Observations and opportunities in cybersecurity education game design

We identify three challenges in cybersecurity education that could be addressed through game-based learning: conveying cybersecurity fundamentals, assessment of understanding, and recruitment and retention of professionals. By combining established epistemologies for cybersecurity with documented best practices for educational game design, we are able to define four research questions about the state of cybersecurity education games. Our attention is focused on games for ages 12-18 rather than adult learners or professional development. We analyze 21 games through the lens of our four research questions, including games that are explicitly designed to teach cybersecurity concepts as well as commercial titles with cybersecurity themes; in the absence of empirical evidence of these games' efficacy, our analysis frames these games within educational game design theory. This analysis produces a three-tier taxonomy of games: those whose gameplay is not associated with cybersecurity education content (Type 1); those that integrate multiple-choice decisions only (Type 2); and those that integrate cybersecurity objectives into authentic gameplay activity (Type 3). This analysis reveals opportunities for new endeavors to incorporate multiple perspectives and to scaffold learners progression from the simple games to the more complex simulations.