Data-driven Security Game - STIX and Stones

Abstract

In this day and age, the field of information security is becoming more and more important. Developers need to know how to defend against new threats to their system. Unfortunately, the field of information security is not the most popular among computer science students. To address this is issue, attempts at using gamification and computer games as learning tools have been attempted. Big games like Protection Poker and Elevation of Privilege have attempted to engage and interest students, but have so far not been tremendous successes.

This thesis attempts to identify the requirements for creating such a game, and to implement it as a fun and engaging game that provides its users with up-to-date, real-world knowledge of information security. To ensure that the needs of the users are in focus, they are involved in the process from the very start, and they help shape the development of the game. The game is implemented as a data-driven computer game, meaning it continuously fetches data from online sources to stay up to date with any new information. This is completely autonomous, and requires no manual labour.

To test how well this game is able to solve the problem, a user-testing session is performed. Results showed that the game had great promise. The users liked the concept and perceived that they improved their knowledge of information security after they played it. Though the concept was well received, several issues like information overload and missing features were also discovered.

The game implemented in this thesis is not the next great educational game, but it proves the concept is valid, and that with more development and polish, it could become a success. This thesis outlines what changes could be done to this version of the game to improve it, and outlines suggestions for what features could be implemented in the future, to take the game to the next level.