=Paper=
{{Paper
|id=Vol-3700/paper2
|storemode=property
|title=Blue and Red team quiz game to train high school students
|pdfUrl=https://ceur-ws.org/Vol-3700/paper2.pdf
|volume=Vol-3700
|authors=Giuseppe Alemanno,Daniele Semeraro, Veronica Rossano
|dblpUrl=https://dblp.org/rec/conf/cse4ia/AlemannoSR24
}}
==Blue and Red team quiz game to train high school students==
https://ceur-ws.org/Vol-3700/paper2.pdf
Blue and Red team quiz game to train high school
students
Giuseppe, Alemanno, Daniele, Semeraro and Veronica, Rossano
Department of Computer Science, University of Bari, via Orabona, 4 - 70125 Bari - Italy
Abstract
In the ever-evolving landscape of cybersecurity, human factors play a pivotal role in determining system
vulnerabilities. This article introduces CyberDuel, a serious game designed to educate high school
students on cybersecurity through an interactive card-based gameplay. Drawing inspiration from the
inherent human inclination towards play, CyberDuel engages users in defending against cyber threats
while fostering awareness and decision-making skills. The game’s design offers a non-threatening
environment for users to experiment with cybersecurity scenarios. Through a detailed planning and
design process, CyberDuel integrates elements to create an immersive educational experience. A user
study employing the GAMEX test demonstrates the game’s effectiveness in enhancing cognitive skills
and learning outcomes. CyberDuel represents a promising approach to cybersecurity education, with the
possibility of future development and refinement.
Keywords
Cybersecurity, Serious Games, Cybergames,
1. Introduction
In the cybersecurity landscape, the human factor stands out as a crucial determinant of system
vulnerabilities, often overshadowing the effectiveness of technical defenses alone. Human
errors, such as lack of awareness, negligence in adopting secure practices and falling into social
engineering traps, can be significant openings for cyber attacks [1] [2] [3] [4]. Consequently, in
addition to investments in cutting-edge technology solutions, it is critical to place an emphasis on
educating end users about cybersecurity. However, effectively raising awareness of cybersecurity
among individuals is a significant challenge, requiring the implementation of appropriate
educational strategies.
One of the highly effective is game-based learning, which allows people to experiment in
nonthreatening scenarios and acquire knowledge through practice and social interaction both
with the environment and their peers [5].
Games have long been studied by experts across various disciplines, leading to the emergence
of the research field known as game studies, revealing a fundamental connection between
humans and games throughout history. Scholars such as Johan Huizinga and Eugen Fink have
emphasized the innate human tendency to play, which coexists with our rational and creative
2nd International Workshop on CyberSecurity Education for Industry and Academia (CSE4IA 2024)
$ g.alemanno11@studenti.uniba.it (G. Alemanno); d.semeraro25@studenti.uniba.it (D. Semeraro);
veronica.rossano@uniba.it (V. Rossano)
� 0000-0002-4079-9641 (V. Rossano)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
Workshop
Proceedings
http://ceur-ws.org
ISSN 1613-0073
CEUR Workshop Proceedings (CEUR-WS.org)
CEUR
ceur-ws.org
Workshop ISSN 1613-0073
Proceedings
�faculties [6] [7]. This innate aspect of human nature underscores the effectiveness of games
as educational tools that through their ability to incorporate competition, engagement and
immediate feedback, motivate participants and facilitate learning and development.
As technology has advanced, traditional games have evolved into educational digital games,
often referred to as serious games or applied games. Unlike pure videogames, serious games are
designed with primary purposes such as education, training, and information dissemination
[8]. They cover a wide range of fields, including defense, education, scientific exploration,
healthcare, emergency management, city planning, engineering, and politics [9][10][11][12].
In the context of Cybersecurity, Serious games are pivotal for educating individuals on best
practices, recognizing threats, and handling cyber incidents. By allowing learners to explore
diverse scenarios beforehand, they can make informed decisions when using the Internet or
computers in their daily activities. For example, the The Weakest Link 1 [13] is a game where
players take on the role of a security expert within a company. Its primary objective is to
maintain high levels of security within the organization by addressing the various security
challenges that arise every day, in the form of multiple variable questions and answers. The
uniqueness of the game consists in the fact that the challenges are generated by the choices
of the company’s employees, where the player cannot choose the difficulty level. Also, the
decisions made by the player (the security expert) during the game can change the company’s
destiny very quickly, which is why the game is very dynamic, making the employee "the weak
link in the company". The key components of the game include:
• Security Score: this metric quantifies the player’s effectiveness in safeguarding the com-
pany against potential threats.
• Daily Challenges: each day presents new security scenarios, accompanied by questions
and multiple solutions for the player to consider.
• Workdays: these represent the progression through different levels of the game, with each
workday indicating the challenges faced and those remaining to be addressed.
In the game Keep Tradition Secure2 [14] players are immersed in a college campus. His main
goal is to defend the students and catch the hacker called "Bad Bull" who threatens the campus
through a series of questions with three multiple answers. The peculiarity of the game is that it
has a large game space (the entire campus map), but remains static in story and challenges. The
main parts of the game include:
• Map: used to navigate the campus in search of the hacker.
• Challenge: once you reach the point indicated on the map, a question appears with related
answer options.
In the [15] Riskio is presented, a classic serious board game designed to increase awareness
and knowledge about cyber attacks. Riskio addresses the limitations of existing cybersecurity
awareness games by offering an active learning environment where players can learn about
different attacks and countermeasures while playing the role of both the attacker and defender
of critical assets in a fictional organization. The main components of the Riskio game are: Card
Decks and the Game Board. The Card Decks are:
1
https://www.isdecisions.com/user-security-awareness-game/
2
https://keeptraditionsecure.tamu.edu/
� • Attack deck: contains the most common threats and attack vectors identified in cyberse-
curity reports;
• Defense deck: presents possible countermeasures and defenses against attacks;
• Information deck: provides additional details and useful information for the game.
The Game Boards represents a fictional organization and provides context for the game, allow-
ing players to view and interact with attacks and defenses. The paper identifies three main
limitations of existing games:
• Lack of exposure to a wide range of cyber attacks and possible countermeasures;
• Lack of opportunity for players to practice both offensive and defensive skills;
• Difficulty easily adapting or modifying the game for different training needs and contexts.
This research is motivated by the fact that there are no serious games on cybersecurity in
the Italian language intended for a teen audience, with the possibility of choosing the level of
difficulty based on their knowledge and skills and the possibility of adding new topics easily.
The rest of this paper is organized as follows. Section 2 begins with an overview of the game,
followed by a discussion of its conception, unique features, and design methodology. In Section
3, we delve into the analysis of a user study conducted to evaluate the game’s effectiveness.
Finally, Section 4 concludes by presenting potential avenues for future research.
2. The serious game CyberDuel
CyberDuel combines a card game with a quiz game to introduce young students to the topic
of computer security in an interactive way. The approach used is the one commonly used
in cybersecurity contexts, a competition between the red and blue team. Users are actively
involved in the process of defending themselves against threats posed in the form of hackers.
Users assume the role of the "blue team" and must defend themselves against cyber threats
represented by the "red team" (hackers). The game is a card battle where players must select
cards in response to the hacker’s moves, make strategic decisions based on the analysis of card
attributes, and predict their opponent’s actions to maximize their chances of success based on
card scores. cards. The player who loses all his life points loses the game.
In the preliminary stages of game conceptualization, we set ourselves the goal of creating
an engaging and innovative experience. We found inspiration from the basic idea of the game
Hacket, which under GPL-3.0 license control, provided us with an exciting starting point.
One of the main focuses was to understand how to transform the basic idea of the game Hacket
into something new and distinctive. Hacket is a static game with a single level and with few and
very generic questions about cybersecurity, but with a very clear and explicit aesthetic, regarding
the player’s roles and the purpose of the game. CyberDuel is based on Hacket’s aesthetic, using
their patterns, colors, incorporating dynamics such as multiple difficulty levels and more diverse
content. Specifically, the game’s content has been expanded to cover important topics such
as cyberbullying, password security, data privacy, phishing attacks, social engineering tactics,
and GDPR regulations. A key aspect highlighted in CyberDuel is its accessibility to a broader
audience, in particular that of being able to change the language of the game and propose the
�game to an audience of Italian teenagers. Finally, to facilitate understanding of these concepts,
the game offers feedback after each round to help players better understand the material.
In the development of CyberDuel, we followed an iterative design process [16] to refine and
improve the game mechanics and user experience iteratively based on testing and feedback. In
the following sections, we delineate certain facets of the planning and design phases.
2.1. Planning
During the planning phase, we outlined a number of specific objectives that we wanted to
achieve in our project, integrating and expanding on the basic idea to fit our original concept,
respecting the guidelines for creating a serious game, described later in the design section.
An in-depth analysis of the game planning was conducted, carefully considering:
• Primary goal: educate players about cybersecurity in an interactive way, addressing the
critical need for awareness and knowledge in digital security.
• Secondary goals:
1. Enhance understanding of cybersecurity principles through practical application:
reinforce cybersecurity concepts through practical application within the game
environment.
2. Improve decision-making skills in a simulated environment to be ready for a possible
real case of hacking: the game aims to sharpen their ability to assess risks, devise
effective countermeasures, and respond swiftly to cyber threats.
• Target Audience: individuals who are interested in learning about cybersecurity, with
the properties describe in table 1.
• Game Genre(s):
1. card game: choose cards that represent different countermeasures to attacks;
2. quiz game: make informed decisions in response to evolving scenarios.
Table 1
Target audience
Item Learner
Age 14 years and older
Educational level High school and above
Motivation Individuals interested in cybersecurity and online safety
Prerequisite knowledge Basic understanding of computer systems and the internet
Prerequisite skills Fundamental problem-solving skills
Facility with a computer Basic computer literacy
Familiarity with web Moderate familiarity with web browsers and online interactions
Typing ability Basic typing skills
Access to computers Required
Access to web Required
Time availability 5/30 minutes
� • Platform: the game is developed as a browser-based application using HTML, CSS and
TypeScript, ensuring accessibility on a wide range of devices and exploiting the Angular
framework to simplify development and improve code organisation.
• Look and Feel: the main colours of the game are blue and red, in different shades, mixing
cold and warm tones, symbolising the ongoing battle between the blue team (i.e. the
player) and the red team (i.e. the hacker).
2.2. Design
The design of a game includes the delineation of various elements according to the requirements
and resources specified during the planning phase. To enhance the design process, we have
adopted the Elemental Tetrad framework [17]. This framework was chosen for its comprehensive
coverage and proven effectiveness in guiding game design, ensuring thorough consideration of
essential game elements delineated into four distinct categories:
• Mechanics:
1. Space: the game is confined to digital space, divided horizontally into two conceptual
areas: one belongs to the player and the other to the hacker, following the typical
standard of digital card games (Figure 1) . In this representation, the duelists are
arranged facing each other in a top-down perspective, similar to the layout on a real
card table.
2. Objects: cards serve as interactive objects characterized by two static attributes:
a description detailing the available counter moves for the player in response to
the opponent’s actions, and power, which indicates the effectiveness of the action
represented by the card. Additionally, life points serve as dynamic attributes in the
game, representing the quantitative measure of health of the duelists. These life
points decrease over the course of the game according to the results of each turn.
Figure 1: Space of the game divided in two area
� 3. Actions: throughout gameplay, the player is involved in each round in the strategic
action of deciding which card maximizes their chances of success by analyzing and
comparing card descriptions. The player then performs the basic action of selecting
the card that will face the opponent’s card, initiating the clash.
4. Rules: the outcome of clashes between the player’s chosen card and the opposing
card is determined by their respective powers. If one card has greater power than
the other, it inflicts damage equal to the difference in points to the duelist who chose
the less powerful card. However, if the powers are equal, no damage is dealt. The
duel concludes in one of two ways: either when one side loses all its life points,
resulting in defeat, or when the predetermined number of rounds for the level has
ended, leading to a draw.
5. Skills: a crucial skill we expect players to possess is the mental aptitude for decision-
making, as the game requires a thorough understanding of card details.
6. Chance: Hacket is a very static game lacking of chance elements, consequently to
create an experience that is always full of challenging decisions and that prioritizes
player engagement in scenarios rather than rote memorization of moves, we intro-
duce two unpredictable elements. The first element is that the scenarios encountered
during the levels may change each time, the second element the cards presented
to the player for each scenario are randomly ordered, intensifying the demand on
players to remain attentive and responsive during the duel.
• Story: the narrative is implicit, revolving around a virtual battlefield where two characters,
the blue team member (i.e. the player) and the red team member (i.e. the hacker), engage
in an ongoing conflict. Each round represents a distinct scenario or event that the player
must navigate, contributing to an embedded narrative that evolves as players progress
through the game.
• Aesthetics: based on the Hacket game, some patterns were reused regarding the aesthet-
ics, but new prototypes and storyboards of the game were also defined and generated. The
mission and the challenges structure are defined in terms of:
1. mission design: the game has different levels and for each level is structured around
a series of cybersecurity rounds;
2. progressive complexity: the levels gradually increase in complexity, introducing new
cybersecurity threats and tactics as players advance.This structure ensures a steady
learning curve, allowing players to build upon their knowledge and skills;
A crucial point of this game, that differs from the Hacket game, is the concept of levels.
The game consists of a training level. Within this stage, the game unfolds the goal and all
its mechanisms (Figure 2), providing detailed insights and invites the player to select a
card from the hand. The instruction section can be called up from any level. Afterwards,
the player receives constructive feedback on the chosen card. Once the tutorial level
is successfully completed, an ending screen of the game is presented, taking the player
back to the home page for further exploration. The player, from the main menu, can
choose a new game with different difficulty levels (Figure 3). The challenges escalate
progressively, the player’s life points decrease, shifting the balance in favor of the hacker’s
life, transitioning from easy to medium to difficult level.
� Figure 2: Game instructions explaining the purpose and mechanics
Figure 3: Menu of difficulties and the settings section to change the language
• Technology: CyberDuel it was completely rewritten from scratch using Angular (v17), a
TypeScript-based framework, along with HTML and CSS. In the development process,
we were inspired by the aesthetics and movements of the Hacket game. The difficulties
encountered in the porting were recreating the animations of card selection and the
different dynamics on the players’ scores.
�3. User Study
In this section, we present the methodology and results of our user study, which was designed to
test the effectiveness of ‘CyberDuel’ game. We conducted a beta test involving a diverse group of
participants, assessing their cognitive skills and learning outcomes using the Gameful Experience
Scale (GAMEX) [18]. The GAMEX serves as a tool to measure users’ gameful experiences in
gamified contexts. The decision to employ the GAMEX stems from its adaptability across
various contexts and its simplicity in pinpointing specific experiential qualities that must be
refined to improve the gamified application, by-passing risky trial-and-error adjustments [18].
3.1. Questionnaires
After the beta test session, participants were given a questionnaire. The first part was made
up of socio-demographic data. This included age, gender, and their experience in the field of
cybersecurity (i.e. "weak", "average" and "high"). The second part was based on the GAMEX test,
comprising 27 items across six dimensions: Entertainment (Enj 1-6), Absorption (Ab 1-6), Creative
thinking (CT 1-4), Activation (Act 1-4), Absence of negative affects (ANA 1-3) and Dominance
(Dom 1-4). Participants rated their level of agreement on a 7-point Likert scale (1 = “strongly
disagree”, 7 = “strongly agree”, except for the question “Absence of negative affects” where the
values were reversed) for each question of each dimension.
3.2. Sample and Procedure
The beta testing phase of our study was designed to simulate real-world usage scenarios,
providing participants with an authentic experience of the system’s capabilities. The test
involved a carefully selected group of 12 participants, including 6 males and 6 females, aged
between 15 and 25 (average 21 years old) and with different experiences in the cybersecurity
field (4 people for each type of experience). Participant recruitment used convenience sampling,
prioritizing availability and proximity to the authors for selection.
3.3. Results and Discussion
After obtaining the results of the questionnaire, the mathematical average of the scores for each
question of each dimension was calculated. Subsequently, to report them on a centesimal scale
in order to define a graph, the average score of each dimension was calculated, then divided by
the total number of responses and multiplied by 100. The results of the user test are shown in
the table 2 where zero is the lowest value and 100 is the highest value.
As visible from the Figure 4,
some interesting and encouraging results were obtained:
• Enjoyment: the participants demonstrated a high level of enjoyment while engaging with
the serious game, scoring an impressive 82,36. This suggests that the game successfully
captivated their interest and provided an enjoyable experience.
• Absorption: the level of absorption among the participants was notable, with a score of
66,86. This indicates that the game was effective in immersing the players in its content,
fostering deep engagement and concentration.
�Table 2
Questionnaire Result
Enj 1 5,67 Ab 1 5,17 CT 1 5,08 Act 1 6,08 ANA 1 5,33 Dom 1 5,42
Enj 2 6,17 Ab 2 4,33 CT 2 5,42 Act 2 4,42 ANA 2 6 Dom 2 5,25
Enj 3 5,92 Ab 3 4,83 CT 3 5,58 Act 3 4,42 ANA 3 5,67 Dom 3 6,42
Enj 4 5,75 Ab 4 4,83 CT 4 5,42 Act 4 5,08 Dom 4 6
Enj 5 5,5 Ab 5 4,17
Enj 6 5,58 Ab 6 4,75
Avg 5,77 4,68 5,38 5 5,67 5,77
Perc. 82,36 66,86 76,79 71,43 80,95 82,46
Figure 4: Chart of questionnaire results
• Creative Thinking: The serious game elicited a strong response in terms of creative
thinking, scoring 76,79. This suggests that it stimulated participants’ imagination and
encouraged them to explore innovative solutions within the game’s context.
• Activation: the score of 71,43 for activation indicates that the game effectively prompted
participants to become actively involved in its challenges and tasks. This suggests that it
succeeded in motivating them to participate and interact with its content.
• Absence of Negative Affect: with a score of 80,95, the game demonstrated a notable
absence of negative affect among the participants. These findings align with those of the
original researchers, suggesting that the absence of negative emotions is crucial for the
genuine emergence of the gaming experience [18].
• Dominance: the high score of 82.46 for dominance suggests that the game effectively
� empowered participants and allowed them to feel in control of their actions within the
game environment. This indicates a positive user experience, where players felt confident
and competent in navigating the challenges presented.
4. Conclusion and Future works
CyberDuel educates players on cybersecurity, leveraging game-based learning to enhance
awareness and decision-making skills. The innovative design, incorporating elements like card
strategies and dynamic scenarios, engages players in a non-threatening environment.
Some possible future works could include:
• Enhancing User Engagement: further research could focus on increasing user engage-
ment by incorporating more interactive elements, personalized feedback, or gamification
techniques to make the learning experience more immersive and enjoyable and to be able
to have greater user absorption while playing the game.
• Expanding Content and Scenarios: to develop additional levels, challenges, and sce-
narios within the game to cover a broader range of cybersecurity topics and real-world
situations, catering to different skill levels and learning preferences of users.
• Integration of Advanced Technologies: to explore integrating emerging technologies
like virtual reality (VR) or augmented reality (AR) to enhance the gaming experience and
provide a more realistic and interactive learning environment.
• Long-term Impact Assessment: to conduct longitudinal studies to evaluate the game’s
long-term impact on users’ cybersecurity knowledge, skills, and behaviors, tracking
progress and retention of information over time.
• Collaboration and Partnerships: to collaborate with cybersecurity experts, educational
institutions, and industry partners to gather feedback, validate effectiveness, and ensure
alignment with current cybersecurity practices and trends.
• Accessibility and Localization: to adapt the game to be accessible to a wider audience
by translating it into multiple languages, optimizing for different devices, and ensuring
inclusivity for users with diverse learning needs.
• Larger Participant Pool: to obtain a larger range of feedback and different perspectives
for a more comprehensive understanding of the game’s impact.
By exploring these avenues for future research and development, the CyberDuel project can
continue to evolve and make a significant impact in educating individuals about cybersecurity
through innovative and engaging game-based learning experiences.
5. Acknowledgement
This work has been partially funded by the OSCAR project, number 101132432, funded by
the European Union. Views and opinions expressed are however those of the author(s) only
and do not necessarily reflect those of the European Union. Neither the European Union nor
the granting authority can be held responsible for them. The research activities has been
�developed within the National Laboratory “Informatica e Scuola” constituted under CINI, the
Italian inter-university consortium on Informatics. The authors wish to express their gratitude
to the student Fabio Caiulo who designed and developed the game together with Giuseppe
Alemanno and Daniele Semeraro.
References
[1] A. Chrysanthou, Y. Pantis, C. Patsakis, The anatomy of deception: Measuring technical and
human factors of a large-scale phishing campaign, Computers & Security (2024) 103780.
[2] A. Pollini, T. C. Callari, A. Tedeschi, D. Ruscio, L. Save, F. Chiarugi, D. Guerri, Leveraging
human factors in cybersecurity: an integrated methodological approach, Cognition,
Technology & Work 24 (2022) 371–390.
[3] A. Joinson, T. van Steen, Human aspects of cyber security: Behaviour or culture change?,
Cyber Security: A Peer-Reviewed Journal 1 (2018) 351–360.
[4] V. Zimmermann, K. Renaud, Moving from a ‘human-as-problem” to a ‘human-as-solution”
cybersecurity mindset, International Journal of Human-Computer Studies 131 (2019)
169–187.
[5] M. Prensky, Digital game-based learning, Comput. Entertain. 1 (2000) 21. URL: https:
//api.semanticscholar.org/CorpusID:207742354.
[6] K. Salen, E. Zimmerman, The Game Design Reader: A Rules of Play Anthology, Chapter 3:
Interstital: Urban Invasion : Nature and Significance of Play as a Cultural Phenomenon,
The Definition of Play and The Classification of Games, The MIT Press, 2006.
[7] I. Schousboe, D. Winther-Lindqvist, Children’s Play and Development: Cultural-Historical
Perspectives, Chapter 15: Play, But Not Simply Play: The Anthropology of Play, 2013.
doi:10.1007/978-94-007-6579-5.
[8] D. Michael, S. Chen, Serious games: Games that educate, train, and inform (2006).
[9] Y. M. Arif, N. Ayunda, N. M. Diah, M. B. Garcia, A systematic review of serious games
for health education: Technology, challenges, and future directions, Transformative
Approaches to Patient Literacy and Healthcare Innovation (2024) 20–45.
[10] Z. Feng, V. A. González, C. Mutch, R. Amor, G. Cabrera-Guerrero, Exploring spiral narra-
tives with immediate feedback in immersive virtual reality serious games for earthquake
emergency training, Multimedia Tools and Applications 82 (2023) 125–147.
[11] N. Stathakarou, A. A. Kononowicz, C. Swain, K. Karlgren, et al., Game elements in the
design of simulations in military trauma management training: Protocol for a systematic
review, JMIR Research Protocols 12 (2023) e45969.
[12] V. Rossano, G. Calvano, Promoting sustainable behavior using serious games: Seadventure
for ocean literacy, IEEE Access 8 (2020) 196931–196939.
[13] W. Hill, M. Fanuel, X. Yuan, Comparing serious games for cyber security education, in:
Proceedings of the 2020 ASEE Southeastern Section Conference, Auburn, AL, USA, 2020,
pp. 8–9.
[14] M. Calvano, F. Caruso, A. Curci, A. Piccinno, V. Rossano, et al., A rapid review on serious
games for cybersecurity education: Are" serious" and gaming aspects well balanced?, in:
IS-EUD Workshops, 2023.
�[15] S. Hart, A. Margheri, F. Paci, V. Sassone, Riskio: A serious game for cyber security
awareness and education, Computers & Security 95 (2020) 101827.
[16] C. Larman, V. R. Basili, Iterative and incremental developments. a brief history, Computer
36 (2003) 47–56.
[17] J. Schell, The Art of Game Design: A Book of Lenses, Chapter 5: The Game Consists of
Elements, 3rd ed., A K Peters/CRC Press, 2019.
[18] R. Eppmann, M. Bekk, K. Klein, Gameful experience in gamification: Construction and
validation of a gameful experience scale [gamex], Journal of interactive marketing 43
(2018) 98–115.
6. Online Resources
• The sources for the original idea of the games is available on this GitHub (Hacket), under
GPL-3.0 license control.
• The sources for CyberDuel game is is available on this GitHub (CyberDuel), under GPL-3.0
license control.
�