Article Preview
Top1. Introduction
Today Cyber Security is at the top of many government’s agendas and extensive research is conducted (Ayres et al., 2016) with the aim of designing solutions that protect against or mitigate cyber attacks (Nicholson et al., 2012). To evaluate such solutions and to increase understanding of how cyber-attacks against organisations evolve and propagate, the replication of realistic attack and defence scenarios is paramount (Hahn et al., 2013). Technical solutions which implement low-level controls such as VPN deployment, data-diodes to ensure unidirectional information flows to the deployment of complex role-based access control mechanisms and federated identity management all serve the purpose of preventing attackers from penetrating the organisation defences (Cook, 2017). However, the development of security solutions without understanding the concrete threat or the organisations’ security behaviour when faced with an incident is lacking a holistic approach to security that must bring together infrastructure, software and human variables (Evans et al, 2019). Additionally, incident response teams cannot prepare for every situation, or predict every crisis.
Following this increase on cyber-attacks, the need for professionals will also continue to increase on the upcoming years. According to predictions from Cybersecurity Ventures an estimated of 3.5 million cybersecurity jobs will be available and eventually unfilled by 2021. While global Cybercrime damages are predicted to reach $6 Trillion annually by 2021 (Chung, 2020), 61% of companies find most of the cybersecurity applicants unqualified (Crumpler, 2019). The majority of chief information security officers around the world are worried about the cybersecurity skills gap, with 58% of CISOs believing the problem of not having an expert cyber staff will worsen (Angafor et al, 2020).
As a result, training activities and environments need to be provided to support operating in challenging situations, to develop concrete guidance, procedures and tools to help individuals to collectively react in different, unpredictable situations (Koskinen-Kannisto et al, 2015). In order to produce the level of team cohesion and adaptability required to respond to the variety of incidents an organisation might face, the training environment should include simulations to contribute to the progressive, cost-effective establishment and maintenance of situational awareness and skills proficiency (Johnston et al. 2003).
Experiential learning (Kolb, 1984) is an educational technique based on the assumed importance of experimenting and involvement, proposing that active engagement in a scenario develops personal experiences that form the basis of understanding, and the construction of mental models on which subsequent decisions can be based. Iterations of game experiences, followed by periods of reflection, promotes the formation of ideas, with the testing of these ideas solidifying the understanding in the mind of the participant (Gouveia et al., 2011). Serious Games are a form of experiential learning in which a mental contest is played in accordance with specific rules to deliver specific learning objectives (Zyda, 2005) (Crookall, 2010), encouraging the player to decide, choose, define priorities and to solve problems (Gouveia et al., 2011).
Exercises are a form of serious game that are a proven method of delivering experiential learning (Patriciu & Furtuna, 2009). The advantage of serious games is in the provision of a safe training environment, where users are able to play, test and reflect without serious consequences, in a motivating, challenging environment, where the player acquires skills and knowledge that are transferable to real world tasks (Lukosch et al., 2012) (Wilhelmson & Svensson, 2014) (Cook, 2016). The term ‘exercise’ is fairly broad, however, and represents many different types of activities from individual training through to large-scale, multi-team events, where teams can familiarise themselves with tools, procedures, and rehearse working together as a unit (Kim & Goodall, 2016). Cyber ranges (Wilhelmson & Svensson, 2014) (Kim & Goodall, 2016) (Brynielsson et al., 2016) (Brangetto et al., 2015) (Sommestad & Hallberg, 2012) are representative exercising environments containing physical and virtual elements, where a variety of scenarios and forms of gameplay can be executed (Patriciu & Furtuna, 2009). A cyber range is used to present a real-life situation or hypothetical security problem staged in a realistic manner, although typically in a condensed timeframe (Brynielsson et al., 2016) (Sommestad & Hallberg, 2012) (Papaspirou, 2020).