Serious game for industrial cybersecurity: Experiential learning through code review

Abstract

Every stage of the industrial software development process is crucial for ensuring high-quality results in a time of increasing digitalization and complexity. Code review is a method to enhance software quality and also promote knowledge exchange among teams. It is generally accepted that the earlier that software bugs and vulnerabilities are caught during product development, the more costs can be saved. As such, code review can play an important role in industrial software development. However, industry experience showcases that code review can be resource-intensive, and the direct impact on code quality can be hard to quantify. Related work shows that practitioners performing code reviews do not focus specifically on security, partly due to a gap in awareness of the topic. Our research focuses on improving the efficiency and effectiveness of code review practices, particularly in identifying and addressing security issues in an industrial context. The present work showcases results from using a serious game as a means to empower developers, by exhibiting code review best practices and raising awareness of security concerns. We collect results over a series of 11 experiments conducted in an industrial setting together with a total of 175 industrial practitioners, serving as a pilot stage, based on which we discuss and conclude on important aspects of the design of the game.