Abstract
Today’s IT and OT infrastructure is threatened by a plethora of cyber-attacks conducted by actors with different motivations and means. Furthermore, the complexity of these exposed systems as well as the adversaries’ sophisticated technical arsenal makes it increasingly difficult to plan and implement an organization’s defense. Understanding the link between specific attacks and effective mitigating measures is particularly challenging – as is understanding the underlying information security concepts. To support the training of current, and more importantly, nascent security engineers, we propose PenQuest, a digital attack and defense game where an attacker attempts to compromise an abstracted IT infrastructure and the defender works to prevent or mitigate the threat. The game is based on MITRE ATT&CK, D3FEND, and the NIST SP 800-53 security standard and incorporates a multitude of concepts such as cyber kill chains, attack vectors, network segmentation, and more. PenQuest is built to support security education and risk assessment and was evaluated with a class of engineering students as well as independent security experts. Initial results show a significant increase in knowledge retention and attest to the game’s feasibility for educational use.
Originalsprache | Englisch |
---|---|
Titel | Proceedings of the 2022 IEEE Global Engineering Education Conference, EDUCON 2022 |
Redakteure*innen | Mohammed Jemni, Ilhem Kallel, Abdeljalil Akkari |
Erscheinungsort | Piscataway, NJ |
Herausgeber (Verlag) | IEEE |
Seiten | 906-914 |
Seitenumfang | 9 |
ISBN (elektronisch) | 978-1-6654-4434-7 |
ISBN (Print) | 978-1-6654-4435-4 |
DOIs | |
Publikationsstatus | Veröffentlicht - 1 März 2022 |
ÖFOS 2012
- 102013 Human-Computer Interaction
- 102016 IT-Sicherheit