Abstract
Software developers must not only be capable of producing secure code, but must also be able to identify security vulnerabilities when evaluating their peers' work. This awareness is crucial in industrial environments that handle critical infrastructure. The present work explores a method to empower software developers on the topic of secure coding through the practice of code review. We propose a serious game, called the “DuckDebugger”, specifically designed for use in industrial settings and to address the needs of software developers, and implement it across 13 events with over 200 industrial developers. Our research is based on insights gained from deploying this game in an industrial context. The contributions of this work include the design of the serious game and the context in which it is deployed, an analysis of the perceived benefits, and practical recommendations for practitioners seeking to bring code review and cybersecurity together.
Recommended Citation
Iosif, Andrei Cristian; Lechner, Ulrike; Pinto-Albuquerque, Maria; and Espinha Gasiba, Tiago, "Cybersecurity Awareness Training for Industrial Software Developers via a Serious Game for Code Review" (2024). Wirtschaftsinformatik 2024 Proceedings. 60.
https://aisel.aisnet.org/wi2024/60