Serious Coding: A Game Approach To Security For The New Code-Citizens

严肃的编码：新代码公民的安全游戏方法

• 批准号: EP/T017511/1
• 负责人: Lynne Baillie
• 金额: $ 127.2万
• 依托单位: Heriot-Watt University
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2020
• 资助国家: 英国
• 起止时间: 2020 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FT017511%2F1
• 关键词: Serious; Coding; Game; Approach; Security

The security of software systems is a complex problem impacted by organisation, technology and people. An example of the impact of weak security is shown by the 2019 Cost of a Data Breach report in which the Ponemon Institute for IBM Security estimated that across the United Kingdom, the average cost of a data breach increased from $3.68 million in 2018 to $3.88 million in 2019 (6th highest cost globally when compared to other regions). Software developers are at the forefront of the issue as confirmed by the GitLab's 2019 Global Developer Report released on 15th July 2019 (https://about.gitlab.com/developer-survey/2019/) which surveyed over 4k software professionals and found that while 69% of developers indicate they are expected to write secure code, nearly half said they struggle to get developers to make remediation of vulnerabilities a priority, and 68% of security professionals feel that fewer than half of developers are able to spot security vulnerabilities later in the lifecycle. These dramatic figures are for professionals while the democratisation of software development and deployment enabled by the enormous markets of mobile and Web apps means that many of these apps are not built by professionals. With the democratisation of software development and deployment, comes the widening of the issues of code security and safety. At the heart of this democratisation are the new code-citizens who are code- literate, able to build and run their own software code. However, they may have had no formal software engineering training and are often outside of the software industry which normally inculcate good practice via house standards. As new citizens, they need to discover, understand, and exercise their rights and duties among a society living with software systems. Their understanding of the security implications of their coding is of fundamental importance to the security of software systems. Recent research (Fischer et al, 2017) revealed that of the 1.3 million Android applications that contained security-related code snippets from Stack Overflow 97.9% contained at least one insecure code snippet. To assist these code-citizens to become secure code citizens we believe that we can use serious games, which will bring practice and play together to enhance and guide our participants focus. Games are an immersive medium which the project will use to engage code-citizens and deliver an intervention on security matters. Additionally, the process of designing serious games itself elicits the nature of the practice and engages participants in defining how to intervene and act effectively. We propose in this project to put code-citizens at the heart of secure code development by engaging code-citizens in the co-design of serious games for code-citizens. The project will apply an enhanced serious game design for three software security themes that have been informed by industrial practice.

软件系统的安全性是一个复杂的问题，受到组织、技术和人员的影响。2019年数据泄露成本报告显示了弱安全性影响的一个例子，其中Ponemon Institute for IBM Security估计，在整个英国，数据泄露的平均成本从2018年的368万美元增加到2019年的388万美元（与其他地区相比，全球第六高成本）。软件开发人员处于这个问题的最前沿，GitLab于2019年7月15日发布的《2019年全球开发人员报告》（https：//about.gitlab.com/developer-survey/2019/）证实了这一点，该报告调查了4000多名软件专业人员，发现虽然69%的开发人员表示他们有望编写安全代码，但近一半的开发人员表示他们很难让开发人员将漏洞修复作为优先事项，68%的安全专业人员认为只有不到一半的开发人员能够在生命周期后期发现安全漏洞。这些引人注目的数字是针对专业人士的，而由移动的和Web应用程序的巨大市场所实现的软件开发和部署的民主化意味着这些应用程序中的许多应用程序不是由专业人士构建的。随着软件开发和部署的民主化，代码安全性和安全性问题也随之扩大。这种民主化的核心是新的代码公民，他们懂代码，能够构建和运行自己的软件代码。然而，他们可能没有接受过正式的软件工程培训，并且通常不属于软件行业，而软件行业通常通过内部标准灌输良好的实践。作为新公民，他们需要发现、理解并在一个使用软件系统的社会中行使自己的权利和义务。他们对编码的安全含义的理解对软件系统的安全性至关重要。最近的研究（Fischer et al，2017）显示，在130万个包含来自Stack Overflow的安全相关代码片段的Android应用程序中，97.9%包含至少一个不安全的代码片段。为了帮助这些代码公民成为安全的代码公民，我们相信我们可以使用严肃的游戏，这将把实践和游戏结合在一起，以提高和引导我们的参与者的注意力。游戏是一种沉浸式的媒介，该项目将用于吸引代码公民并对安全问题进行干预。此外，设计严肃游戏的过程本身就体现了实践的本质，并使参与者参与定义如何有效地干预和行动。在这个项目中，我们建议将代码公民置于安全代码开发的核心，让代码公民参与为代码公民共同设计严肃游戏。该项目将为三个软件安全主题应用增强的严肃游戏设计，这些主题已被工业实践所告知。

项目成果

Future forums: A methodology for exploring, gamifying, and raising security awareness of code-citizens

未来的论坛：探索、游戏化和提高代码公民安全意识的方法

• DOI: 10.1016/j.ijhcs.2022.102930
• 发表时间: 2023
• 期刊: International Journal of Human-Computer Studies
• 影响因子: 5.4
• 作者: Georgiou T

Serious 'Slow' Game Jam - A Game Jam Model for Serious Game Design

Serious Slow Game Jam - 用于严肃游戏设计的 Game Jam 模型

• DOI: 10.1145/3610602.3610604
• 发表时间: 2023
• 作者: Abbott D

Serious Games - 9th Joint International Conference, JCSG 2023, Dublin, Ireland, October 26-27, 2023, Proceedings

Serious Games - 第九届联合国际会议，JCSG 2023，爱尔兰都柏林，2023 年 10 月 26-27 日，会议记录

• DOI: 10.1007/978-3-031-44751-8_5
• 发表时间: 2023
• 作者: Ferguson J

Games and Learning Alliance - 10th International Conference, GALA 2021, La Spezia, Italy, December 1-2, 2021, Proceedings

游戏与学习联盟 - 第十届国际会议，GALA 2021，意大利拉斯佩齐亚，2021 年 12 月 1-2 日，会议记录

• DOI: 10.1007/978-3-030-92182-8_1
• 发表时间: 2021
• 作者: Murray C

Aligning a Serious Game, Secure Programming and CyBOK-Linked Learning Outcomes

协调严肃游戏、安全编程和与 CyBOK 相关的学习成果

• DOI: 10.1109/eurospw55150.2022.00058
• 发表时间: 2022
• 作者: McGregor L