<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Tracking the Students' Learning Behavior for Cybersecurity Scenarios?</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Antonio Uzal</string-name>
          <email>auzal@pas.uned.es</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Llanos Tobarra</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Alejandro Utrilla</string-name>
          <email>autrilla14@alumno.uned.es</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Antonio Robles-Gomez</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Rafael Pastor-Vargas</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Roberto H</string-name>
          <email>robertog@scc.uned.es</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Communication and Control Systems Department, ETSI Informatica Universidad Nacional de Educacion a Distancia (UNED)</institution>
          ,
          <country country="ES">Spain</country>
        </aff>
      </contrib-group>
      <fpage>143</fpage>
      <lpage>155</lpage>
      <abstract>
        <p>The ability to prevent dangerous cyber-threats in critical infrastructures depends on the availability of a security trained workforce and, therefore, an education system that can achieve this capacity. This work presents the key elements of a framework for hosting educative games based on the cybersecurity topics, by tracking the students' performance during learning competitions, further than standard log capabilities. This feature allows faculty to adapt and evolve the learning process to the students' needs. What is more, helping students to learn in an e ective and e cient way with technological resources. Data privacy considerations are also given by adapting regulations to our proposal.</p>
      </abstract>
      <kwd-group>
        <kwd>cybersecurity</kwd>
        <kwd>gami cation</kwd>
        <kwd>learning analytics</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Today's society is purely digital; the use of digital technologies is employed in a
multitude of sectors with non-stop growth. It is evident that it brings signi cant
bene ts, but new problems also appear, as is the case of cyber-security. The need
for professionals in this eld is a challenge, and it is growing at a faster rate than
the training of quali ed professionals [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ]. The ability to prevent successful
cyberattacks against a nation's critical infrastructure depends on the availability of a
skilled cyber-literate workforce and, therefore, on an educational system that can
build such capabilities [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. The next generations of engineers must be quali ed to
address technological threats on the Internet both theoretically and practically.
This approach helps to develop critical thinking skills [
        <xref ref-type="bibr" rid="ref11 ref26 ref40">11,26,40</xref>
        ]. Applying the
gami cation of the learning process through case studies achieves improvements
in outcomes [
        <xref ref-type="bibr" rid="ref20 ref3 ref4">20,4,3</xref>
        ].
      </p>
      <p>It is clear that incorporating this type of initiative into our learning
methodology, especially in distance education, can o er signi cant advantages. However,
the deployment of such competencies is often very time consuming for lecturers.
The design of security contests is complicated, as they must be at the appropriate
level of di culty concerning the target audience. If a competition is too di cult,
the participants get frustrated. If a competition is too easy, participants are not
challenged and will lose interest. Ideally, a competition would o er a variety of
challenges of di erent di culties, so that all participants of various skill levels
would be challenged by tasks and grati ed by success.</p>
      <p>In addition to this, when competitions are included as an evaluation element
in the educational curriculum, we may encounter dishonest behavior on the part
of participants. Moreover, of course, it is complex to share this type of experience
with other lecturers. Once the competition has been carried out, it is likely that
the participants will publish their solutions in blogs or forums and therefore, the
competition has already lost its freshness and the possibility of reuse.</p>
      <p>Our project focuses on the idea of developing an approach that exploits
the advantages already presented of such a context and that in turn allows
solving the problems already mentioned. Therefore, the project presents its own
scenario editor and allows the possibility of generating content whose solutions
are di erent for the participants, which would help to solve part of the problem
of honesty. However, it also provides enough tools for tracking and intervenes in
the learning process of the participants during the game.</p>
      <p>This work is organized as follows: Section 2 introduce the related work of the
paper. Section 3 presents the principal objectives of our current work, as well
as the architecture and de nitions of the proposed game platform. The learning
monitor of the game platform is given in Section 4, as well as a set of data privacy
considerations adapted from current regulations. Finally, some conclusions and
future works are speci ed in Section 5.
2</p>
    </sec>
    <sec id="sec-2">
      <title>Related Work</title>
      <p>First, it deserves to distinguish between platforms aimed at hosting competitions
to capture the ag and generation environments for the competition itself. This
work is mainly focused on the second type of frameworks.</p>
      <p>
        To achieve this purpose, meaningful and enriching activities must be o ered.
Currently, the Capture the Flag (CTF) competitions are very popular and
successful [
        <xref ref-type="bibr" rid="ref41">41</xref>
        ]. These competitions can have three di erent game dynamics: quizzes,
hidden elements ( ags) and challenges. Through this type of competition,
participants apply the knowledge they have acquired through theoretical study,
which increases their motivation. Also, another advantage is the need for group
collaboration to solve problems [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ]. Similarly, performing and publishing the
solutions to the challenges, known as write-ups, allows for learning beyond the
competition itself [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      </p>
      <p>
        Deploying CTF competitions is complex and requires valuable lecturer time.
Automated problem generation [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] is applied to Pico-CFT. The work [
        <xref ref-type="bibr" rid="ref38">38</xref>
        ] presents
a solution for the 2017 iCTF competition. It consists of a set of pre-con gured
virtual machines (VMs). On the other hand, the work [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ] introduces a Security
Scenario Generator in order to provide a exible general technique to de ne and
deploy VMs for education and training in security. In this sense, an alternative is
to use personalized Docker containers for speeding the deployment phases of the
infrastructure. Additionally, the platform Git-based CTF [
        <xref ref-type="bibr" rid="ref39">39</xref>
        ] allows lecturers to
deploy a Red/Blue Team challenges with high interactivity among participants.
      </p>
      <p>
        Closer to our approach, the work [
        <xref ref-type="bibr" rid="ref30">30</xref>
        ] presents a formal language oriented to
the de nition of professional cyber-ranges exercises, although it is only oriented
to the validation/veri cation of scenarios. Finally, the work [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] presents Alpaca,
a novel dynamic cyber range generator, based on a multi-step sequence of exploits
from a vulnerability database and some generation of thinking paths.
      </p>
      <p>
        As a result of this type of competition, the honesty of the students could be
called into question. It is possible that for some of the participants, their main
objective is to achieve the score without making an e ort to learn. Within the
CTFs there have appeared approaches to solve this problem. Some works [
        <xref ref-type="bibr" rid="ref16 ref7 ref8">7,16,8</xref>
        ]
have introduced anti-plagiarisms methods, such as strong encryption randomized
ags.
      </p>
      <p>Most of these platforms are focused on the recreation of realistic
environments. However, they provide very few tools for monitoring the performance of
students. Most of them only provide simple tracking elements, such as the
registry of the awarded ags. This work is focused on increasing those elements into
a real learning analytic system, which will be deployed in an e cient dynamic
infrastructure, based on Docker containers.
3
3.1</p>
    </sec>
    <sec id="sec-3">
      <title>Motivation and Architecture</title>
      <sec id="sec-3-1">
        <title>Contextualization</title>
        <p>
          This work is supported by an innovation educational project at UNED, named
CiberScrath [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ] (In English, CyberScratch). The principal objective of this project
is to innovate in the design of mechanisms for the inclusion of gami cation
techniques within remote and virtual laboratories aimed in the context of
cybersecurity, as well as their integration into the eld of education. The resulting
framework should provide the following features [
          <xref ref-type="bibr" rid="ref12 ref37">12,37</xref>
          ]:
{ Easing the development of CTF competitions, reducing the time invested in
the design of the technical part.
{ Including mechanisms to personalize the context to participants, allowing
for the replication of the process, but not the sharing of the ags.
{ Allowing the creation of motivating games with stories that allow the
bifurcation of the development based on the decisions of the player.
{ Facilitating the monitoring of the players' performance by the teaching team.
        </p>
        <p>
          The research group had previously worked on the creation of remote virtual
laboratories aimed at cybersecurity by using containers [
          <xref ref-type="bibr" rid="ref29 ref35">29,35</xref>
          ]. This approach
seems interesting to generate a customized container for each player. This way,
the students' gaming experience can be adapted to the requirements of the
project. In addition to this, a nal degree project (called Sh3rl0ck H0lm3$),
has been proved to be a suitable option (see Fig. 1). One of its main drawbacks
was the lack of monitoring features or intervention elements further than the
basic log module, although this development is a good starting point for our
CyberScratch project.
        </p>
        <p>
          This work focuses on the de nition of the initial architecture and the
development of a prototype. This prototype includes a graphic editor by adding
monitor tools to analyze the students' learning. In addition to this, some e orts
have initially performed to match the phases of Learning Analytics (LA) [
          <xref ref-type="bibr" rid="ref33">33</xref>
          ]
with current privacy and data control requirements from Spanish and European
guidelines and standards.
3.2
        </p>
      </sec>
      <sec id="sec-3-2">
        <title>The Proposed Platform</title>
        <p>Conceptually, a game consists of one or more cases, as observed in Fig. 2. In
fact, in each case, we can nd one or more mission and some characters. The
development of the missions can be sequential or concurrent. A mission (or a set
of missions) can be available after solving some previous events. There are some
key missions that once they are solved, the rest of active missions are closed.
The mission order is determined using two attributes inside the mission element:
the previous mission and cancel events.</p>
        <p>Each mission is guided by some artifacts and on or more stories. A story
element is composed of one or several messages. A message can be a video, an
audio le, an HTML fragment or a PDF le with the narration of the story,
or a set of messages that are used to train a character bot. This last option
allows players to chat with a bot character. A message can be associated with a
particular character of the case. An example of this chat feature is represented
in Fig. 3.</p>
        <p>
          A preliminary architecture of this game platform is depicted in Fig. 4. The
XML de nition of the game is used to create the game dynamics for each player.
Additionally, the game resources and the game docker template is compiled in
order to create a speci c Docker container [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ] for the player. This container
is remotely accessed utilizing the Apache Guacamole project [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ] for the game
platform. The proposed game platform is being developed using the Django web
framework [
          <xref ref-type="bibr" rid="ref17">17</xref>
          ].
        </p>
        <p>Developing a game platform for learning cybersecurity is challenging because
the competition's execution environment is often hostile and, thus, it is di cult
to monitor and control the game. It is essential to have mechanisms and policies
for the easy diagnosis of possible problems in educational and security terms.
Therefore, it is clear the need for a speci c strategy that allows lecturers to track
the students' performance.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Game Monitor and Learning Analytics</title>
      <p>
        ISO/IEC TR 20748-1:2016 [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ] is a technical report oriented to describe
conceptually the behavior of all the elements involved in the interoperability of Learning
Analytics (LA). Speci cally, it proposes a reference model in its clause 6 for the
various processes that make up the LA cycle.
      </p>
      <p>According to ISO/IEC TR 20748-1:2016, six phases compose a LA circle:
learning and teaching activity, data collection, data processing and storing,
data analyzing, data visualization, and feedback and recommendation.
Learningteaching activity has been described in the previous section. Thus, the following
subsections are focused on the data collection phase and data processing and
storing phase. The rest of the phases are thought for further work.</p>
      <p>The results of the analysis are intervening in the learning process as an
internal mechanism. On the one hand, the game provides with hints. So, when a
student is stacked, she/he can request a hint. Also, it is automatically detected
that the player does not progress in a prudential time. The hint will be provided
using a chat with a character. On the other hand, students are provided with
several visualizations of their progress through the game in comparison with
other participants. Further analysis of these visualizations will take place in
order to select those more suitable. Finally, lecturers provide with visualizations
to help them to tackle the game. Additionally, the platform will be programmed
with alert messages to report about students at risk or unusual situations.
4.1</p>
      <sec id="sec-4-1">
        <title>Data Collection, Processing and Storing</title>
        <p>
          Many learning tools export their activity registry into a Learning Registry
System (LRS) that implements the xAPI speci cation [
          <xref ref-type="bibr" rid="ref1 ref10 ref25 ref33">10,1,25,33</xref>
          ]. In this case, to
record our students' activity on the platform, we are formatting those events as
xAPI statements. xAPI statements are managed by TinCanPython library [
          <xref ref-type="bibr" rid="ref31">31</xref>
          ]
inside the created framework. One of the main advantages of this approach is
the ability to reuse existing learning analysis techniques and incorporating them
into our gaming platform in a simple way. Another advantage of this solution is
the capability of exporting the activity towards a cloud LRS.
        </p>
        <p>
          xAPI statements are composed of three main elements: actor, verb and
object. In our framework, we have three main actors: students, lecturers and group
of students. Verbs in xAPI are URIs, and they should be paired with a short
display string. In our case, most of the verbs included in the data collection
phase are already described in the xAPI registry [
          <xref ref-type="bibr" rid="ref34">34</xref>
          ], such as accessed
(platform, game, mission . . . ), completed (game, case, mission), found (a ag), and
so on. The third element represents the activity: a game, a mission, a case, a ag,
a reward, etc. Again, xAPI registry provides a vast number of types of activities
that easily t in our statements.
        </p>
        <p>Since 2019, the context element has been added to the xAPI statement to
include some contextual information to a statement. This contextual information
includes the group that students belong to or the course related to the game.
Finally, a statement can also end in some measured outcome by a result element.</p>
        <p>In our case, result statement can be used in conjunction with the resolution of
a case, indicating if it is successfully found or it is a failure.</p>
        <p>Apart from occasional actions, a challenge in data collection is the gathering
of the commands used for solving the challenges. The game provides a
customized docker container with the needed tools to solve missions. Alternative
students can download the artifact associated with the mission and work locally.
To retrieve the session commands, before the player's container is stopped, the
registry of commands is retrieved. The representation of this learning event must
be represented by the use of the result element recording the commands in the
response property.</p>
        <p>
          xAPI statements are stored in a MongoDB NoSQL database [
          <xref ref-type="bibr" rid="ref27">27</xref>
          ]. MongoDB
allows us to create a JSON document-based database that stores the xAPI
statement directly. MongoDB o ers security features, such as encryption at rest,
transport encryption by TLS, authentication, access control and role-based
access control feature, and auditing mechanisms.
4.2
        </p>
      </sec>
      <sec id="sec-4-2">
        <title>Data Privacy Considerations</title>
        <p>
          Automatic learning analyses are increasingly integrated within educational
institutions, training in work environments or platforms oriented to long life learning,
such as our project. It is inevitable concerning about privacy and data
protection. Con rmation of this fact can be found in [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ]. In that work, framed within
the LA Community Exchange (LACE) project and funded by the European
Union, the question of the impact of privacy on the area of the development of
LA was raised. Another project that follows this idea is the Sheila project [
          <xref ref-type="bibr" rid="ref28">28</xref>
          ]
focused on the development of a privacy data framework in educational
institutions. In parallel with the growth of the LA community, there was an enormous
development in data protection regulation, both internationally and nationally.
According to a survey conducted by the United Nations Conference on Trade
and Development [
          <xref ref-type="bibr" rid="ref36">36</xref>
          ], by 2018, 107 countries (58%) had developed data
protection legislation, and 10% were in the process of doing so. As an example,
in Spain, the regulation of data protection is determined by the following laws:
Organic Law 3/2018 of 5 December on the Protection of Personal Data and the
Guarantee of Digital Rights (LOPDGDD) and General Data Protection
Regulation (GDPR), the second one is the general data protection law approved by
the European Union in April 2016.
        </p>
        <p>
          Following this spirit of the regulation, in ISO/IEC TR 20748-1:2016 [
          <xref ref-type="bibr" rid="ref15">15</xref>
          ], the
importance of the user's control of his/her data is highlighted, emphasizing the
need to implement mechanisms that give the student (or his/her legal tutors)
the possibility to avoid monitoring. It also put the focus on the need to
manage data control and user identi cation through a federation of identities. The
detailed correspondence among ISO/IEC TR 20748-1:2016 phases and their
corresponding privacy requirements has been correlated at [
          <xref ref-type="bibr" rid="ref21">21</xref>
          ]. According to this
work, each phase must ful ll the following privacy requirements:
{ Learning and Teaching Activity : Giving information of processing operation
and purpose.
        </p>
        <p>Implementation</p>
        <p>Right related to Analyzing,
automated deci- sualization,
sion making and Feedback and
pro ling Recommendation
Accountability All phases Audit, role-based control access and
authenticaand governance tion based on MongoDB security features.
Breach noti ca- Data Processing Noti cation will follow the procedure determined
tion and Storing by UNED.</p>
        <p>Transfer data Data Processing Data will not be transferred outside UNED.</p>
        <p>and Storing
Data protection All phases Policy of data applying security measures, such as
by design and encryption for data at rest and TLS transport for
default data in communication.
{ Data Collection: A rmative action of consent to data collection.
{ Data Processing and Storing : Access to, and recti cation or erasure of
personal data. Having the right to be forgotten. Pseudonymization and risk
assessment.
{ Analyzing : Meaningful information about the logic involved. Information of
pro ling, e.g., predictive modeling.
{ Visualization: General requirements for transparency and communication.
{ Feedback and Recommendation: Information about the signi cance and
envisaged consequences of data processing.</p>
        <p>
          Thus, we have adapted these recommendations to our framework, as
summarized in Table 1. Additionally, universities must have an active role in the
ethical regulation of the use of educational data. UNED has created a research
ethical committee [
          <xref ref-type="bibr" rid="ref22">22</xref>
          ] to report the results of this framework and the collected
data before to any further research.
5
        </p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Conclusions and Further Works</title>
      <p>The current work presents a platform for gami cation and its relevant
characteristics, which will allow us both the monitoring of learning and the lecturers'
intervention when considered convenient. We have also included into the
platform a set of tools to ease the collaborative learning among students (and with
the lecturers), peer recognition, and promote healthy and constructive
competitiveness. Data privacy is also taken into account in this work, by adopting
regulations to the case of UNED and our concrete project. There is still much
work to be done, specially to improve the o ered visualizations to students and
lecturers as well as, adding new elements to our platform, such as characters
with a higher intelligence which allow a more uid interaction with students.</p>
      <p>Although our preliminary results are promising, a rst test full-experience
of the gaming platform in the context of a security degree subject is running at
the moment. Therefore, providing statistical data or analysis for the platform's
satisfaction and acceptance, or analyzing its impact on the learning process, is
planned as future work.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>Berg</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sche</surname>
            <given-names>el</given-names>
          </string-name>
          , M.,
          <string-name>
            <surname>Drachsler</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ternier</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Specht</surname>
            ,
            <given-names>M.:</given-names>
          </string-name>
          <article-title>The dutch xapi experience</article-title>
          .
          <source>In: Proceedings of the Sixth International Conference on Learning Analytics &amp; Knowledge</source>
          . p.
          <volume>544</volume>
          {
          <fpage>545</fpage>
          . LAK '
          <volume>16</volume>
          ,
          <string-name>
            <surname>Association</surname>
          </string-name>
          for Computing Machinery, New York, NY, USA (
          <year>2016</year>
          ), https://doi.org/10.1145/2883851.2883968
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Burket</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chapman</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Becker</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ganas</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Brumley</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          :
          <article-title>Automatic problem generation for capture-the- ag competitions</article-title>
          .
          <source>In: 2015 USENIX Summit on Gaming</source>
          , Games, and
          <article-title>Gami cation in Security Education (3GSE 15)</article-title>
          . USENIX Association, Washington,
          <string-name>
            <surname>D.C.</surname>
          </string-name>
          (Aug
          <year>2015</year>
          ), https://www.usenix.org/conference/ 3gse15/summit-program/presentation/burket
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Cano</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hernandez</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ros</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Tobarra</surname>
            ,
            <given-names>L.:</given-names>
          </string-name>
          <article-title>A distributed laboratory architecture for game based learning in cybersecurity and critical infrastructures</article-title>
          .
          <source>In: 2016 13th International Conference on Remote Engineering and Virtual Instrumentation (REV)</source>
          . pp.
          <volume>183</volume>
          {
          <issue>185</issue>
          (
          <year>2016</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Cano</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hernandez</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ros</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          :
          <article-title>Bringing an engineering lab into social sciences: didactic approach and an experiential evaluation</article-title>
          .
          <source>IEEE Communications Magazine</source>
          <volume>52</volume>
          ,
          <issue>101</issue>
          {
          <fpage>107</fpage>
          (
          <year>2014</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Catota</surname>
            ,
            <given-names>F.E.</given-names>
          </string-name>
          , Morgan,
          <string-name>
            <given-names>M.G.</given-names>
            ,
            <surname>Sicker</surname>
          </string-name>
          ,
          <string-name>
            <surname>D.C.</surname>
          </string-name>
          :
          <article-title>Cybersecurity education in a developing nation: the Ecuadorian environment</article-title>
          .
          <source>Journal of Cybersecurity</source>
          <volume>5</volume>
          (
          <issue>1</issue>
          ) (03
          <year>2019</year>
          ). https://doi.org/10.1093/cybsec/tyz001, https://doi.org/10.1093/cybsec/ tyz001, tyz001
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Childers</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Boe</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cavallaro</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cavedon</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cova</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Egele</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vigna</surname>
          </string-name>
          , G.:
          <article-title>Organizing large scale hacking competitions</article-title>
          . In: Kreibich,
          <string-name>
            <given-names>C.</given-names>
            ,
            <surname>Jahnke</surname>
          </string-name>
          , M. (eds.)
          <article-title>Detection of Intrusions and Malware, and Vulnerability Assessment</article-title>
          . pp.
          <volume>132</volume>
          {
          <fpage>152</fpage>
          . Springer Berlin Heidelberg, Berlin, Heidelberg (
          <year>2010</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <surname>Chothia</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Novakovic</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          :
          <article-title>An o ine capture the ag-style virtual machine and an assessment of its value for cybersecurity education</article-title>
          .
          <source>In: 2015 USENIX Summit on Gaming</source>
          , Games, and
          <article-title>Gami cation in Security Education (3GSE 15)</article-title>
          . USENIX Association, Washington,
          <string-name>
            <surname>D.C.</surname>
          </string-name>
          (august
          <year>2015</year>
          ), https://www.usenix.org/conference/ 3gse15/summit-program/presentation/chothia
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <surname>Chothia</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Novakovic</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Radu</surname>
            ,
            <given-names>A.I.</given-names>
          </string-name>
          , Thomas,
          <string-name>
            <surname>R.J.</surname>
          </string-name>
          :
          <article-title>Choose Your Pwn Adventure: Adding Competition and Storytelling to an Introductory Cybersecurity Course</article-title>
          , pp.
          <volume>141</volume>
          {
          <fpage>172</fpage>
          . Springer Berlin Heidelberg, Berlin, Heidelberg (
          <year>2019</year>
          ), https://doi.org/10.1007/978-3-
          <fpage>662</fpage>
          -59351-6 12
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9. de Innovacion Docente en Ciberseguridad (CiberGid), G.: Ciberscratch. on line at http://casper.scc.uned.es/ciberscratch/index.html (
          <year>2020</year>
          ),
          <article-title>last accesed: 7th april 2020</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <surname>Co-Laboratories</surname>
            ,
            <given-names>A.D.L.A.</given-names>
          </string-name>
          :
          <article-title>Experience api</article-title>
          .
          <source>version: 1.0.2. Tech. rep., Advanced Distributed Learning (ADL) Initiative</source>
          (
          <year>2016</year>
          ), https://github.com/adlnet/ xAPI-Spec/blob/1.0.2/xAPI.md
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <surname>Dasgupta</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ferebee</surname>
            ,
            <given-names>D.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Michalewicz</surname>
            ,
            <given-names>Z.</given-names>
          </string-name>
          :
          <article-title>Applying puzzle-based learning to cyber-security education</article-title>
          .
          <source>In: Proceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference</source>
          . p.
          <volume>20</volume>
          {
          <fpage>26</fpage>
          . InfoSecCD '13,
          <string-name>
            <surname>Association</surname>
          </string-name>
          for Computing Machinery, New York, NY, USA (
          <year>2013</year>
          ). https://doi.org/10.1145/2528908.2528910, https://doi.org/10.1145/ 2528908.2528910
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <surname>Deterding</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Dixon</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Khaled</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nacke</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          :
          <article-title>From game design elements to gamefulness: De ning \gami cation"</article-title>
          .
          <source>In: Proceedings of the 15th International Academic MindTrek Conference: Envisioning Future Media Environments</source>
          . p.
          <volume>9</volume>
          {
          <fpage>15</fpage>
          . MindTrek '11,
          <string-name>
            <surname>Association</surname>
          </string-name>
          for Computing Machinery, New York, NY, USA (
          <year>2011</year>
          ). https://doi.org/10.1145/2181037.2181040, https://doi.org/10.1145/ 2181037.2181040
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Docker</surname>
          </string-name>
          <article-title>: Docker. debug your app, not your environment</article-title>
          . on line at https://www. docker.com/ (
          <year>2020</year>
          ),
          <article-title>last accesed: 7th april 2020</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <surname>Eckroth</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chen</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gatewood</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Belna</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Alpaca: Building dynamic cyber ranges with procedurally-generated vulnerability lattices</article-title>
          .
          <source>In: Proceedings of the 2019 ACM Southeast Conference</source>
          . p.
          <volume>78</volume>
          {
          <fpage>85</fpage>
          . ACM SE '
          <volume>19</volume>
          ,
          <string-name>
            <surname>Association</surname>
          </string-name>
          for Computing Machinery, New York, NY, USA (
          <year>2019</year>
          ). https://doi.org/10.1145/3299815.3314438, https://doi.org/10.1145/3299815. 3314438
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <surname>technology</surname>
            <given-names>SC</given-names>
          </string-name>
          36.
          <article-title>Information technology for learning education,</article-title>
          <string-name>
            <surname>I.J.I.</surname>
          </string-name>
          , training.:
          <article-title>Information technology for learning, education and training | learning analytics interoperability |part 1:reference model</article-title>
          .
          <source>Tech. rep., ISO and IEC</source>
          (
          <year>2016</year>
          ), https: //www.iso.org/standard/68976.html
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16. chang Feng, W.:
          <article-title>A sca olded, metamorphic CTF for reverse engineering</article-title>
          . In: 2015 USENIX Summit on Gaming, Games, and
          <article-title>Gami cation in Security Education (3GSE 15)</article-title>
          . USENIX Association, Washington,
          <string-name>
            <surname>D.C.</surname>
          </string-name>
          (Aug
          <year>2015</year>
          ), https://www. usenix.org/conference/3gse15/summit-program/presentation/feng
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Foundation</surname>
            ,
            <given-names>D.S.</given-names>
          </string-name>
          : Django.
          <article-title>the web framework for perfectionists with deadlines</article-title>
          . on line at https://www.djangoproject.com/ (
          <year>2020</year>
          ),
          <article-title>last accesed: 7th april 2020</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <surname>Foundation</surname>
            ,
            <given-names>T.A.S.:</given-names>
          </string-name>
          <article-title>Apache guacamole</article-title>
          . on line at https://guacamole.apache.org/ (
          <year>2020</year>
          ),
          <article-title>last accesed: 7th april 2020</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19. Gri ths, D.,
          <string-name>
            <surname>Drachsler</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kickmeier-Rust</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Steiner</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hoel</surname>
          </string-name>
          , T., W.Greller:
          <article-title>Is Privacy a Show-stopper for Learning Analytics? A Review of Current Issues and Solutions</article-title>
          .
          <source>LACE project</source>
          (
          <year>2016</year>
          ), retrieved from http://www.laceproject.
          <article-title>eu/ learning-analytics-review/is-privacy-a-show-stopper/</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <surname>Hamari</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Koivisto</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sarsa</surname>
          </string-name>
          , H.:
          <article-title>Does gami cation work? { a literature review of empirical studies on gami cation</article-title>
          .
          <source>In: 2014 47th Hawaii International Conference on System Sciences</source>
          . pp.
          <volume>3025</volume>
          {
          <issue>3034</issue>
          (Jan
          <year>2014</year>
          ). https://doi.org/10.1109/HICSS.
          <year>2014</year>
          .
          <volume>377</volume>
          , http://ieeexplore.ieee.org/xpls/abs all.
          <source>jsp?arnumber=6758978&amp;tag=1</source>
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <surname>Hoel</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gri ths</surname>
          </string-name>
          , D.,
          <string-name>
            <surname>Chen</surname>
            ,
            <given-names>W.:</given-names>
          </string-name>
          <article-title>The in uence of data protection and privacy frameworks on the design of learning analytics systems</article-title>
          .
          <source>In: Proceedings of the Seventh International Learning Analytics &amp; Knowledge Conference</source>
          . p.
          <volume>243</volume>
          {
          <fpage>252</fpage>
          . LAK '
          <volume>17</volume>
          ,
          <string-name>
            <surname>Association</surname>
          </string-name>
          for Computing Machinery, New York, NY, USA (
          <year>2017</year>
          ). https://doi.org/10.1145/3027385.3027414, https://doi.org/10.1145/ 3027385.3027414
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          22. Vicerrectorado de Investigacion, T.d.C.y.D.C.U.: Comite de Etica de la investigacion. Available at http://portal.uned.es/portal/page? pageid=
          <volume>93</volume>
          ,
          <issue>639534</issue>
          ,
          <fpage>93</fpage>
          <lpage>20530755</lpage>
          &amp;
          <article-title>dad=portal&amp; schema=PORTAL (</article-title>
          <year>2020</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          23.
          <article-title>(ISC)2: Strategies for building and growing strong cybersecurity teams</article-title>
          .
          <source>cybersecurity workforce study</source>
          ,
          <year>2019</year>
          . on line at https://www. isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/
          <fpage>ISC2</fpage>
          -Cybersecurity-Workforce-Study-
          <year>2019</year>
          .
          <article-title>ashx?la=en&amp;hash= 1827084508A24DD75C60655E243EAC59ECDD4482 (2019), last accesed: 7th april 2020</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          24.
          <string-name>
            <surname>Jariwala</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Champion</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Rajivan</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cooke</surname>
          </string-name>
          , N.:
          <article-title>In uence of team communication and coordination on the performance of teams at the ictf competition</article-title>
          .
          <source>Proceedings of the Human Factors and Ergonomics Society Annual Meeting</source>
          <volume>56</volume>
          ,
          <issue>458</issue>
          {
          <volume>462</volume>
          (10
          <year>2012</year>
          ). https://doi.org/10.1177/1071181312561044
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          25.
          <string-name>
            <surname>Manso-Vazquez</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Caeiro-Rodr guez</surname>
            ,
            <given-names>M.</given-names>
            , M.
          </string-name>
          <string-name>
            <surname>Llamas-Nistal</surname>
          </string-name>
          :
          <article-title>An xapi application pro le to monitor self-regulated learning strategies</article-title>
          .
          <source>IEEE Access 6</source>
          ,
          <issue>42467</issue>
          {
          <fpage>42481</fpage>
          (
          <year>2018</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          26.
          <string-name>
            <surname>Martini</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Choo</surname>
          </string-name>
          ,
          <string-name>
            <surname>K.K.R.:</surname>
          </string-name>
          <article-title>Building the next generation of cyber security professionals</article-title>
          .
          <source>ECIS 2014 Proceedings - 22nd European Conference on Information Systems (01</source>
          <year>2014</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          27.
          <string-name>
            <surname>MongoDB</surname>
          </string-name>
          , I.:
          <article-title>Mongdb. the database for modern applications</article-title>
          . Available at https: //www.mongodb.com/ (
          <year>2020</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          28.
          <string-name>
            <surname>Project</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          : Sheila.
          <article-title>using data wisely for education futures</article-title>
          . on line at https:// sheilaproject.eu/ (
          <year>2020</year>
          ),
          <article-title>last accesed: 7th april 2020</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          29.
          <string-name>
            <surname>Robles-Gomez</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Tobarra</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pastor</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hernandez</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Duque</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cano</surname>
          </string-name>
          , J.:
          <article-title>Analyzing the students' learning within a container-based virtual laboratory for cybersecurity</article-title>
          .
          <source>In: Proceedings of the Seventh International Conference on Technological Ecosystems for Enhancing Multiculturality</source>
          . p.
          <volume>275</volume>
          {
          <fpage>283</fpage>
          . TEEM'
          <volume>19</volume>
          ,
          <string-name>
            <surname>Association</surname>
          </string-name>
          for Computing Machinery, New York, NY, USA (
          <year>2019</year>
          ). https://doi.org/10.1145/3362789.3362840, https://doi.org/10.1145/ 3362789.3362840
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          30.
          <string-name>
            <surname>Russo</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Costa</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Armando</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Scenario design and validation for next generation cyber ranges</article-title>
          .
          <source>In: 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA)</source>
          . pp.
          <volume>1</volume>
          {
          <issue>4</issue>
          (
          <year>2018</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          31. RusticiSoftware: Tincanpython library. Available at https://github.com/ RusticiSoftware/TinCanPython (
          <year>2020</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          32.
          <string-name>
            <surname>Schreuders</surname>
            ,
            <given-names>Z.C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shaw</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shan-A-Khuda</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ravichandran</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Keighley</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ordean</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Security scenario generator (secgen): A framework for generating randomly vulnerable rich-scenario vms for learning computer security and hosting CTF events</article-title>
          .
          <source>In: 2017 USENIX Workshop on Advances in Security Education (ASE 17)</source>
          .
          <source>USENIX Association</source>
          , Vancouver, BC (Aug
          <year>2017</year>
          ), https://www.usenix.org/ conference/ase17/workshop-program/presentation/schreuders
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          33.
          <string-name>
            <surname>Angel</surname>
          </string-name>
          Serrano-Laguna,
          <article-title>Mart nez-</article-title>
          <string-name>
            <surname>Ortiz</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Haag</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Regan</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Johnson</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fernandez-Manjon</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          :
          <article-title>Applying standards to systematize learning analytics in serious games</article-title>
          .
          <source>Computer Standards &amp; Interfaces</source>
          <volume>50</volume>
          ,
          <issue>116</issue>
          {
          <fpage>123</fpage>
          (
          <year>2017</year>
          ). https://doi.org/https://doi.org/10.1016/j.csi.
          <year>2016</year>
          .
          <volume>09</volume>
          .014, http://www. sciencedirect.com/science/article/pii/S0920548916301040
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          34.
          <string-name>
            <surname>Software</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          :
          <article-title>Experience api registry</article-title>
          . Available at https://registry.tincanapi.com/ #home/verbs (
          <year>2020</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          35.
          <string-name>
            <surname>Tobarra</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Robles-Gomez</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pastor</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hernandez</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Duque</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cano</surname>
          </string-name>
          , J.:
          <article-title>Students' acceptance and tracking of a new container-based virtual laboratory</article-title>
          .
          <source>Applied Sciences</source>
          <volume>10</volume>
          (
          <issue>3</issue>
          ),
          <volume>1091</volume>
          (Feb
          <year>2020</year>
          ). https://doi.org/10.3390/app10031091, http://dx.doi.org/10.3390/app10031091
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          36. conference on Trade,
          <string-name>
            <surname>U.N.</surname>
          </string-name>
          ,
          <article-title>Development: Data protection and privacy legislation worldwide</article-title>
          . Available at https://unctad.org/en/Pages/DTL/STI and ICTs/ ICT4D-Legislation/
          <article-title>eCom-Data-Protection-Laws.aspx (</article-title>
          <year>2018</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          37.
          <string-name>
            <surname>Trapero</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Tobarra</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pastor</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Robles-Gomez</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Hernandez</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Duque</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cano</surname>
          </string-name>
          , J.:
          <article-title>Game-based learning approach to cybersecurity</article-title>
          .
          <source>In: 2020 IEEE Global Engineering Education Conference (EDUCON)</source>
          . pp.
          <volume>1125</volume>
          {
          <issue>1132</issue>
          (
          <year>2020</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          38.
          <string-name>
            <surname>Trickel</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Disperati</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gustafson</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kalantari</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mabey</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Tiwari</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Safaei</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Doupe</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vigna</surname>
          </string-name>
          , G.:
          <article-title>Shell we play a game? ctf-as-a-service for security education</article-title>
          .
          <source>In: 2017 USENIX Workshop on Advances in Security Education (ASE 17)</source>
          .
          <source>USENIX Association</source>
          , Vancouver, BC (Aug
          <year>2017</year>
          ), https://www.usenix.org/ conference/ase17/workshop-program/presentation/trickel
        </mixed-citation>
      </ref>
      <ref id="ref39">
        <mixed-citation>
          39.
          <string-name>
            <surname>Wi</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Choi</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Cha</surname>
            ,
            <given-names>S.K.</given-names>
          </string-name>
          :
          <article-title>Git-based CTF: A simple and e ective approach to organizing in-course attack-and-defense security competition</article-title>
          .
          <source>In: 2018 USENIX Workshop on Advances in Security Education (ASE 18)</source>
          . USENIX Association, Baltimore,
          <string-name>
            <surname>MD</surname>
          </string-name>
          (Aug
          <year>2018</year>
          ), https://www.usenix.org/conference/ase18/presentation/ wi
        </mixed-citation>
      </ref>
      <ref id="ref40">
        <mixed-citation>
          40.
          <string-name>
            <surname>Willingham</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          :
          <article-title>Critical thinking why is it so hard to teach?</article-title>
          <source>Arts Education Policy Review</source>
          <volume>109</volume>
          (08
          <year>2010</year>
          ). https://doi.org/10.3200/AEPR.109.4.
          <fpage>21</fpage>
          -
          <lpage>32</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref41">
        <mixed-citation>
          41.
          <string-name>
            <surname>Zhang</surname>
            ,
            <given-names>X.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Liu</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gong</surname>
            ,
            <given-names>X.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Song</surname>
            ,
            <given-names>Z.</given-names>
          </string-name>
          :
          <article-title>State-of-the-art: Security competition in talent education</article-title>
          . In: Chen,
          <string-name>
            <given-names>X.</given-names>
            ,
            <surname>Lin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            ,
            <surname>Yung</surname>
          </string-name>
          , M. (eds.)
          <source>Information Security and Cryptology</source>
          . pp.
          <volume>461</volume>
          {
          <fpage>481</fpage>
          . Springer International Publishing,
          <string-name>
            <surname>Cham</surname>
          </string-name>
          (
          <year>2018</year>
          )
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>