G. Pappas¹, P. Peratikou², J. Siegel³, K. Politopoulos⁴, C. Christodoulides², S. Stavrou²

¹Open University of Cyprus / National Technical University of Athens (CYPRUS)
²Open University of Cyprus (CYPRUS)
³Michigan State University (UNITED STATES)
⁴National Technical University of Athens (GREECE)

Serious games can be robust and rigorous learning tools. Gamification serves as motivation to increase participation during in-class activities and encourages diverse students to cooperate within a safe and goal-oriented learning environment. Instructors can engage with their students and provide feedback using in-game scoring or other mechanisms. Thoughtful level design can create scaffolded learning opportunities for students to build upon foundational knowledge in order to reach new heights.

Drawing upon the concept of serious games, we develop a cybersecurity-centric, virtual “escape room,” in which students must complete tasks of increasing difficulty in order to exit. The game is built atop a cyber range called a “Threat Realm,” a virtualized ICT environment comprising simulated digital and physical systems. In the Threat Realm, students may explore and exploit systems and their weaknesses without fear of consequence or retribution, allowing for the creation of individual or team-based “red team” activities for students to complete. The game is designed to provide an easy-to-use environment for participants from a range of technical and non-technical backgrounds, increasing its reach. Envisioned exercises target general cybersecurity awareness, penetration testing, vulnerability exploitation, social engineering, and more.

“Cyber Escape Room” is a first-person 3D video game developed in the Unity game engine. The game loads into a camera view emulating the player’s viewpoint, placing them inside a building with physical and digital security infrastructure based on a realistic system. The user must find and interact with a workstation using traditional security tools and techniques to meet objectives of increasing difficulty in order to test their previously learned cybersecurity training. This requires collecting items and information.

Player actions are split into physical and digital tasks. Physical tasks include item collection (flash drives) to motivate the need to guard data in the physical realm. These drives contain information necessary to solve riddles and open doors. Digital tasks involve the use of the workstations inside the cyber range.
Completing each task successfully provides students with “decryption codes” necessary to continue their quest, e.g. by providing additional information, items, or access. Gameplay-motivating elements include timers, goal-completion achievements, and leaderboards, both in singleplayer and multiplayer modes. Singleplayer games follow a particular sequence; multiplayer games may be competitive (1 vs. 1) or cooperative.

The game stands out for its tutor-friendly design, customizability, and extensibility. Tools allow the instructor to change passwords and in-game links to web content, embed external videos or information feeds, and more, in order to provide clues, notifications, or false leads. The ability for instructors to reengineer the game without changing source code is a significant advantage that will make this a highly effective teaching tool.

In conclusion, this game has the potential to change cybersecurity education by creating an easily accessible and extensible tool that allows students to experiment and receive feedback in a safe and controlled environment.