@phdthesis{, author = {Gasiba, Tiago José Espinha de Mendonça}, title = {Raising Awareness on Secure Coding in the Industry through CyberSecurity Challenges}, editor = {}, booktitle = {}, series = {}, journal = {}, address = {}, publisher = {}, edition = {}, year = {2021}, isbn = {}, volume = {}, number = {}, pages = {}, url = {}, doi = {}, keywords = {CyberSecurity Challenges; Secure Coding; Industry; Software Developers; Awareness; Serious Game; Action Design Research}, abstract = {Code containing software vulnerabilities can potentially be exploited, and result in a cybersecurity incident. Possible consequences of cybersecurity incidents range from monetary deprivation to loss of life. This work aims to address this problem through the human factor, the software developers, by raising awareness of secure coding guidelines through a serious game -- the CyberSecurity Challenges. CyberSecurity Challenges is a serious game inspired by the capture-the-flag genre, and constitutes the main contribution of the present work. In this game, players are given challenges containing secure coding vulnerabilities. The goal is to solve the challenges, by rewriting the code to be compliant with secure coding guidelines. Players compete against other teams and collect points in the form of flags. The research design consists of a Action-Design Research with three iterations, two empirical studies, and three deep dive studies. Research was conducted at Siemens AG, from 2017 to 2020, in collaboration with the Universität der Bundeswehr München and the Instituto Universitário de Lisboa. More than 200 professional software developers from the industry participated in the design of the CyberSecurity Challenges. A total of thirteen game events were held during the three design cycles. The empirical studies explore the usage and awareness of secure coding guidelines through an industry case study and a large-scale survey. More than 190 industry software developers took part in the large-scale survey. The deep dives provide additional information for practitioners on selecting secure coding guidelines, on how to organize and frame a CyberSecurity Challenges event temporarily, and give insight into different deployment scenarios. We show that software developers lack awareness of secure coding, and that defensive challenges are adequate to raise their awareness. We also provide guidelines for implementing CyberSecurity Challenges. Furthermore, we determine the deterrent factors to the usage of secure coding guidelines, which are lack of time, unreasonable guidelines, and constant technology changes. CyberSecurity Challenges are validated in an industrial environment, and are well received by software developers and by managers. Preliminary versions of this work have been published in well ranked venues, and two papers received the best-paper award.}, note = {}, school = {Universität der Bundeswehr München}, }