Introduction

Cybersecure is a serious game that has the purpose to raise awareness about how to make better decisions on IT environments, reducing the chances of hacking or leaking of confidential information. The story is told in a Medical Office, and the player needs to make meaningful choices to let the office grow prosper and bigger. All of the decisions are related to digital information safety, which is a specially important thing to care about in a Medical Office.

Below is a detailed analysis of this game roughly following Brian Winn's¹ Design/Play/Experience framework, including:

• Learning
• Storytelling
• Gameplay
• User Experience
• Technology
• Assessment
• Conclusion

Learning

The game's purpose is stated right before the game menu is shown. It says that its purpose is to "raise awareness and increase understanding of common privacy and security issues related to health information technology." The game basically means that it is giving some general cyber security safety tips for workers in health departments about keeping private patient information secure and untampered with.

Here is a list of some specific information that the player would learn through playing the game:

• - Don't send sensitive information to person email accounts. Always send sensitive information over a secure network to a work email account or through a faxing machine.
• - Never give others your password or log in for somebody else using your password. Non-workers should not be allowed to plug any peripheral device into the work computers. The device might contain a virus.
• - If old computers are going to be thrown out make sure to remove their hard drives and either destroy or wipe them permanently.

In a broader sense the game teaches the player to follow safe cyber security advice to minimize the potential of cyber threats to the workplace.

Storytelling

This game is about taking care of a Medical Office's sensitive information. The game uses the metaphor of an office that holds confidential information, so that the player needs to make efforts towards keeping it safe. The main character is a IT technician that needs to give advice to everyone in the office about their decisions involving IT.

A good example of the meaningful decisions the player needs to take is one of the first level's issues, when the doctor asks about sending an email with sensitive information that will be opened by his friend in a public computer in a hotel's lobby. Multiple options of answers are given to the player, from which only one is correct. The correct choice is to advise the doctor to tell his friend not to use logins or passwords of accounts that hold confidential information in public computers, and that finding a personal way of communicating would be better.

Gameplay

The choices in the game are very simple. The game plays out like a multiple choice test with a small storyline connecting between the success and failure of the player. The game is broken down into three levels, spanning over sixteen weeks. Each week the player is confronted with a issue in the office (e.g. forgotten password, sending information through personal emails, unencrypted devices, ect.). After the issue is presented the player has an option of a few choices on how to address the situation (e.g. having IT reset a persons password, sending information only through encrypted devices, having IT encrypt worker's devices, ect.). If the player chooses the right answer they gain ten points and the office is improved in some way (e.g. new children's toys, more offices, bigger parking lot, ect.). If they choose the wrong answer their "cyber security" shield gets a crack in it. If the player chooses enough wrong answers the game will end early and as the player to restart the game.

User Experience

The game's main screen shows a top-down view of the office. Some buttons around the rooms can be clicked to access dialogues about what's going on in the office (the dialogue balloon button), and also to get the opportunity to make a IT decision (the +10 button). By scoring, the user can go to the next levels and expand the office. By answering the questions wrong, the player not only doesn't expand the office, but also breaks the office's cybersecurity (represented by the shield on the top-left corner of the screen). All the buttons need to be pressed, and all the dialogues in a level need to be seen before going to the next level (if the correct choices are made).

Dialogues are shown on different rooms, with 3D models of the characters that work in the office. All the dialogues are dubbed, which makes the experience a lot better for the player, since this game is basically a continuous quiz. While this game's User Interface might not be the most polished, making the screen seem messy at times, the interaction is still very intuitive. The player has a good sense of where to click to do what. That interface helps in making the goal of the game very clear to the user. The visuals also help the learning process, by making the continuous reading less painful and boring.

Technology

This is an in-browser game. Since it was developed using Adobe Flash, it's playable in any device that supports that runtime environment. That probably means the developers had Desktop and Laptop computers in mind while making those decisions. Those choices seem to have been very good choices, since Cybersecurity matters the most for professional shared devices, like Desktop Computers and Laptops that are commonly used in offices. That said, it's a good thing that the game can be played in the same devices main that are targeted and portrayed in the learning purpose of the game itself.

Assessment

Another way to assess the game is to try to see how people behaved before and after the game. A survey could be given out on what kind of cyber security rules the players followed before the game. A few weeks or months after the game another survey could be given to the players asking if they followed any additional cyber security rules. If the players were practicing more cyber security rules after the game than before it, then the game might be correlated in some way to their change in behavior.

Conclusion

The main goal of a serious game is to teach. The game definitely presents the correct information to the player, but it is unclear how much of the information the player is absorbing through the game. A formal assessment of the game would have to be preformed to full understand what kind of impact the game has on the player if any.

References

1. Winn, Brian. The Design, Play and Experience Framework. In R. Ferdig (Ed.), Handbook of Research on Effective Electronic Gaming in Education. Hershey, PA: IGI Global, 2009, pp. 388-401.
2. "HealthIT.gov." Health IT Security Training Games. Office of the National Coordinator for Health Information Technology, 24 Oct. 2013. Web. 12 Feb. 2015. .
3. Cybersecure: Your Medical Practice. HealthIT. Office of the National Coordinator for Health Information Technology, n.d. Web. 12 Feb. 2015. .

Cybersecure: Your Medical Practice

Serious Game Analysis for IMGD 4600

By Jezz Lucena & Yahel Nachum

Developer:	N/A
Publisher:	Office of the National Coordinator for Health Information Technology's (ONC) Office of the Chief Privacy Officer (OCPO)
Released:	Around October

N/A

Play the Game