Teamwork in Cybersecurity: Evaluating the Cooperative Board Game [d0x3d!] as an Experimental Testbed

It is crucial to identify the knowledge, skills, and attitudes (KSAs) that contribute to success in cybersecurity teams. We introduce a board game, [d0x3d!], as an experimental testbed designed to create a controlled environment and set of manageable tasks aimed at exploring teamwork competencies that may be relevant to the cybersecurity workforce. [d0x3d!] requires players to work together and share information to retrieve stolen digital assets. The authors aim to improve the efficacy of cybersecurity team training by incorporating modern teamwork theory and measurement. This testbed provides a low-cost and user-friendly platform for training, evaluation, and research

Game based cyber security training: are serious games suitable for cyber security training?

Security research and training is attracting a lot of investment and interest from governments and the private sector. Most efforts have focused on physical security, while cyber security or digital security has been given less importance. With recent high-profile attacks it has become clear that training in cyber security is needed. Serious Games have the capability to be effective tools for public engagement and behavioural change and role play games, are already used by security professionals. Thus cyber security seems especially well-suited to Serious Games. This paper investigates whether games can be effective cyber security training tools. The study is conducted by means of a structured literature review supplemented with a general web search. While there are early positive indications there is not yet enough evidence to draw any definite conclusions. There is a clear gap in target audience with almost all products and studies targeting the general public and very little attention given to IT professionals and managers. The products and studies also mostly work over a short period, while it is known that short-term interventions are not particularly effective at affecting behavioural change

Talking about Security with Professional Developers

This paper describes materials developed to engage professional developers in discussions about security. First, the work is framed in the context of ethnographic studies of software development, highlighting how the method is used to explore and investigate research aims for the Motivating Jenny research project. A description is given of a series of practitioner engagements, that were used to develop a reflection and discussion tool using security stories taken from media and internet sources. An explanation is given for how the tool has been used to collect data within field sites, offering a way to clarify and member check findings, and to provide a different view on practice and process. The report concludes with observations and notes about future aims for supporting and encouraging professionals to engage with security in practice

An e-ADR (elaborated Action Design Research) Approach Towards Game-based Learning in Cybersecurity Incident Detection and Handling

The growth of internet has significantly increased the cybersecurity threat instances. Therefore to equip people with skills to mitigate such attacks, this paper provides a Cybersecurity game-based learning artefact designed using the e-ADR approach. The artefact teaches the Incident Detection and Handling procedures that need to be undertaken in the event of a cybersecurity threat. As per NIST’s guide to malware incident prevention and handling, an incident response process has four major phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Our gaming artefact delves into the detection and containment phase to design a game that teaches users to detect and then perform containment actions on the cybersecurity threat

Aligning Security Practice with Policy: Guiding and Nudging towards Better Behavior

Despite an abundance of policies being directed towards them, users often struggle to follow good cybersecurity practice. Recognizing that such behaviors do not come naturally, a logical approach is to ensure that users are guided and supported in knowing what to do and how to do it. Unfortunately, such support is often lacking. The paper uses the example of password authentication as a specific context in which cybersecurity behavior is frequently criticized, but where users are often left to manage without sufficient support (as evidenced by examining the lack of related guidance and enforcement of good practice on leading websites). The discussion then proceeds to look at the effect of actively supporting the user, drawing upon the results from two experimental studies (one looking at the practical impact of guidance and feedback upon users’ password choices, and the other examining the effect of gamifying the password selection experience). The results collectively show that such efforts can have tangible positive effects upon user behaviors. While the specific findings are focused upon passwords, similar principles could also be applied to other aspects of user-facing security

Using Offline Activities to Enhance Online Cybersecurity Education

Since the beginning of the 21st century, the United States has experienced the impact of a technological revolution. One effect of this technological revolution is the creation of entirely new careers related to the field of technology, including cybersecurity. Continued growth in the cybersecurity industry means a greater number of jobs will be created, adding to the existing number of jobs that are challenging an under-educated and under-trained workforce. The goal of this thesis is to increase the effectiveness of cybersecurity education. This thesis studies whether an online course in cybersecurity can be enhanced by offline, in-person activities that mirror traditional classroom methods. To validate the research, two groups of high school students participated in an online course with only one group participating in offline activities. The results showed that the group that participated in both the online and offline portions of the course had a higher percentage of student retention, a more positive mindset towards cybersecurity, and an improved performance in the course

Puzzle-Based Learning for Cyber Security Education

Puzzle-based learning has proven to result in a better STEM learning environment in mathematics, physics, and computer science. However, no significant work has been done in computer and cyber security, only the idea of using puzzles to teach cyber security has only been introduced very recently. We introduce two different puzzle designs, truth table based and decision tree based. In both cases participants have to make decisions according to their knowledge and scenario. We conducted some informal surveys and believe that such interactive learning will help students to understand complex cyber-attack paths and countermeasures for fraud detection, cybercrime, and advanced persistent threats (APTs). Participants will learn not only to protect a specific system but also an entire class of systems with different hardware/software components and architectures, providing similar service. The survey result shows that the puzzle-based learning method has been beneficial for the students towards their learning

The Future of Digital Forensics, A Gamified Approach for Education.

Digital Forensics is a 21st-century emerging field that has taken more roots than ever before in the field of information security. The growth of digital forensics can be attributed to the need for expert digital forensics analysts to respond to the increased cybercrimes currently pillaging through the Internet and its environs. Without a doubt, the field of digital forensics is by far more complex. It requires extensive knowledge of new trends and legacy systems and the extensive use of specialized tools tailored in securing convictions through properly acquired evidence that can be used in a courtroom or thereof. Due to the numerous demands of individuals in the field, it is quite shocking that the number of experts is low hence a considerable backlog of cases in law enforcement. This study\u27s abstract is to tentatively study and meticulously understand the many reasons for the decline in the growth of Digital Forensics and Cyber Security experts in the field. The project will also provide a method to combat this problem through a gamified approach targeting high school students with the sole benefit of creating awareness about this technical field from a young age to probably foster new ideologies and critical thinkers that would see a rise in the number of experts in this field as a result of keen interest and not just for a means to ensure basic needs are met. Also, to achieve this goal, this project will provide students with an awareness of what Digital Forensics is all about at that early stage in their lives through a gaming tool that will be interactive and fun

The Cybercrime Triangle

Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged “…if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed” (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime. To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the “Crime Triangle,” a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security. The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using “Phishing Campaign” and “Cybersecurity Awareness Training Program” data derived from FIU’s Division of Information Technology