. Cyberattack and cyber-defend decisions may be influenced by the information about actions of adversaries and defenders available to opponents (interdependence information) as well as by alerts from intrusion detection systems (IDSs), which offer recommendations to defenders against cyberattacks. Little is currently known, however, on how interdependence information and IDS alerts would influence the attack-and-defend decisions in cyber security. This paper discusses a laboratory experiment involving participants (N = 140) performing as would-be adversaries (attackers) and defenders (analysts). Participants were randomly assigned to four between-subjects conditions in a cyber security game, where the conditions varied in interdependence information (full-information or no-information) and IDS alerts (present or absent). Results revealed that the proportion of defend (attack) actions were smaller (same) when IDS was present compared to absent. In addition, the proportion of defend (attack) actions were same (smaller) in conditions of full-information about opponents compared to no-information about opponents. Furthermore, to understand the experimental results, the authors calibrated cognitive models based upon instance-based learning theory (IBLT), a theory of decisions from experience. Based upon the experimental conditions, four different variants of a single instance-based learning (IBL) model were developed. Model results revealed excessive reliance on recency and frequency of information and cognitive noise among both attackers and defenders across different experimental conditions. The paper highlights the implications of our results for cyber-decisions in the real world.

Cyber Security: Effects of Penalizing Defenders in Cyber-Security Games via Experimentation and Computational Modeling.

Cyber-attacks are deliberate attempts by adversaries to illegally access online information of other individuals or organizations. There are likely to be severe monetary consequences for organizations and its workers who face cyber-attacks. However, currently, little is known on how monetary consequences of cyber-attacks may influence the decision-making of defenders and adversaries. In this research, using a cyber-security game, we evaluate the influence of monetary penalties on decisions made by people performing in the roles of human defenders and adversaries via experimentation and computational modeling. In a laboratory experiment, participants were randomly assigned to the role of “hackers” (adversaries) or “analysts” (defenders) in a laboratory experiment across three between-subject conditions: Equal payoffs (EQP), penalizing defenders for false alarms (PDF) and penalizing defenders for misses (PDM). The PDF and PDM conditions were 10-times costlier for defender participants compared to the EQP condition, which served as a baseline. Results revealed an increase (decrease) and decrease (increase) in attack (defend) actions in the PDF and PDM conditions, respectively. Also, both attack-and-defend decisions deviated from Nash equilibriums. To understand the reasons for our results, we calibrated a model based on Instance-Based Learning Theory (IBLT) theory to the attack-and-defend decisions collected in the experiment. The model’s parameters revealed an excessive reliance on recency, frequency, and variability mechanisms by both defenders and adversaries. We discuss the implications of our results to different cyber-attack situations where defenders are penalized for their misses and false-alarms.

Analyzing Students’ Self-Perception of Success and Learning Effectiveness Using Gamification in an Online Cybersecurity Course

This paper analyzes students' self-perception of success and learning effectiveness after using non-compulsory gamification in an online Cybcourse. For this purpose, we designed a cybersecurity game based on cognitive constructivism learning theory. We built the game scenes using metaphors to present the main Cybersecurity contents to the students. We delivered the game in a regular course with two objectives: first, to find the primary design factors that affect students' self-perception of success. We propose a structural equation model to find out the elements with the most significant impact on the students' self-perception of success. The results show that the realistic game design and the contextualization of the game do have a notable influence. They are both examples of best practices in game design; second, to evaluate the learning effectiveness of the game. The results suggest a high correlation between playing the game and succeeding in the course. Moreover, chronological analysis of the performance reveals that the intention to play the game could be a simple dropout predictor. Thus, introducing the game in the educational curricula improves student engagement and consolidates their knowledge on cybersecurity.

Understanding Cyber Situational Awareness in a Cyber Security Game involving

Understanding Cyber Situational Awareness in a Cyber Security Game involving

Cyber Security Game for Intelligent Transportation Systems

ITSs are attracting much attention from the industry, academia and government in staging the new generation of transportation. Meanwhile, cyber security concerns are growing since cyber-attacks are prevalent and their behaviors are becoming more complex. Recently, game theory has been used to model the behaviors of these complex attacks and predict their future behaviors. In this article, we present a survey on how game theory can be used to protect ITSs from attacks and assess the pros and cons in terms of security level and required cost. Moreover, we propose a new cyber security Stackelberg game based framework to identify a relevant attack's features and subsequently improve the efficiency of detection.

A game theoretic approach to cyber security risk management

This paper describes the Cyber Security Game (CSG). Cyber Security Game is a method that has been implemented in software that quantitatively identifies cyber security risks and uses this metric to determine the optimal employment of security methods for any given investment level. Cyber Security Game maximizes a system’s ability to operate in today’s contested cyber environment by minimizing its mission risk. The risk score is calculated by using a mission impact model to compute the consequences of cyber incidents and combining that with the likelihood that attacks will succeed. The likelihood of attacks succeeding is computed by applying a threat model to a system topology model and defender model. Cyber Security Game takes into account the widespread interconnectedness of cyber systems, where defenders must defend all multi-step attack paths and an attacker only needs one to succeed. It employs a game theoretic solution using a game formulation that identifies defense strategies to minimize the maximum cyber risk (MiniMax). This paper discusses the methods and models that compose Cyber Security Game . A limited example of a Point of Sale system is used to provide specific demonstrations of Cyber Security Game models and analyses.