Serious Coding: A Game Approach To Security For The New Code-Citizens

Lead Research Organisation: Heriot-Watt University
Department Name: S of Mathematical and Computer Sciences

Abstract

The security of software systems is a complex problem impacted by organisation, technology and people. An example of the impact of weak security is shown by the 2019 Cost of a Data Breach report, in which the Ponemon Institute for IBM Security estimated that across the United Kingdom the average cost of a data breach increased from $3.68 million in 2018 to $3.88 million in 2019 (the 6th highest cost globally when compared to other regions). Software developers are at the forefront of the issue, as confirmed by GitLab's 2019 Global Developer Report released on 15th July 2019 (https://about.gitlab.com/developer-survey/2019/), which surveyed over 4,000 software professionals and found that while 69% of developers indicate they are expected to write secure code, nearly half said they struggle to get developers to make remediation of vulnerabilities a priority, and 68% of security professionals feel that fewer than half of developers are able to spot security vulnerabilities later in the lifecycle. These dramatic figures concern professionals, whereas the democratisation of software development and deployment enabled by the enormous markets of mobile and Web apps means that many of these apps are not built by professionals at all.

With the democratisation of software development and deployment comes the widening of the issues of code security and safety. At the heart of this democratisation are the new code-citizens who are code-literate, able to build and run their own software code. However, they may have had no formal software engineering training and are often outside of the software industry, which normally inculcates good practice via house standards. As new citizens, they need to discover, understand, and exercise their rights and duties in a society living with software systems. Their understanding of the security implications of their coding is of fundamental importance to the security of software systems. Recent research (Fischer et al., 2017) revealed that of the 1.3 million Android applications that contained security-related code snippets from Stack Overflow, 97.9% contained at least one insecure code snippet.

To assist these code-citizens to become secure code-citizens, we believe that we can use serious games, which bring practice and play together to enhance and guide our participants' focus. Games are an immersive medium which the project will use to engage code-citizens and deliver an intervention on security matters. Additionally, the process of designing serious games itself elicits the nature of the practice and engages participants in defining how to intervene and act effectively. We propose in this project to put code-citizens at the heart of secure code development by engaging code-citizens in the co-design of serious games for code-citizens. The project will apply an enhanced serious game design to three software security themes that have been informed by industrial practice.

Planned Impact

We have identified the following specific outputs that will form the long-term impact of our project:
1. A framework for creating serious games for secure coding.
2. A set of creative components that can be used to create games for secure coding.
3. A set of software components that can be used to create series of games for secure coding.
4. A series of games that can be used to teach new coders how to securely code.
5. A series of exhibitions to showcase 1-4 above and to advocate for their adoption and for the wider adoption of secure software engineering with public and policy makers.
Pathway 1: People Co-creation and Ownership
The first impact we expect is through the co-creative approach of the project and the open licensing of its productions.
Open Access: all our events will be fully documented, including an audio-visual record made freely available online.
Open Licensing: All the software and creative components that will be produced by the project will be licensed with permissive copyrights such as MIT Licenses and Creative Commons Licenses.
Lasting Shared Ownership: sustainability of the core network is intrinsic to this proposal and, in addition to the events themselves, appropriate communication systems will be established by PE1 in collaboration with the participants.
Pathway 2: Leveraging Games for Security Collaborations
The project's developer-centred security focus aims to have an impact on national cyber security.
Cross-Discipline: The core team members' expertise covers all of the disciplines relevant to deliver a new framework, components and games namely: software engineering, software security, human-computer interaction, game design, creative writing, anthropology, visual narratives, serious games and script writing.
Fostering Collaborations: critically, we have budgeted to allow a significant number and wide range of stakeholders to participate in events. This not only brings fresh perspectives and technical skills but will equip a wide spectrum of code-citizens with the skills needed to be secure coders.
Software Industry: This project aims to impact the industry by providing a framework for structuring and accelerating the building of secure code.
Policy Makers: we have an established relationship with the Scottish Government's resilience unit and will facilitate dissemination to them. The advisory group will also be tasked with identifying a similar key unit at UK level.
Pathway 3: Coding Games for Education
Secure Software Education: the games developed will be showcased at the main exhibitions and their repeat events. These events and the project itself will be the setting for involving educators in including these games in their teaching.
Software CyBOK documentation: we will base the topics of our future forums on the results of the CyBOK project (Cybersecurity Body of Knowledge). The games we produce will therefore include links back to these research outputs.
Pathway 4: Journeys and Games Dissemination
Multi-presence and Accessibility: the project will combine online and physical presence during all of the events in order to make all our events truly accessible to all citizens regardless of location or physical ability.
Civic Dimension: the focus of our research project on security for code-citizens resonates with Civic Digits' approach to educating in the digital world.

We will set up an Advisory Board, which will focus on ways to maximise the project's impact. Possible members are: Clare El Azebbi, Head of Cyber Resilience Policy in the Scottish Government; Judy Robertson, a leading expert in Computer Science Education from the University of Edinburgh; Simon Peyton-Jones, chair of the UK National Centre for Computing Education; Brenda Romero, a leading Serious Games expert known for her work "Mechanic Is the Message"; Helen Sharp, an expert in the Human Aspect of Software Engineering from the Open University; and Rod Chapman, an industrial expert in Safe and Secure Software.

Description Findings from our analysis so far show that the Slow Game Jam (SGJ) method we employed increased the confidence of participants (from 12.5% to 62.5%) regarding cybersecurity concepts, with free-text answers indicating that the SGJ experience increased their understanding of cybersecurity, specifically in terms of vulnerabilities, attacks, and defences, for three quarters of the participants. The SGJ also increased the confidence of participants (from 12.5% to 75%) in their knowledge and understanding of game design. The SGJ successfully engaged participants in between scheduled days of the SGJ, but running it in a hybrid format with some participants present synchronously online was not effective.
Exploitation Route We are currently applying for IAA funding and actively investigating a follow-on award.
Sectors Digital/Communication/Information Technologies (including Software), Education

 
Description We have found that our cybersecurity slow game jam methodology can be used by children as well as adults; we found this by running a summer school and evaluating the outcomes regarding cybersecurity knowledge before and after taking part.
First Year Of Impact 2022
Sector Digital/Communication/Information Technologies (including Software), Education
Impact Types Societal

 
Description Cyber Security Body of Knowledge (Call for funded projects to develop resources around CyBOK v1.1)
Amount £4,117 (GBP)
Organisation National Cyber Security Centre
Sector Public
Country United Kingdom
Start 10/2021
End 12/2021
 
Description Interview with Computing magazine
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Rob Stewart and Manuel Maarek were interviewed by John Leonard from UK Computing magazine. The interview focused on their talk at GitLab Commit 2021, on the UKICER 2020 paper titled "Software Testing as Medium for Peer Feedback", and on the innovative ways DevOps platforms are used as part of their research and teaching.
Year(s) Of Engagement Activity 2021
URL https://www.computing.co.uk/feature/4035926/inspired-devops-heriot-watt-university-automating-teachi...