923 research outputs found

    Sifu - a cybersecurity awareness platform with challenge assessment and intelligent coach

    Software vulnerabilities, when actively exploited by malicious parties, can lead to catastrophic consequences. Proper handling of software vulnerabilities is essential in the industrial context, particularly when the software is deployed in critical infrastructures. Therefore, several industrial standards mandate secure coding guidelines and industrial software developers’ training, as software quality is a significant contributor to secure software. CyberSecurity Challenges (CSC) form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry. These cybersecurity awareness events have been used with success in industrial environments. However, until now, these coached events took place on-site. In the present work, we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online. The introduced cybersecurity awareness platform, which the authors call Sifu, performs automatic assessment of challenges in compliance with secure coding guidelines, and uses an artificial intelligence method to provide players with solution-guiding hints. Furthermore, due to its characteristics, the Sifu platform allows for remote (online) learning, in times of social distancing. The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events. We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers’ awareness on secure coding.

    Cybersecurity challenges: Serious games for awareness training in industrial environments

    Awareness of cybersecurity topics, e.g., related to secure coding guidelines, enables software developers to write secure code. This awareness is vital in industrial environments for the products and services in critical infrastructures. In this work, we introduce and discuss a new serious game designed for software developers in the industry. This game addresses software developers’ needs and is shown to be well suited for raising secure coding awareness of software developers in the industry. Our work results from the experience of the authors gained in conducting more than ten CyberSecurity Challenges in the industry. The presented game design, which is shown to be well accepted by software developers, is a novel alternative to traditional classroom training. We hope to make a positive impact in the industry by improving the cybersecurity of products at their early production stages.

    Raising awareness about cloud security in industry through a board game

    Today, many products and solutions are provided on the cloud; however, the amount and financial losses due to cloud security incidents illustrate the critical need to do more to protect cloud assets adequately. A gap lies in transferring what cloud and security standards recommend and require to industry practitioners working in the front line. It is of paramount importance to raise awareness about cloud security of these industrial practitioners. Under the guidance of the design science paradigm, we introduce a serious game to help participants understand the inherent risks, understand the different roles, and encourage proactive defensive thinking in defending cloud assets. In our game, we designed and implemented an automated evaluator as a novel element. We invite the players to build defense plans and attack plans for which the evaluator calculates success likelihoods. The primary target group is industry practitioners, whereas people with limited background knowledge about cloud security can also participate in and benefit from the game. We design the game and organize several trial runs in an industrial setting. Observations of the trial runs and collected feedback indicate that the game ideas and logic are useful and provide help in raising awareness of cloud security in industry. Our preliminary results share insight into the design of the serious game and are discussed in this paper.

    Raising security awareness using cybersecurity challenges in embedded programming courses

    Security bugs are errors in code that, when exploited, can lead to serious software vulnerabilities. These bugs could allow an attacker to take over an application and steal information. One of the ways to address this issue is by means of awareness training. The Sifu platform was developed in the industry, for the industry, with the aim to raise software developers' awareness of secure coding. This paper extends the Sifu platform with three challenges that specifically address embedded programming courses, and describes how to implement these challenges, while also evaluating the usefulness of these challenges to raise security awareness in an academic setting. Our work presents technical details on the detection mechanisms for software vulnerabilities and gives practical advice on how to implement them. The evaluation of the challenges is performed through two trial runs with a total of 16 participants. Our preliminary results show that the challenges are suitable for academia, and can even potentially be included in official teaching curricula. One major finding is an indicator of the lack of awareness of secure coding by undergraduates. Finally, we compare our results with previous work done in the industry and extract advice for practitioners.

    Awareness of secure coding guidelines in the industry - A first data analysis

    Software needs to be secure, in particular when deployed to critical infrastructures. Secure coding guidelines capture practices in industrial software engineering to ensure the security of code. This study aims at assessing the level of awareness of secure coding in industrial software engineering, the skills of software developers to spot weaknesses in software code, and avoid them, as well as the organizational support to adhere to coding guidelines. The approach draws not only on well-established theories of policy compliance, neutralization theory, and security-related stress but also on the authors’ many years of experience in industrial software engineering and on lessons identified from training secure coding in the industry. The paper presents the design of the questionnaire for the online survey and the first analysis of data from the pilot study.

    CATS: A serious game in industry towards stronger cloud security

    Cloud computing has become a widely applied technology in the industry. Broad network access as a characteristic of cloud computing brings business value. It poses threats to cloud assets due to a greater attack surface than on-premises and other service models. Industry standards aim to regulate cloud security by enforcing best practices. To comply with the standards, practitioners in the industry are mandated to be trained to understand basic concepts of attack and defense mechanisms in cloud security to protect assets in the cloud. This work presents a serious game: Cloud of Assets and Threats (CATS), as an enrichment to the traditional training material to raise awareness about the cloud security challenges. In this paper, we introduce the design elements and implementation details of CATS. We organized eight game events with 94 industrial practitioners to validate our design. We applied a questionnaire and conducted semi-structured interviews with the game participants to evaluate the impact of the game and collect feedback. The evaluation indicates that CATS is a promising innovative method for promoting awareness of cloud security issues among practitioners in the industry, regardless of their technical background. Our main contributions are the design of such a game and the understanding of the impact of playing the CATS game in the industry.

    Industry needs in requirements engineering: XXI century challenges for an IT curricula

    The Requirements Engineering (RE) community must be prepared for XXI century challenges, such as Industry 4.0. Considering this, we collect the requirements engineering needs and challenges indicated by ten enterprises that operate in the Portuguese information technology (IT) market. We aim to bring to the wider IT academic community, awareness of the challenges the industry is confronted with in the area of RE, to inform IT engineering curricula, and foster industry-academia cooperation. These needs and challenges were collected in a workshop (http://re2017.org/pages/conference/rept/) that brought together academia and industry members of the Portuguese community

    A large-scale study on the security vulnerabilities of cloud deployments

    As cloud deployments are becoming ubiquitous, the rapid adoption of this new paradigm may potentially bring additional cyber security issues. It is crucial that practitioners and researchers pose questions about the current state of cloud deployment security. By better understanding existing vulnerabilities, progress towards a more secure cloud can be accelerated. This is of paramount importance especially with more and more critical infrastructures moving to the cloud, where the consequences of a security incident can be significantly broader. This study presents a data-centric approach to security research – by using three static code analysis tools and scraping the internet for publicly available codebases, a footprint of the current state of open-source infrastructure-as-code repositories can be achieved. Out of the scraped 44485 repository links, the study is concentrated on 8256 repositories from the same cloud provider, across which 292538 security violations have been collected. Our contributions consist of: understanding on existing security vulnerabilities of cloud deployments, contributing a list of Top Guidelines for practitioners to follow to securely deploy systems in the cloud, and providing the raw data for further studies.

    On the physical interpretation of effective actions using Schwinger's formula

    We show explicitly that Schwinger's formula for one-loop effective actions corresponds to the summation of energies associated with the zero-point oscillations of the fields. We begin with a formal proof, and after that we confirm it using a regularization prescription. Comment: 5 p., REVTEX, IF-UFRJ-9

    Novel Virtual Environment for Alternative Treatment of Children with Cerebral Palsy

    Cerebral palsy is a severe condition usually caused by decreased brain oxygenation during pregnancy, at birth or soon after birth. Conventional treatments for cerebral palsy are often tiresome and expensive, leading patients to quit treatment. In this paper, we describe a virtual environment for patients to engage in a playful therapeutic game for neuropsychomotor rehabilitation, based on the experience of the occupational therapy program of the Nucleus for Integrated Medical Assistance (NAMI) at the University of Fortaleza, Brazil. Integration between patient and virtual environment occurs through the hand motion sensor “Leap Motion,” plus the electroencephalographic sensor “MindWave,” responsible for measuring attention levels during task execution. To evaluate the virtual environment, eight clinical experts on cerebral palsy were subjected to a questionnaire regarding the potential of the experimental virtual environment to promote cognitive and motor rehabilitation, as well as the potential of the treatment to enhance risks and/or negatively influence the patient’s development. Based on the very positive appraisal of the experts, we propose that the experimental virtual environment is a promising alternative tool for the rehabilitation of children with cerebral palsy.