Gamified or Glorified? A systematic review of serious games for security & privacy in the SDLC
Jonah Bellemans, Dimitri Van Landuyt, Laurens Sion, Lieven Desmet
Information and Software Technology, volume 188, Article 107850 (Journal Article), published 2025-08-19
DOI: 10.1016/j.infsof.2025.107850
URL: https://www.sciencedirect.com/science/article/pii/S0950584925001892
Citation count: 0
Abstract
Context:
While security and privacy are playing increasingly important roles in the software development process, the skill shortage for security and privacy keeps growing. To address this, academia and industry alike have proposed game-based approaches, to foster involvement of non-expert stakeholders, and to improve collaboration among the various parties involved. However, research has shown that injudicious implementation of gamification can do more harm than good. Basing the game design on an existing, established methodology is crucial to accomplish the intended goals of the game.
Objective:
This paper identifies and compares the different serious games in the space of security and privacy engineering. It highlights the differences between games in goals, intent, form, and approach, and pays particular attention to (1) the specific motivations behind the selected gameful design elements, and (2) the scientific evidence of the benefits of these game-based approaches.
Method:
We perform a widely-scoped discovery search for relevant serious games to establish a dataset of relevant games. For each of the twelve games in total, we collect and study the different game artifacts, covered CyBOK knowledge domains, materials, research articles, and practitioner testimonials.
Results:
Most games target a multi-stakeholder industry practitioner audience, typically with the goal of providing a first introduction to activities such as Requirements Engineering and Threat Modeling. The majority of games have been designed in an ad-hoc manner, rather than being based on design frameworks or methodologies. Scientific evaluations of these games mostly focus on obtaining participant feedback, experiences and opinions, rather than evaluating the actual outcomes of applying the game.
Conclusions:
While game-based approaches for security and privacy in the SDLC are showing promise, many of them have not been designed with proven serious game design frameworks or methodologies. Further empirical evidence is required to confirm the effectiveness of these games.
Journal description:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.