Collaboration

This game is the direct result of a process of investigation leading to new insights, effectively shared. It is therefore firmly a research output in terms of both methodology and purpose. An extended abstract justifying this follows. Game description Collaboration is a small, provoking game (SPG) for software developers working in larger projects and showcases the importance of teamwork regarding cybersecurity across the whole software development lifecycle. The game was designed and developed by an interdisciplinary research team on the SECRIOUS project. The game addresses three themes: 1) Communication between co-workers, especially the non-technical, human side of communication, as an important parameter in defining the quality of the output and the work efficiency of the team. 2) Resource management, including the distribution of workforce, work hours and assets in relation to the necessary workload for production of safe and functional code. 3) Responsibility of individuals to ensure code security across the lifecycle. Collaboration celebrates the importance of psychology, responsibility, and human relationships in a cybersecurity environment and their impact on the final outcome. After engaging with the game, there is a post-play activity, where players are actively prompted to reflect on their own professional life, their co-workers' needs and values, their own communication skills and its impact on others. The game adopts the same fictional universe with its light-hearted tone and colourful iconography as its sister game (?Protection?, also produced by the SECRIOUS project), but expands the list of in-game metaphors to include concepts for: a publicly-used software application (the RAINBOW) and its cybersecurity requirements (colours/lanes) the team of developers that are tasked with creating it (the protagonist and their associates) a period of development cycles (the monsoon season) data flow and data corruption (pure or acid rain) and the user community and their safety (the digital rainforest trees and the overall health of the ecosystem). The player controls one of the members of the dev team and needs to work with their associates to construct and release the RAINBOW which has seven distinct parts. The RAINBOW is a metaphor for public software infrastructure which serves a need. It contributes to the digital rainforest by creating rain, however ?rain? has variable safety levels, depending on how well the RAINBOW has been constructed, and this can either benefit or potentially harm the ecosystem. Collaboration plays as a turn-based, puzzle game, with each level being a work day. Each team member has their own expertise and personality (behaviour). The player should master the RAINBOW construction manual on the one hand (the technical aspect), and observe and understand their (NPC) colleagues? different personalities on the other (the human aspect), in order to take the appropriate actions each time and make sure that by the end of the day, the rainforest has the safest RAINBOW it can get. Each worker has an action point pool that symbolizes their energy/time during a work shift and can power two types of player actions: either directly constructing a rainbow lane (writing code) or talking to another co-worker (sharing info). Talking can be done with various moods/communication styles which will influence the response of their co-worker. Players are free to revoke their actions with no cost so as to allow for maximum experimentation. Learning outcomes Collaboration was designed to have constructivist learning outcomes by deliberately provoking the player to try to figure out the metaphors inherent in design and gameplay to construct their own understandings. A key outcome was to provoke inquiry-based reflection on players? own coding practice and (hopefully) transformative attitude change towards communication as part of the cybersecurity community into the future. This game was created in response to three identified issues related to cybersecurity: Developers (or teams) working on different parts of the code may operate in an isolated way and cybersecurity issues may creep in as a result of lacking overview and/or communication. Developers may not treat communication as an important part of their job description and consequently may not be willing to devote time and energy away from development to cater to it. Human/?soft? skills are an undervalued and frequently untrained skill set in highly technical work environments, but are crucial for successful project delivery and good/healthy work conditions. The game aims to address these by building counternotions into the game?s foundations. More specifically, the game through its rule system and feedback loops evokes the following key learning outcomes: The security of the product is as good as the security of the weakest link. If one element fails, the whole system is impaired. Security needs to be implemented in multiple aspects and stages, therefore overview and communication throughout the development pipeline is necessary. The quality of communication across teams can affect the quality of the end-product. The human side of communication is as important, energy consuming and skill demanding as the technical content. Others may be very different from you - and from each other. Although there is no manual for how people work, with patience and observation you can understand them. The quality of the end-product will be judged by its performance in the long-term. Releasing unsafe code even once may have an irreversible impact on the user community. Research insights This game, like its sister game (Protection, also from the SECRIOUS research project) uses a ?provoking? game design strategy, which focusses on exploratory gameplay and players actively constructing meaning with the core aim to encourage critical reflection and, ideally, attitude and/or behavioural change in coding practices. As well as functioning as a standalone game, Collaboration was specifically designed to enmesh with a game jam on the Security Lifecycle and was used to provoke critical discussion between jammers as they compared their interpretations. Its purpose in this context was to contribute to the process of serious game design. As such this small provoking game plays a part in wider methodological development for the co-design of serious games. Specifically, the game is unique in its intervention area and modification of commonplace game design strategies. Our intervention steers away from technical matters and is focused on the human aspect of cybersecurity, as indicated by findings that show that the majority of cybersecurity incidents are attributed to human factors. The game abstracts the technical cybersecurity content to the utmost degree, so that the post-play activity is essential to a complete experience, since that is when the game experience is again re-contextualized in the domain of cybersecurity. This choice doubles as an attempt to show the universality of some of the statements that the game aims to make outside of cybersecurity. In terms of game design, the game subverts common player expectations, for example, that every challenge presented is both feasible and perfectable. On the contrary, in real life, many challenges can only be handled with a ?as good as it gets? approach, where others may be simply impossible due to bad management, which can manifest as lacking expertise, overload and/or conflicting priorities. The game deliberately uses ?impossible to perfect? levels within the gameplay to allow players to construct this notion for themselves. Another common concept that is rejected within this game is that of a mandatory ?baseline? of a player?s performance. A player may make progress in the game (complete a level and unlock the next) with even the worst possible performance. Instead of restricting progress, the game represents the detrimental effect on the digital ecosystem instead. This aspect can be explored (and to some extent, mitigated) using player actions within the menu screen (using resources they have earned to improve the digital rainforest.) The gameplay leaves the player as the only person truly responsible to safeguard the quality of their own work, again supporting our goals of reflection rather than instruction. This was also done as an expression of the fact that in real life, given lack of industry standards, each individual?s responsibility over security issues acts as the regulator for the safety of the end-product.