Abstract
Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.
Acknowledgments
The authors would like to thank the participants of the survey for their time and their valuable answers. This work is financed by Portuguese national funds through FCT - Fundação para a Ciência e Tecnologia, I.P., under the project FCT UIDB/04466/2020. Furthermore, the third author thanks the Instituto Universitário de Lisboa and ISTAR-IUL for their support.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Gasiba, T., Lechner, U., Pinto-Albuquerque, M., Porwal, A. (2020). Cybersecurity Awareness Platform with Virtual Coach and Automated Challenge Assessment. In: Katsikas, S., et al. Computer Security. CyberICPS 2020, SECPRE 2020, ADIoT 2020. Lecture Notes in Computer Science, vol 12501. Springer, Cham. https://doi.org/10.1007/978-3-030-64330-0_5
DOI: https://doi.org/10.1007/978-3-030-64330-0_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64329-4
Online ISBN: 978-3-030-64330-0
eBook Packages: Computer Science, Computer Science (R0)