Enhancing Cybersecurity Education Through Multi-Opposing-Role Gameplay and Simulations

Abstract

This paper presents the development, implementation, and evaluation of The XSS Game (TXG), a game-based educational tool designed to teach Cross-Site Scripting (XSS) attacks through a multi-opposing-role-playing game. Inspired by cognitive concepts like Transfer Learning, previous cybersecurity educational games have incorporated techniques such as adversarial thinking and role-switching. In many such games, the playable roles are often limited to attacker and defender. Building upon these, TXG was developed with an approach where players can take on three distinct roles: Attacker, Defender, as well as User, each providing players with a different perspective on XSS attacks. This approach aims to deepen students’ understanding of XSS attacks by allowing them to experience multiple perspectives, enhancing their ability to identify, prevent, and respond to such threats. In addition, simulations are often used in cybersecurity educational games to provide learners with practical, hands-on experiences that are crucial for understanding complex cybersecurity concepts. While the main gameplay in TXG centres on role-based narratives drawn from real-life cybersecurity scenarios, requiring players to answer questions based on those narratives, the game also includes a Simulation Zone. This zone offers an immersive environment where players can perform various actions and observe their outcomes, enhancing experiential learning. Even though quiz-based and simulation-based cybersecurity educational games exist separately, the combination of the two has not been widely studied. By integrating both narrative-driven quizzes and interactive simulations, TXG aims to enhance students' learning by reinforcing theoretical knowledge with practical, hands-on experience, leading to a deeper and more applied understanding of XSS concepts. TXG was evaluated within a computer science course with 162 students through pre- and post-game surveys. Student feedback indicated that the multi-opposing-roleplaying with real-life scenarios approach had a modest but meaningful and practical impact on their learning to understand XSS attacks holistically. The Simulator Zone showed promise as an immersive and reinforcing learning tool, but low engagement limited its impact, and future improvements, such as more varied tasks, additional game elements, enhanced interactivity, and better UI/UX, are planned to boost engagement and better assess its educational value. Several players highlighted the game’s effective learning format, which combines immediate in-game feedback with reflective pre- and post-game surveys, which holds promise for broader applications in cybersecurity education and beyond.