Abstract
While academic interest has grown in using gamification in training different aspects of cybersecurity, the research remains sparse on the design and development of games that focus on integrated concepts of security and sustainability. This chapter builds on a previously presented framework for designing serious games and develops and evaluates an instantiation of a game aimed to promote secure and sustainable behavior in digital ecosystems. It describes the theoretical foundation of the game, giving a detailed account of its game design process. Then, it provides the preliminary evaluation in which significant qualitative evidence of security and sustainable behavior is observed regarding progressive system thinking and anticipatory and problem-solving competencies. The results show that gamification facilitated learning the concepts and changing behavior towards sustainability transitions. Further investigation, with larger sample size, is required using other game elements that promote cooperation and critical thinking competencies.
TopIntroduction
Evolving malicious cyber activities and increasing cyber risks to individuals, organizations, and governments have made cybersecurity a significant challenge and core part of societal, political, and economic decisions (Anderson et al., 2019; Geer et al., 2020). The Global Risks Report 2021, published by the World Economic Forum, has categorized cybersecurity failures as clear and present dangers (McLennan, 2021). This category reveals concern about lives and livelihoods – among them infectious diseases, employment crises, digital inequality, and youth disillusionment. Moreover, the increasing value of tangible and intangible assets in cyber-physical systems is becoming more attractive to those who wish to penetrate systems for financial gains, psychological and reputational gains, or to cause instability. Therefore, ensuring cybersecurity through greater awareness, strong multi-stakeholder partnerships, and deep structural changes in key areas of institutional activities are crucial for having secure, sustainable hyper-connected societies that rely on digital infrastructure (Assembly, 2017).
The solution to many cybersecurity problems is to build and develop strong cybersecurity policies that enable the organizations to extend protection against cyber-attacks, and strategies that enable timely detection of risks, threats, and breaches, and allow the organizations to tackle them. Cybersecurity policies and strategies need to be sustainable, measurable, and offer actionable insights. In addition to security, therefore, this work focuses on a hard-to-quantify but vital concept known as sustainability.
Galaitsi et al. define sustainability as the ability to maintain a high level of functionality without inputs from external resources (Galaitsi et al., 2021).1 This definition can be extended through interconnected domains, including society, technology, and economics. Secure, sustainable cybersecurity behavior in the presence of rapid-paced socio-technical changes in today's world compel the organizations and governments to deal with cyber threats potentially affecting them, to prioritize the defense of their digital and physical assets, decide what security measures should be implemented, and what operations need to be integrated into their daily routines.
Both of these concepts, security and sustainability, focus on both ordinary, repetitive threats and those that are extreme and rare. Therefore, consideration of security and sustainability goals together, reflection on current behavior, and engagement in more secure operations that lead to the formation of sustainable behaviors are the challenges that this work tackles. To tackle these challenges, the authors designed and developed a strategic simulation, also known as policy simulation or policy exercise. Strategic simulations are interactive, participatory methods to develop strategic insight that builds on selected representations of real-world structures and processes (Duke & Geurts, 2004). This approach allows individuals to explore real policy issues, using design elements known from serious games to structure communication (Geurts et al., 2007), as well as to include feedback that participants receive based on their decisions.
The current state of the art of gamification studies shows that integrated concepts of security and sustainability are not at the forefront of the design and execution of games initiatives, despite some awareness of security and privacy implications and developing skills. However, the uptake in the field of gamification in cybersecurity dictates a necessary shift from implementing a limited set of security measures to a more mature and holistic conception of security and sustainability as integral parts of digital ecosystems, starting at the very first stages of design. In many current reports on sustainable cybersecurity, these factors are only discussed in a limited fashion. (Sadik et al., 2020; Shackelford et al., 2016; Vasiu & Vasiu, 2018). This chapter does not aim to suggest that these initiatives are necessarily insufficient in this respect, but in general, it appears that the focus on the aspects related to security and sustainability is relatively peripheral.
Key Terms in this Chapter
Influence Diagrams: Are graphical and mathematical representation of a decision situation. By using various shapes, an influence diagram depicts decisions, uncertainties, and objectives.
Security Metrics: Are specific, measurable, repeatable, and time-dependent values and units that demonstrate how well an organization’s cybersecurity plan is accomplishing goals, maintaining compliance, and mitigating risks.
Gamification: Is the application of game elements such as goals, rules, strategies, aesthetics, and rewards to non-game contexts and problems such as cybersecurity, business, and climate change.
Conceptual change: Is the process whereby concepts, ideas, thoughts, and the relationships between them change over the course of a person’s lifetime or over the course of a change in the understanding of a context.
Sustainable Cybersecurity: Is a continuous socio-technical process of implementing, using, managing, and maintaining security resources to ensure a certain level of security, reliability, and resilience in organizations.
Policy Simulations: Are visual tools that enables the users to select initiatives, compare scenarios, analyze outcomes, and share results to understand how policies are enforces on a given context.
Socio-Technical Perspective: Is understanding the importance of the interrelatedness of social and technical aspects of organizations and societies, and how they change and evolve by their interaction.