Toward Guidelines for Designing Cybersecurity Serious Games
Miriam Galikova, Valdemar Svabensky, Jan Vykopal
Faculty of Informatics, Masaryk University, Czech Republic
r i Motivation		
<£*		*£•©
Hands-on practical training	No standardized methodology	Creative and engaging
enables deep understanding	for creating cybersecurity serious games	learning approach
		
Game Example Task
Learning by solving realistic tasks in a game-like structure
Goals of the Guidelines
Based on proven teaching     Practical guide for game creators methods that is easy to follow
Level: Looking for the server's IP address
You managed to guess the password on a Wi-Fi router, so you have already accessed the local network of one institution. You also saw the other machines' IP addresses in the router's web Ul. There are two machines with IP addresses 172.18.1.5 and 172.18.1.6. Now, your your goal is to gain access to the server. Since there are two machines in the network, scan the hosts and recognize the server's IP address. You can recognize the server by its running services.
The answer is the port number on which the file sharing service is running on the server's machine.
Game Example Topology
Challenge Design
Using the methods, we create games in which the players proceed in steps of the Mandiant's attack lifecycle [1].
Maintain Presence ■		Move Laterally
		
Initial
Compromise
Escalate Privileges
Outside network (Internet)
Network of a fictitious institution
Learning Objectives
Game Example Environment
State of the Art
Cybersecurity serious games combine proven teaching methods and creative means of cybersecurity education [2].
Games aim to effectively reproduce real-world security situations that require strategic and adversarial thinking [3].
While playing the game, players can acquire knowledge from various areas, such as penetration testing, network forensics, or secure coding [4].
Guidelines Aspects
Learning objectives
Design of challenges/tasks and their solutions Hints and suitable scaffolding
Gamification elements, such as narrative, players' game identity, injects, special rewards
Technical environment, testing, and troubleshooting
Data gathering, privacy, and ethical considerations
Evaluation and final documentation
Copyright and game licences
Rules and anti-cheating policies
References
2 of China's cyber espionage units". I
Mandian. com (2013). pdf.
i: 2010 Third IEEE
[1] Mandiant Intelligence Center. "APT1: Exposin;
urlt h.ttps://www.f ireeye.com/content/dam/f ireeye-ww/services/pdf s/mandiant-aptl-rep< [2] V. Aleven et al. "Toward a Framework for the Analysis and Design of Educati
International Conference on Digital Game and Intelligent Toy Enhanced Learning. 2010, pp. 69-76. [3] N. M. Katsantonis et al. "Conceptual Framework for Developing Cyber Security Serious Games". In: 201g IEEE
Global Engineering Education Conference (EDUCON). 2019, pp. 872-881.
[4] L. A. Annetta. "The Ts" Have It: A Framework for Serious Educational Game Design". In: Review of General Psychology 14.2 (2010), pp. 105-113. doi: 10.1037/a0018985. url: https://doi.org/10.1037/a0018985.
If you are interested in playing the example cybersecurity game, please contact the author at galikova@mail.muni.cz. We would also love to hear your feedback and comments!