The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game

Stakeholders’ security decisions play a fundamental role in determining security requirements, yet little is currently understood about how different stakeholder groups within an organisation approach security, or about the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics (security experts, computer scientists and managers) when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups from each demographic) reveals strategies that recur within particular demographics: for example, managers and security experts generally favoured technological solutions over personnel training, whereas computer scientists preferred training. Surprisingly, security experts were not ipso facto better players (in some cases they made very questionable decisions), yet they showed a higher level of confidence in themselves. We classified players’ decision-making processes as procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.
