This game is the direct result of a process of investigation leading to new insights, effectively shared. It is therefore firmly a research output in terms of both methodology and purpose. An extended abstract justifying this follows.

Game description
Protection is a small, provoking game (SPG) for software developers and amateur coders aimed at challenging commonly-held false preconceptions about cybersecurity. The game was designed and developed by an interdisciplinary research team on the SECRIOUS project to fit into the overarching topic of Code Security and the theme of Coder Practices. The game designers converted basic cybersecurity concepts, principles and practices into game objects, rules, and player actions respectively, and the gameplay situates the player in this challenging environment with minimal guidance. By exploring and experimenting, players are expected to piece together their personal interpretation of what ‘protection’ is and how to achieve it. The game has a post-play activity where players are prompted to actively compare their in-game mental model with their real-life coding practices and to reflect on any consequent shifts in their perspective. The game has a light-hearted tone with unconventional iconography to convey cybersecurity issues in a more accessible manner.

Gameplay
Protection is a short, 2d, side-scrolling, single-player game with elements from action (move/avoid/collect), strategy (manage/select) and puzzle (choose/combine) genres. The game features a main character that navigates a landscape of risk, constantly trying to survive against various threats by using a diverse range of defence systems. The game design, though, removes common gaming tropes associated with these genres (e.g. score, time pressure, boosters, lifecount) in order to support the free experimentation attitude that the designers considered as conducive to critical thinking. Productive failure is a core concept and the player is expected to ‘die’ at least once as part of exploratory gameplay. Reducing the demand for gameplay skills (e.g. high reaction speed, complex input controls, sensory overload, etc.) served to make the game more accessible and to provide players with cognitive space to focus and critically explore the underlying rule system instead.

The player needs to observe and analyse the feedback loops to reverse engineer the game’s rules and create appropriate defence responses. Feedback is frequently counterintuitive or surprising, subverting players’ expectations. The three main in-game actions are moving, collecting, and installing (or uninstalling) defence systems.

Premise
The game’s premise is a fictional universe where entities are composed of biological, electronic and mechanical components with the intention to be ambiguous as to their nature. No other information is explicitly presented to the player, allowing them to make their own interpretations. The main character could be a robot, an alien, a computer system, a human coder, or anything that matches the metaphor, showcasing the universal nature of the concept of security.

Story
The story takes the protagonist on a journey of natural evolution and intentional change e.g. becoming aware of their existence, movement, and developing a metabolic cycle (input/output), then ensuring survival by installing combinations of defence systems. The character has no explicit purpose, other than surviving in its harsh, native environment. The story concludes with the protagonist symbolically mastering these conditions and breaking the boundaries of their environment to access new dimensions (flying away).

Learning outcomes
Protection was designed to have highly constructivist learning outcomes by deliberately provoking the player to try to figure out the metaphors inherent in design and gameplay to construct their own understandings. A key outcome was to provoke inquiry-based reflection on players’ own coding practice and (hopefully) transformative attitude change towards cybersecurity into the future.

This game drew on observations from the wider research project in which it was created. Previous results note that:
cybersecurity is seen by coders as an obscure domain, exclusive to dedicated experts (whereas it should be viewed as an essential aspect of any application.)
even when possessing technical skills at implementing cybersecurity measures, coders face difficulties with risk assessment and defensive planning.
cybersecurity needs constant adapting strategies and/or updating of knowledge to be effective.

Key learning outcomes for Protection are:
Absolute security is not possible. At the very least, the inability to be aware of all threats in an environment is in itself a source of risk.
The assessment of risk for the same threat (and, therefore, the sense of security) fluctuates over time and is influenced by a multitude of factors, such as contextual threats, environmental conditions, system state, etc.
Security comes with a trade-off on usability: balance is necessary to ensure functionality, since overloading a system with security systems can become a liability.
There can be various defence strategies towards the same threat. Defence strategies may have varying degrees of efficiency and side-effects, and different degrees of compatibility with each other.
As a result of all of the above, the appropriate defence plan is contextual and subject to change at any point, therefore one must remain constantly aware.

The game aims to achieve these outcomes by exposing players to metaphors of the following, and encouraging active interpretation:
different threat types: weathering conditions, harmful objects and malicious agents
different risk types: e.g. data corruption, data/resource theft, functionality impairment, loss of control
different attack methods: e.g. DDoS, viruses, worms, malware, control/process hi-jacking
a variety of cybersecurity defence strategies: prevention, detection, in-place defence, live defence, contingency/resilience.

Research insights
Unlike other educational games on cybersecurity for coders, our game aims not to inform its players about cybersecurity algorithms or train them in their technical implementations. The game relies on a pre-existing familiarity with the above (even if only at novice level), so that the players may identify the real life counterparts of the various game entities based on their behaviour in the game. Instead, the game serves as a medium to abstract those concepts, model their relationships in a transparent manner and to relate to them in an experiential way. Furthermore, the game does not dictate its teaching content, but allows players to explore and take away their own messages based on their background and experience. It is not a game to ‘educate’ but rather to encourage critical reflection and, ideally, attitude and/or behavioural change in coding practices.

In terms of gameplay, this game differentiates from conventional approaches within its genre as it does not include instructional elements (e.g. tutorial or providing explicit goals), competitive elements (e.g. score/leaderboard), or motivational rewards. The challenge of the game is to reverse-engineer its rules and achieve a series of moments of realisation, rather than developing a competence in mastering them. Failure, frustration, and surprise are all used to encourage players to construct their own meanings from the game. It is also deliberately short (c. 15-20 minutes’ play) as this was felt to be long enough to achieve the hoped-for reflection without risking losing player engagement.

Finally, our approach innovates in the fact that the game is linked with unique post-play activities, which helps carry and translate the in-game messages to real-world coding practices. As well as functioning as a standalone game, Protection was specifically designed to enmesh with a game jam on Code Security and was used to provoke critical discussion between jammers as they compared their different interpretations and to offer a platform for cybersecurity experts to impart knowledge. Its purpose in this context was to contribute to the process of serious game design of new games arising out of the game jam. As such this small provoking game plays a part in wider methodological development for the co-design of serious games.