PenQuest: a gamified attacker/defender meta model for cyber security assessment and education
Autor: | Simon Tjoa, Helge Janicke, Marlies Temper, Sebastian Schrittwieser, Robert Luh |
---|---|
Rok vydání: | 2019 |
Předmět: |
business.industry
Computer science Perfect information Information technology Context (language use) 02 engineering and technology Information security Semantic data model Computer security computer.software_genre Computational Theory and Mathematics Hardware and Architecture 020204 information systems Information technology management 0202 electrical engineering electronic engineering information engineering Computer Science (miscellaneous) Information system Attack patterns 020201 artificial intelligence & image processing business computer Software |
Zdroj: | Journal of Computer Virology and Hacking Techniques. 16:19-61 |
ISSN: | 2263-8733 |
DOI: | 10.1007/s11416-019-00342-x |
Popis: | Attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. At the same time, the complex interplay of attack techniques and possible countermeasures makes it difficult to appropriately plan, implement, and evaluate an organization’s defense. More often than not, the worlds of technical threats and organizational controls remain disjunct. In this article, we introduce PenQuest, a meta model designed to present a complete view on information system attacks and their mitigation while providing a tool for both semantic data enrichment and security education. PenQuest simulates time-enabled attacker/defender behavior as part of a dynamic, imperfect information multi-player game that derives significant parts of its ruleset from established information security sources such as STIX, CAPEC, CVE/CWE and NIST SP 800-53. Attack patterns, vulnerabilities, and mitigating controls are mapped to counterpart strategies and concrete actions through practical, data-centric mechanisms. The gamified model considers and defines a wide range of actors, assets, and actions, thereby enabling the assessment of cyber risks while giving technical experts the opportunity to explore specific attack scenarios in the context of an abstracted IT infrastructure. We implemented PenQuest as a physical serious game prototype and successfully tested it in a higher education environment. Additional expert interviews helped evaluate the model’s applicability to information security scenarios. |
Databáze: | OpenAIRE |
Externí odkaz: |