Thriving in the era of hybrid work: Raising cybersecurity awareness using serious games in industry trainings
Tiange Zhao,Tiago Gasiba,Ulrike Lechner,Maria Pinto-Albuquerque
DOI: https://doi.org/10.1016/j.jss.2023.111946
IF: 3.5
2024-01-04
Journal of Systems and Software
Abstract: The important missions of modern software engineering education are to prepare software engineers to work in a hybrid mode and to address the need to enable them to write secure code and deliver secure products and services to the customer. Providing training akin to an authentic experience poses several challenges, such as hybrid infrastructures, lack of engagement, and interactions. Cybersecurity and cybersecurity awareness have also gained importance due to the shift towards work-from-home (WFH) or work-from-anywhere (WFA): The work environment is forced to be distributed across large heterogeneous networks with different security levels. We perceive hybrid work as a work mode where the team members follow WFH or WFA and work from the office. Therefore various security levels at the workplace and restrictions on informal team communications need to be taken into account. We report on experiences from an industrial company producing software and cyber–physical systems. Initially set to update the existing secure code guidelines, the study led to the discovery that it is crucial to go beyond an up-to-date set of security guidelines: it is mandatory to raise the cybersecurity awareness of those who are to follow the guidelines. We present a novel approach, via serious games, to train software engineers working in the industry, which is delivered in a hybrid mode and equips practitioners to face the challenges of hybrid work. Serious games have more than just entertainment purposes. They have proven to be effective ways to maintain engagement and boost training, particularly in cybersecurity. We developed and used two innovative serious games to raise cybersecurity awareness: (1) CyberSecurity Challenges (CSC), about how to develop secure software; and (2) Cloud of Assets and Threats (CATS), about cloud security, including its shared responsibility model. It is decisive for the industry that the software is written, developed, and deployed securely.
The cloud service has replaced many on-premises deployments. It is essential to enable hybrid work, turning knowledge and practice about cloud security into essential capacities for professional hybrid work. We provide the theoretical foundations for the two serious games and the overall approach. We also report and analyze more than 300 industry practitioners' training experiences from 2017 to 2023 and use this to evaluate the games. By applying serious games in the industry, among practitioners, we gain valuable experience in combining the advantages of different training modes and mitigating the disadvantages of online training. We observe the impact of serious games through a scientifically sound approach based on the data and feedback we collected systematically from the trainers', trainees', and organization's perspectives. We show through empirical evidence that serious games are a successful approach for training conducted in hybrid work mode while providing authentic and immersive experiences that empower and raise cybersecurity awareness of current and future software professionals.
computer science, theory & methods, software engineering