Workshop on Serious Games for Cyber Security

SICSA logo
Cybersecurity Nexus logo

Heriot-Watt University

May 21-22, 2019



This workshop intends to bring together in Scotland people interested in games, serious games and cyber security. It will consists of talks, hands-on workshops, demos, and discussions sessions for researchers, industries, game designers and developers, cyber security enthusiasts.

The workshop is sponsored by SICSA Cybersecurity Nexus.


Here is the list of serious games and cyber security experts who will be giving talks, running hands-on workshops and demos.


The workshops is open to academics, professionals, students, and anyone interested in serious games and cyber security. The workshop will be a platform to share and discuss experiences, perspectives and challenges in deploying serious games for tackling cyber security, for the teaching and training in cyber security. The workshop is multi-disciplinary as it brings together experts in the design and development methods for serious games as well as experts in several domains of cyber security such as privacy and developer-centred security. See registration instructions.

Topics of Discussions

Throughout the two days, there will be allocated times for discussions where we will address issues of:

  • Cyber security and education,
  • serious games design and development in the context of cyber security,
  • Challenges of cyber security that serious games should tackle.


The sessions of the programme are multi disciplinary and bring together expertise from games and cyber security (programme last update on May 10). The programme is available in a PDF version.

Day 1, Tuesday May 21, 2019

9:30-10:00 Welcome, registration PG Centre
10:00-11:00 Keynote 1  
11:00-11:30 Coffee break  
11:30-13:00 Talks session 1  
13:00-14:00 Lunch  
14:00-16:00 Hands-on activity 1 GRID Building
16:00-17:00 Coffee break / demos session  
17:00-18:00 Group discussions  

We will be going to a Akva at the end of the day (at about 7pm): 129 Fountainbridge, Edinburgh EH3 9QG (15 minutes walk to Haymarket Train Station).

Day 2, Wednesday May 22, 2019

10:00-11:00 Keynote 2 PG Centre
11:00-11:30 Coffee break  
11:30-13:00 Talks session 2  
13:00-14:00 Lunch  
14:00-16:00 Hands-on activity 2 GRID Building
16:00-17:00 Coffee break / demos session  
17:00-18:00 Group discussions  

Keynote 1

Clare Duffy, Rupert Goodwins (The Civic Digits)

The Big Data Show: immersive theatre and ethical hacking
Civic Digits is a theatre company set up to explore the use of digital technology in entertaining and educating audiences through drama. Our first production, The Big Data Show, combines digital magic with the story of the first high-profile UK hack - that of Prince Philip's email. It uses the young audience's own mobile phones to deliver the experience not just of becoming part of the show, but of having their own technology slip out of their control. We'll discuss how this works, technically and dramatically, why we're doing it, and the effects it has on enhancing our audience's awareness of cyber-security, privacy and online life. If you would like to take part in the subsequent demo, please download and play our game app, Swipe - The Big Data Show, from the Apple app store or Google Play, in the days before the workshop. It's a lot of fun.

Keynote 2

Theo Lim (Heriot-Watt University)

A Cyber-Physical Gaming System for Vocational Training
Cyber-physical systems enable new digital ecologies in industrial and workplace lifelong learning. This paper reports on early efforts in delivering a virtual environment and system for vocational education and training (VET), in particular targeting the needs of craft and trade skills. The domain of stone masonry is presented herein, where its underpinning activities are learning through virtual environments, simulation and role play. The challenges are not only the synchronicity between physical and software components but also the in-game mechanics that incorporate building blocks of effective training and skills development strategies. A prototype body-area sensor network in a cyber-physical game environment demonstrates the interaction between virtual objects and the player-learner.

Relevant work: Sivanathan, A., Mcgibbon, S., Lim, T., Ritchie, J., Abdel-Wahab, M., 2017. A Cyber-Physical Gaming System for Vocational Training. International Design Engineering Technical Conferences and Computers and Information in Engineering Conference doi:10.1115/DETC2017-67560

Talks session 1

  1. Robin Sloan (Abertay University)
    The Enemy Within: Developing an educational strategy game to raise awareness of the genesis, evolution and progression of cancer
    The design of applied games often relies on the coming together of games professionals and subject experts, with the latter fulfilling a role of advisor. This interdisciplinary working can lead to a number of tensions, not only around understanding of the game development process, but also game design conventions and how digital play can be best utilised as a form of messaging for scientific understanding. This talk will present research that sought to address these tensions by integrating scientific experts directly into the game design and development process as co-designers, with a view towards promoting games as a medium for popular science communication. Four games were produced through this method, including the game The Enemy Within, which will be the focus for discussion in the talk.
  2. Charles Weir (Lancaster University)
    Researchers as Trouble Makers: Using Action Research Methods with Games
    It’s hard to research the effectiveness of serious games on professionals. The difficulty of getting professionals involved, and the variation between participants make A-B testing difficult, and the need for researchers to be involved makes objectivity challenging. So how can one do valid research and get meaningful results?

    Charles’ talk will provide one possible answer to this question. He’ll introduce the Magid project at Lancaster University: the building and testing of a game-based intervention package to help development teams improve security. He’ll discuss two Action Research techniques not usual in software research; how they recruited a dozen different industry teams to trial the package; and some of the results they found.

    Relevant work: Weir C, Becker I, Noble J, Blair L, Sasse MA, Rashid A. Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers. Accepted for: Proceedings of the 41st International Conference on Software Engineering: Software Engineering in Practice. IEEE; 2019. (preprint)

  3. Charles Morisset (Newcastle University)
    An interactive Game for Security Protocol Analysis
    A security protocol enables multiple parties to exchange information in a secure way. Security experts have designed complex protocol analysis tools (e.g., AVISPA, Tamarin), but these tools often require an extensive security protocol knowledge to be usable. This presentation introduces a new interactive Game for Security Protocol Analysis, which targets a novice audience (such as computer science students), and help them understand the basic concepts of security protocols (e.g., nonce, identity, session key), as well as the construction of attack against these protocols. A detailed tutorial for this game is available online.

Talks session 2

  1. Sandy Louchart (Glasgow School of Art), Léon McGregor (Heriot-Watt University)
    Co-created design of a serious game investigation into developer-centred security
    The cyber security context requires to better understand how developers write (in)secure code and to assist them in their software developments. We have developed a secure coding experiment and serious game intervention. We report on the design of a serious game to investigate developer-centred security. We used a combination of approaches to shape discussions and support the serious game co-creation.

    Relevant work: Maarek, M., Louchart, S., McGregor, L., McMenemy, R., 2019. Co-created Design of a Serious Game Investigation into Developer-Centred Security. Games and Learning Alliance 2018. doi:10.1007/978-3-030-11548-7_21

  2. Thomas Hainey (University of the West of Scotland)
    Content Integration for Serious Virtual Reality Games to Teach Rudimentary Programming
    Computer programming is a valuable, transferrable, fundamental skill required by many courses at University level such as software engineering, computer science, computer games development, secure programming and cyber security. Higher Education institutions are constantly striving to find new innovative teaching, learning, assessment and evaluation methods and computer programming has a reputation for being a difficult subject with a high level of attrition. Serious games offer a novel, supplementary teaching and assessment alternative to traditional approaches however there is a lack of research associated with the acceptability of serious games and appropriate pedagogical content integration is a major challenge. This paper will present the findings of a survey performed in HE to ascertain the pedagogical content preferences and requirements for a computer game and a virtual reality application to teach: rudimentary programming concepts, advanced object oriented concepts, data structures and algorithms in introductory programming modules at the University of the West of Scotland. 61 participants responded to the survey and this will ascertain the perceived suitability of a computer game and a virtual reality application for teaching various programming concepts and allow for comparisons between the two approaches.

    Relevant work with G. Baxter, A. Stanton: submitted paper titled A serious game to teach rudimentary programming investigating content integration

  3. Lynsay Shepherd (Abertay University)
    Promoting Cyber Security Awareness via Gamification
    Modern society depends upon the Internet, allowing users access to online services such as social networks, Internet banking applications, and e-commerce websites. To ensure users behave in a safe and secure manner online, it is important for them to have an understanding of basic security measures. However, users often do not know how to make their online interactions secure. This talk will discuss the challenges of improving security awareness and how gamification techniques have the potential to address these issues. An exploratory study will be presented based on research conducted with a role-playing Android application which uses gamification techniques to educate users about password security.

    Relevant paper: Scholefield, S., Shepherd L.A. (2019). Gamification Techniques for Raising Cyber Security Awareness. HCI International 2019. (preprint)

  4. Liz Boyle (University of the West of Scotland)
    RU EU? A game-based Approach to exploring 21st century European Identity and Values
    An important aim of the European Union has been to avoid the conflicts that have devastated Europe during the preceding decades and, to date, the EU has generally been successful in these aims. However differing levels of commitment to the European Union amongst EU citizens and member states have increasingly produced challenges to the European project, most notably the Brexit vote that endorsed the UK leaving the EU. Issues of National and European identity underlie many of the current concerns of European citizens. This presentation will describe the Erasmus + funded RU EU? project which has developed an online game, the RU EU? game, that aims to help students across Europe to develop a better understanding of their own National and European identity and values at a time of political change in Europe. Early design tasks for the project helped to characterise European identity as a multicomponent construct with security recognised as one of these components. We will outline the game design process, explain how the game is grounded in theory and describe the learning outcomes for the game and how these have been implemented in the game tasks and tools.

    Joint work with: Murray Leith, Duncan Sim, Gavin Baxter, Alan Williams (University of the West of Scotland), Hans Hummel, Jeroen Storm (Open Universiteit Nederland), Petar Jandrić (Tehničko veleučilište u Zagrebu), Athanassios Jimoyiannis, (University of Peloponnese), Jannicke Hauge (Bremer Institut Fuer Produktion Und Logistik GMBH)

Hands-on activity 1

Theo Lim (Heriot-Watt University), Sandy Louchart (Glasgow School of Art)

The Learning Mechanics-Game Mechanics (LM-GM) framework
The aim of this workshop is to introduce participants to the LM-GM framework for designing serious games and experience pairing learning mechanics to game mechanics towards a playful educative game. In this workshop, participants will work on developing gaming solutions to established cyber-security processes (good practices) and work on the Meaning and Play phases of the triadic game design workshop developed by Harteveld.

The outcome of the workshop will be for participants to 1) gain confidence in approaching a serious game design problem, 2) understand and experience a relatively simple but structured design approach and 3) interact across discipline in a practical and engaging activity.

Relevant paper: Arnab, S., Lim, T., Carvalho, M. B., Bellotti, F., de Freitas, S., Louchart, S., Suttie, N., Berta, R., De Gloria, A. (2015). Mapping learning and game mechanics for serious games analysis. British Journal of Educational Technology, 46(2). doi:10.1111/bjet.12113

Hands-on activity 2

Charles Weir (Lancaster University)

The Agile Security Game
This session offers a role-playing game to help software developers—programmers, testers, project managers and product owners—to understand software security decisions. In it, you will be given a mobile app product and you’ll work with a team to decide which security functionality to implement. It’s fun to play, and supports learning about security threats, helping participants to share knowledge, and, in the longer term, adopting a mature risk-based approach to software security. Join us to learn, and to find out how to arrange a session yourself.

Demos sessions

  • Swipe - Big Data Show by Rupert Goodwins (The Civic Digits, Orthrus Studios), available on Apple app store or Google Play.
  • The Enemy Within by Robin Sloan (Abertay University)
  • Tower Defence for DCS by Manuel Maarek, Léon McGregor (Heriot-Watt University), Sandy Louchart, Ross McMenemy (Glasgow School of Art)
  • Playground Heroes (game for the EU-funded GATE BULL project for Bullying Prevention) by Thomas Hainey (University of the West of Scotland)
  • RU EU? by Liz Boyle (University of the West of Scotland)

Group discussions

Group discussions will evolve around points raised during the day and the themes of the workshop:

  • Cyber security and education,
  • serious games design and development in the context of cyber security,
  • Challenges of cyber security that serious games should tackle.



Registration is free, please register using the following Eventbrite. Lunch will be provided thanks to our SICSA Cybersecurity Nexus sponsor. Please email Manuel Maarek if you have any dietary requirements, and if you are only able to attend one of the two workshop days.



The workshop will take place at Heriot-Watt University in the Lecture Theatre (PG G.01) of the Postgraduate Centre and in the Creative Studio and Gaming Studio of the new GRID Building of the Riccarton campus. This page gives maps and directions to the campus.

Postgraduate Centre

Lecture Theatre (PG G.01)

View Larger Map

GRID Building

Creative Studio, Gaming Studio

View Larger Map