2021 IEEE International Conference on Cyber Security and Resilience (CSR) Workshops

The THREAT-ARREST Cyber Range Platform

George Hatzivasilis1, Sotiris Ioannidis1, Michail Smyrlis2, George Spanoudakis2, Fulvio Frati3, Chiara Braghin3, Ernesto
Damiani3, Hristo Koshutanski4, George Tsakirakis5, Torsten Hildebrandt6, Ludger Goeke7, Sebastian Pape7, Oleg Blinder8,
2021 IEEE International Conference on Cyber Security and Resilience (CSR) | 978-1-6654-0285-9/21/$31.00 ©2021 IEEE | DOI: 10.1109/CSR51186.2021.9527963

Michael Vinov8, George Leftheriotis9, Martin Kunc10, Fotis Oikonomou11, Giovanni Magilo12, Vito Petrarolo12, Antonio Chieti12,
Robert Bordianu13
1
FORTH-ICS, Greece, 2Sphynx Technology Solutions AG, Switzerland, 3University of Milan, Italy, 4Atos Spain SA, Spain,
5
ITML, Greece, 6SimPlan, Germany, 7Social Engineering Academy GmbH, Germany, 8IBM Israel, Israel, 9TUV Hellas, Greece,
10
Czech National CSIRT, Czech Republic, 11DANAOS Shipping Company, Cyprus, 12ARESS, Italy, 13Lightsource BP, Ireland

Abstract—Emerging technologies are facilitating our daily
activities and drive the digital transformation. The Internet of
Things (IoT) and 5G communications will provide a wide range of
new applications and business opportunities, but with a wide and
quite complex attack surface. Several users are not aware of the
underlying threats and most of them do not possess the knowledge
to set and operate the various digital assets securely. Therefore,
cyber security training is becoming mandatory both for simple
users and security experts. Cyber ranges constitute an advance
training technique where trainees gain hands-on experiences on a
safe virtual environment, which can be a realistic digital twin of
an actual system. This paper presents the cyber ranges platform
THREAT-ARREST. Its design is fully model-driven and offers all
modern training features (i.e. emulation, simulation, serious
games, and fabricated data). The platform has been evaluated
under the smart energy, intelligent transportation, and healthcare
domains.
Keywords—security training, cyber range, security assurance,
learning path, security assessment, smart energy, smart shipping,
healthcare
I. INTRODUCTION
The evolution of the Information and Communications
Technology (ICT) has created a new technological landscape
[1]-[2], exploiting among others high-performance computing,
5G communications, advance machine learning (ML) and
artificial intelligence (AI), augmented and virtual realities (AR
and VR), Big Data analytics, social networking, mobility, and
the Internet of Things (IoT).
The increased systems’ interactions and complexity leave
fruitful space for the currently known security vulnerabilities to
survive and expand, as well as for new threats to emerge [3]. The
market demand for skillful professionals is expected to grow
drastically, and security awareness and training programmes are
going to become a necessity, both for individuals and
organizations.
Cyber ranges (CRs) form a special method of cyber security
training and is considered as a promising solution for the
educational needs of this digital era [4]-[5]. Apart from the
traditional in-class or on-line educational means (e.g. lectures,
tutorials, reading material, etc.), with CRs the learner has the
opportunity to gain hands-on experience on setting, defending,
or even attacking a system by practicing on a legal, safe, and
virtual environment. The trainer creates a virtual lab which may
resemble an actually operational system or subsystem. There,
the trainee can learn how to administrate mainstream and/or
advanced security mechanisms, try different configurations and
settings, and assess the overall results under realistic attack
scenarios. The virtual environment is instantiated or destroyed
on demand for each trainee, and the process can be repeated
again and again. Nevertheless, the design and development of
even a mainstream programme requires significant expertise,
time, and effort by the trainer.
Thereafter, the trainee can follow the defined learning path
to obtain knowledge and acquire new skills, complete a full
programme, and earn a relevant certification [6]. However, the
fact that someone fulfils the training and learning requirements
does not mean that he/she will also adopt automatically his/her
behavior in the digital world accordingly. On the contrary,
several research activities have revealed that only a small
percentage of the learnt concepts (around 10%-40%) is
automatically embraced by individuals. This is an important
problem for organizations, especially those ones that operate
critical infrastructures, as non-compliance of their personnel to
the defined security policies is deriving the deployed protection
mechanisms inadequate and the underlying systems vulnerable
to attacks. Thus, the real efficacy of training itself, even with
advanced CRs, is still a perspective that needs to be significantly
improved.
This paper presents the EU-funded CR, called THREAT-
ARREST (www.threat-arrest.eu). The platform marshals
modern training methods (i.e. emulation, simulation, serious
gaming, and fabrication of realistic synthetic data) to enhance
the learning experience for trainees. The overall process is
fortified with pedagogical methodologies (i.e. Bloom’s revisited
taxonomy and Kolb’s experience gaining life-cycle) to define
the learning path and ensure the learning outcomes. Moreover,
the educational scope can be designed in such a way that it will
cover the requirements and demands for professional
certification schemes from organizations like ISACA and ISC2.
This option will further increase the acceptability of a specific
CR platform in the market.

978-1-6654-0285-9/21/$31.00 ©2021 IEEE

422
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on February 07,2025 at 04:04:13 UTC from IEEE Xplore. Restrictions apply.
 The paper is structured as follows. Section II positions the
THREAT-ARREST CR with respect to the related work.
Section III presents the main CR capabilities and the tools
implementing those capabilities, while Section IV draws
conclusions and future work.
II. RELATED WORKS
A. Cyber Range Platforms
Overviews of cyber security training in critical
infrastructures (e.g. nuclear energy, conventional energy,
healthcare, transportation, and aviation sectors), are documented
in [6]-[7]. Today, the demand for security experts is
continuously increasing [7]. CRs constitute a promising solution
of advanced training, which could fill the gap by enhancing
educational material with hands-on experiences.
The majority of the CR platforms are developing automated
mechanisms to ease the implementation of training scenarios,
virtual labs, and the trainees’ evaluation [6]-[9].
Online platforms, like, edX, Coursera, and Udacity, provide
general-purpose training and offer main cyber security courses
[6]. Specialized platforms, such as SANS [10], Cybrary [11],
StationX [12], CyberInternAcademy [13], and AwareGO [14]
focus on individual learners whose target is to sharpen existing
or develop new skills. Nonetheless, such solutions fail when it
comes to hands-on experiences on actual systems or CRs.
BeOne Development has developed its own platform for
security awareness training [15]. This solution involves
awareness videos, e-learning modules, and simulation modules.
Thereupon, the BePhished simulator is used especially for
training on phishing attacks. To ease the creation of training
exercises, BeOne implements the Security Awareness Library
that includes 28 learning contents. Cultural differences and
multinational working environments are considered, as
education is more effective if the learnt examples are correlated
with the trainees’ daily activities. This platform provides generic
and pre-packaged programmes, organization-specific look and
feel, or customized programmes which are designed in close
collaboration with a client’s experts. The BeOne solution offers
generic teaching procedures for the core training and the
advanced simulation-centric training focuses on phishing
assaults.
ISACA implemented the CyberSecurity Nexus (CSX)
platform [16]. It offers lectures and hands-on lab exercises on
real systems. The learner gains experience by practicing main
concepts and industry-leading methodologies. Capture-the-flag
(CTF) exercises are also provided, improving the learners’
technical capabilities. Trainees are evaluated and the target is to
gain related professional certifications. Thereafter, the chief
information security officer (CISO) for an organization can hire
personnel with the required skills.
Kaspersky provides enhanced computer-based training
programmes for all organizational layers [17]. Apart from online
training, the tool offers benchmarking against industry/world
averages, as well as realistic gamification and simulation. It
implements an internal learning and educational schedule with
constant reinforcement, provided automatically via a mixture of
training formats, involving learning modules, tests, email
This work has received funding from the European Union Horizon’s
2020 research and innovation programme under the grant agreements No.
786890 (THREAT-ARREST) and No. 830927 (CONCORDIA).
423
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on February 07,2025 at 04:04:13 UTC from IEEE Xplore. Restrictions apply.
reinforcement, and/or simulated phishing campaigns. The
platform monitors the learners’ progress through a user-friendly
dashboard, providing also forecasts, trends, and live data
tracking.
CyberBit’s platform offers realistic simulation of cyber-
attacks in a mirror system of a real network with a security
operations center (SOC) [18]. This CR is composed of a virtual
network (digital twin of a real setting), the traffic generator
(benign data), the attack engine (malicious traffic), and the
virtual SOC (learners’ point of view). The target is to simulate
hyper-realistic CRs. This solution offers various training
scenarios, like penetration testing and incident response. The
educators set up the training sessions that include session
monitoring, trainee assessment, debriefing, and scenario
administration. Scenario customizations are also supported
through a graphical interface.
The THREAT-ARREST solution supports training on
known as well as new advanced cyber attack scenarios, taking
different type of actions, such as preparedness, detection and
analysis, incident response, and post incident response.
THREAT-ARREST offers monitoring, assessment, and security
testing for various layers in the implementation stack, like:
• Network layer modules (such as honey pots/honeynet,
firewalls, intrusion detection systems, etc.),
• Infrastructure layer (e.g. passive and active penetration
testing, security monitors, etc.),
• Application layer (like code analysis, security monitors,
and penetration testing).
The overall process starts by assessing the organization’s
security posture. The Assurance Tool estimates the current level
of security and reports the most critical security issues, based on
which the training process is designed. Thereafter, hybrid
training programmes are developed, customized to the
organization’s demands and the underlying trainee groups. This
involves the educational material along with serious games and
the emulation/simulation of the CR system. THREAT-ARREST
also supports continuous evaluation of: (a) the individual
trainees’ performance in specific courses; and (b) the efficacy of
complete programmes across trainees’ groups and the
organization as a whole. Those assessments are utilized for the
customization of programmes to the skills of individual trainees
or adjustment at a more macroscopic perspective.
Table 1 documents a qualitative comparison for the above
mentioned CR platforms. THREAT-ARREST incorporates all
modern training features of serious gaming, simulation, and
emulation in a unified manner, and provides continuous security
assessment and training adaptation based on the trainee’s
capabilities.
 TABLE I. CYBER-SECURITY TRAINING PLATFORMS: A) THREAT-
ARREST, B) BEONE, C) KASPERSKY, D) ISACA CSX, E) CYBERBIT, F)
ONLINE TRAINING PLATFORMS. THE FOLLOWING NOTATIONS ARE UTILIZED
FOR (Y)ES, (N)O, AND (P)ARIAL.
Feature A B C D
Automatic security vulnerability analysis of a Y N N N
pilot system
Multi-layer modelling Y P Y Y
Continuous security assurance Y N N Y
Serious gaming Y N Y Y
Realistic simulation of cyber systems Y P Y Y
Combination of emulated and real equipment Y N P Y
Programme runtime evaluation Y N N Y
Programme runtime adaptation Y N Y Y
B. Adopting Training in the Workplace
Even though there is an increasing need for modern security
training and advance CR platforms (e.g. with serious games,
simulation, emulation, etc.), the transfer of the learned
capabilities from the trainees to their workplace and the
adaptation of the organizational operations have been totally
neglected in almost all cases (e.g. ([7], [8], [9]). Noncompliance
of users with the security policies that the organization has
defined is of main concern ([20], [8], [19]). If the personnel do
not totally follow such policies, the effectiveness of the deployed
defenses is lost. From the different compliance methods,
effectual training is the most widely used one.
Nonetheless, only a few studies are assessing the effects of
professional training to organizations and promote compliance
policies in the workplace ([20], [8]). Also, only in rare cases
theory is used to evaluate the aspects that affect trainees’
compliance with security policies or even present empirical
evidence from actual training. Ordinarily, it is believed that
training programmes have to utilize procedures and material
which can actively engage learners and motivate them to
systematic cognitive processing of the underlying contents ([7],
[6]). Apart from novel technical features (such as serious
gaming and simulation), the continual communication between
the instructor with the trainees is vital for the enhancement of
the individuals security compliance ([7], [20], [6]).
Researchers usually integrate pedagogical principles as the
main approach to advance learners’ compliance ([8], [19], [6]).
In 1998, Baldwin and Ford [21] defined the transfer of learning
to the workplace as “the degree to which trainees effectively
apply the knowledge, skills, and attitudes gained in the training
context to the job”.
However, it is recorded that approximately only 10%-40%
of all training experiences would be transferred to the working
environment ([22], [7], [8]). Furthermore, as time passes from
the programme’s completion, trainees tend to become less
motivated in retaining the obtained operational behaviors (i.e.
after twelve months). Therefore, for the currently supported
technical solutions and methodologies, only a small percent of
the learnt outcomes would be permanently transferred to the
workplace. Thus, improving learning transfer constitutes the
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on February 07,2025 at 04:04:13 UTC from IEEE Xplore. Restrictions apply.
main concern of novel cyber security training platforms. This is
also one of the main THREAT-ARREST goals including the
developed continuous adaptation and assurance mechanisms,
which are presented in the following section.
E F III. THE THREAT-ARREST PLATFORM
A high-level view of the THREAT-ARREST platform is
N N depicted in Fig. 1. The main components are presented in the
subsections below.
Y P
Y N
N P
Y N
N N
Y Y
N P
Fig. 1. The THREAT-ARREST platform
A. The Assurance Tool
The Assurance Tool provides continuous evaluation of the
operational system’s security posture via the integration of
dynamic testing and runtime monitoring [4]. The tool also
gathers system events at runtime and produces notifications
which identifies the basis for designing realistic virtual labs
(with emulated/simulated components and serious games).
The Assurance Tool performs a continuous runtime
evaluation of system aspects that are significant for the
definition of a Cyber Threat and Training Preparation (CTTP)
programme. These features are determined in the CTTP model
(security assurance sub-model). For example, the CTTP model
determines the system components which should be monitored,
the relevant events that are of importance (like user actions,
external service calls, operating system calls, etc.), and the
conditions which they have to satisfy. Moreover, it deploys
dynamic system tests which are performed at runtime and are
incorporated with monitoring to implement hybrid security
evaluations [23], [24]. The gathered monitoring information and
testing results are the operational system evidence. This data is
parsed to simulation components and enables statistical
profiling, as well as the production of realistic simulations.
B. Hybrid Training
The CTTP models can define virtual labs with hybrid
training scenarios by combining emulated and simulated
components. In this case, some of the system components are
emulated (implementation of the full component functionality,
i.e. a VM) while the rest ones are simulated (only deployment of
the main part of the component’s functionality/interactions, e.g.
a simple programme that outputs a temperature value,
representing a sensor of a smart home). Hybrid training becomes
quite useful when the emulation of the entire system is not
feasible or required, and obtaining hands-on experiences is
requested for specific system components. With hybrid
424
 scenarios, learners are expected to monitor, test, and act on
emulated components, while observing the effects to the
remaining cyber system and their propagation through
simulation. In some occasions, simulation may be also preferred
to retain the CR resources, as in practice it will be less
demanding than emulation. The CR platform could also
terminate specific emulated components at some time-point and
continue with their simulated versions (e.g. in case that they
would not be needed for a certain training phase), or decide to
emulate components that were simulated in a previous training
stage. Totally, the training scenarios that can be deployed by
THREAT-ARREST vary based on:
• The system coverage level: With respect to this factor,
scenarios can be distinguished into those engaging
attacks that focus on: (i) single system components, (ii)
clusters (e.g. subsets of interconnected) of system
components, or (iii) all system components.
• The attacks type: With respect to this factor, scenarios
are distinguished into those performing: (i) historic
attacks, or (ii) live attacks that are executed as the
simulated/emulated scenario is propagated by the CR
platform.
• The required response type: With respect to this factor,
scenarios are differentiated based on the required
response to a security incident. Different responses are
determined according to the different training stages.
Such responses include [25]: (i) preparation/preventive
actions, (ii) analysis and detection, (iii) containment,
eradication, and recovery activities, and/or (iv) post-
incident actions.
• The trainee’s profile: With respect to this factor,
scenarios are differentiated based on the cognitive
trainee’s profile, as disclosed by introductory security
games and the trainee’s performance on the training
scenarios where he/she has been exposed so far.
The permitted variability forms based on the criteria above,
are determined as part of scenarios constructing the CTTP
programme. Via an Editor, the Training Tool supports the
definition of CTTP models and programmes, the assignment of
learning exercises/materials for CTTP programmes, allow
trainees’ responses to deployed threats, communication with the
emulated/simulated components, assessment of the trainees’
performance, as well as evaluation and adaptation of a CTTP
programme as a whole.
Except from the CTTP models and programme definitions,
the Training Tool supports a high interactivity level of the
trainee with a training scenario, allowing him/her to respond
and/or send appropriate commands to emulated/simulated
components. Moreover, it continuously collects information
concerning the emulation and simulation status, assesses in real
time the scenario progress based on trainee’s responses and their
effects on components, and calculates the overall trainee’s
performance. The tool also validates the assumptions defined in
the assurance model based on the trainee’s responses to the
instantiated scenario and produces notifications when such
assumptions get violated. The Training Tool evaluates the
trainee’s performance and assesses and adapts the whole CTTP
425
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on February 07,2025 at 04:04:13 UTC from IEEE Xplore. Restrictions apply.
programmes. Finally, this tool interacts with the Visualization
Tool for the effective training delivery.
C. Serious Games
Except from emulation, simulation, and hybrid-based
training, a CTTP model can also configure serious games for
different training modalities. Such training aims to advance
skills to defend against attacks targeting users by exploiting
human weaknesses (e.g. social engineering). By adjusting the
games to the users’ skills serious games can gradually advance
the users’ ability to defend against attacks. On the one hand this
can be done by training the user to react in a certain way, i.e.
following the assumptions from the assurance submodel as also
specified within the security policies (PROTECT [26]). For
example, if the targeted system applies a two-factor user
authentication mechanism, requiring security tokens and
passwords, it is considered that users would alter their
passwords in a frequent basis and refrain from sharing the
tokens. A relevant scenario in the serious game would cover this
topic and aim to train the user to act according to the
assumptions. For instance, trainees can be asked to share their
security tokens to favor another person who gained their trust in
the game (simulating a phishing attempt), but would be
rewarded for the strategy of not sharing their token. On the other
hand, users can learn about recent attacks in a quiz game which
is provided with questions on recent social engineering attacks
(CyberSecurity Awareness Quiz [27]), allowing the users to
keep their knowledge about attacks up to date.
Games are also utilized for the initial profiling of trainees in
order to disclose the trainee’s cyber security skills and determine
the appropriate form of training (and its difficulty) which could
be sufficient for them. For example, an introductory game could
be utilized for the evaluation of the trainee’s familiarity with
access controls, and based on it, drive any follow up training
towards, for instance, emulation for a more hands-on exposure
to access control aspects.
The Gamification Tool hosts various serious games (i.e.
PROTECT [26] and the CyberSecurity Awareness Quiz [27]),
scenarios, and training evaluation mechanisms, which allow a
trainee to develop skills in preventing and being resilient to
social engineering assaults (e.g. phishing campaigns,
impersonation attempts). These games are driven by the
assumptions and threats from the related security assurance
CTTP models.
Finally, this tool can facilitate post training evaluations of
trainees’ awareness (in terms of knowledge and attitudes) for the
trained attack types.
D. Emulation
Based on the CTTP model, the Emulation Tool can emulate
software and hardware components, defined as Software
Architecture Layer (SAL) and Physical Architecture Layer
(PAL) elements [5]. The tool creates live instances of SAL and
PAL components like VMs, performing the available
operations/services for them, and enabling data and stimuli
flows utilizing the deployment and network links connecting
them in the SAL, PAL, and deployment sub-models. Emulation
is utilized when the behavior of specific SAL/PAL components
cannot be sufficiently described in detail to permit the
 simulation of its behavior, or when trainee’s hands-on
experience in controlling and observing these components is
necessary.
With emulations, there are also emulated clients of the cyber
system requesting services from it, and trainees have to interact
with the emulated components (e.g. login a VM) and execute
specified actions to defend the related components, and via
them, wider parts of or even the entire emulated setting. For
instance, after accessing a VM, trainees can make use of
monitoring and testing tools to identify attacks, examine them,
and respond to them in real time (e.g. strengthening access
restrictions, deactivating some functionality, etc.). Learners can
also be assigned to groups with accountability of defending
certain system components or even act as attackers to insight on
how an attack can be performed.
E. Simulation
The CTTP model can deploy the simulation of attacks on
some system components or the propagation of the side-effects
on other parts of this system [5]. For example, the provided
CTTP model information can drive the simulation of distributed
denial of service (DDoS) attack propagation, targeting a smart
home gateway, as well as the effects on the simulated SAL and
PAL components. The propagation of those side-effects is
controlled by simulating the response operations determined for
SAL and PAL elements and enabling data and other stimuli (e.g.
calls) flow across components via the links of the SAL and PAL
sub-models. The attacks’ side-effects might be also propagated
from the PAL to the SAL level (and vice versa) based on
component links determined in the deployment model of the
CTTP model. Simulations can vary based on the difficulty level
which they present to the trainee. This level is controlled by
limiting the degree of information which is available for an
attack, the time when such information becomes available
following the attack, and the consistency of data generated by
the different security mechanisms of the system and the external
utilized assessment tools.
To enable realistic simulations, the THREAT-ARREST
framework is continuously monitoring the real operational
system and logs any significant events related to it. The events
to audit and their analysis type is determined by the assessment
measures of the assurance submodel. Then, the captured
assurance relevant events are statistically profiled. Statistical
profiling covers event metadata (such as the timing of their
happening or other features like their sender and receiver) and –
where allowable by the applicable security policies – the actual
event payload (like data passed among the components,
parameter values for component operation calls, size of files
written or read, etc.).
F. Visualization
The Visualization Tool enables the graphical representation
of emulations and simulations, the effect of training actions on
emulated/simulated components, and the state of the relevant
components.
Utilizing the visualization framework, the THREAT-
ARREST platform’s operator can choose the desired training
scenarios and configure their parameters. Furthermore, the
platform can parse and visualize the CTTP model and the
426
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on February 07,2025 at 04:04:13 UTC from IEEE Xplore. Restrictions apply.
submodels described in the sections above, and present the
relevant graphs to the users. The operator can use those graphs
to pick the system parts that will be emulated or simulated. The
Visualization Tool is also responsible for the representation of
the status of the emulated/simulated components and the effects
of the training actions.
G. Data Fabrication
The Data Fabrication Platform (DFP) [28] is a web-based
platform for generating high-quality structured data for testing,
development, and training. The methodology used is termed
“model-based rule-guided fabrication”. DFP consumes data
declaration directives (data model or metadata) along with user-
defined rules as input, creates a Constraint Satisfaction Problem
(CSP), and solves the problem using a proprietary CSP Solver,
which has been used for verifying IBM hardware systems for
over a decade.
Two types of synthetic data have been used for the THREAT-
ARREST objectives:
(i) Static general-purpose synthetic data, such as health
records, for the needs of setting/performing a given
training scenario;
(ii) Static or dynamic (interactive) security (event) logs for
cybersecurity training in the context of a training
scenario, such as security logs regarding malicious
(anomalous) accesses to a server hosting a database of
health records.
In the first case (i), data is modelled in advance via the DFP
web-based user interface and fabricated off-line, before a
training session starts. Fabricated data is populated in predefined
databases and/or predefined file locations to be deployed and
consumed in a virtual lab environment.
In the second case (ii), a dedicated data fabrication
functionality has been exposed through REST API so that other
platform components can dynamically request data fabrication.
For instance, during scenario initialisation the Training Tool
initialises a data fabrication process while upon successful
confirmation of log fabrication finalisation, the Emulation Tool
fetches the fabricated logs and deploys those in the
corresponding VMs of the Virtual Lab environment.
IV. CONCLUSIONS
This paper described the THREAT-ARREST approach – a
cyber ranges platform for advanced cyber security training for
medium to large organizations. Initially, the organization’s real
system is analyzed, disclosing the most severe vulnerabilities
and threats. Thereupon, a training programme is developed
which adheres to the organization’s specific requirements. The
various elements are defined as CTTP models and the overall
learning processes are assessed and adapted at runtime. Apart
from the typical on-line educational content (e.g. lectures,
videos, tutorials, etc.), the advanced hybrid training incorporates
serious games and emulated/simulated virtual labs. The overall
solution can cover the training against known and new attacks,
and prepares trainees to detect, respond, and mitigate them under
realistic conditions.
 Future work includes extending end user validation of [11] Cybrary: Develop security skills. https://www.cybrary.it/ .
platform capabilities with organizations of different domains [12] StationX: Online cyber security & hacking courses.
(energy, healthcare, smart shipping), extending platform https://www.stationx.net/ .
integration and federation with other Cyber Ranges both on a [13] CYBERINTERNACADEMY: Complete cybersecurity course review on
CYBERINERNACADEMY.
technical level scenario interoperation and on a conceptual https://www.cyberinternacademy.com/complete-cybersecurity-course-
(capability, taxonomy) level to further expand and align with guide-review/ .
end user needs of training. [14] AwareGO: Security awareness training. https://www.awarego.com/ .
[15] BeOne Development: Security Awareness Training.
ACKNOWLEDGMENT https://www.beonedevelopment.com/en/security-awareness/ .
This work has received funding from the European Union [16] ISACA: CyberSecurity Nexus (CSX) training platform.
Horizon’s 2020 research and innovation programme under the https://cybersecurity.isaca.org/csx-certifications/csx-training-platform .
grant agreements No. 786890 (THREAT-ARREST) and No. [17] Kaspersky: Kaspersky security awareness.
830927 (CONCORDIA). https://www.kaspersky.com/enterprise-security/security-awareness .
[18] CyberBit: Cyber Security Training Platform.
REFERENCES https://www.cyberbit.com/blog/security-training/cyber-security-training-
platform/ .
[1] Hatzivasilis, G., et al.: SPD-Safe: Secure administration of railway
intelligent transportation systems. Electronics – Special Issue on [19] Puhakainen, P., Siponen, M.: Improving employees’ compliance through
Advances in Public Transport Platform for the Development of information systems security training: an action research study. MIS
Sustainability Cities, MDPI Open Access Journal, January 2021, vol. 10, Quarterly 2010, 34, 757–778.
issue 1, article 92, pp. 1-26. [20] Abraham, S., Chengalur-Smith, I.: Evaluating the effectiveness of learner
[2] Hatzivasilis, G., et al.: AI-driven composition and security validation of controlled information security training. Computers & Security 2019, 87,
an IoT ecosystem. Applied Sciences – Special Issue on Smart City and 1–12.
Multi-Agent Systems, MDPI Open Access Journal, August 2020, vol. 10, [21] Baldwin, T.T., Ford, J.K.: Transfer of training: a review and directions
issue 14, article 4862, pp. 1-31. for future research. Personnel Psychology 1988, 41, 63–105.
[3] Maghool, S., et al.: The coevolution of contagion and behavior with [22] Velada, R., et al.: The effects of training design, individual characteristics
increasing and decreasing awareness. PLOS ONE, December 2019, vol. and work environment on transfer of training. International Journal of
14, issue 12, article: e0225447, pp. 1-22. Training and Development 2007, 11, 282–294.
[4] Smyrlis, I., et al.: CYRA: A Model-Driven Cyber Range Assurance [23] Katopodis, S., Spanoudakis, G. and Mahbub, K.: Towards hybrid cloud
Platform. Applied Sciences – Special Issue on Security Management of service certification models. International Conference on Services
5G and IoT Ecosystems, MDPI Open Access Journal, June 2021, vol. 11, Computing, June, 2014, pp. 394-399.
issue 11, article 5165, pp. 1-28. [24] Hatzivasilis, G., Papaefstathiou, I., Manifavas, C.: Software Security,
[5] Braghin, C., et al.: Towards the Monitoring and Evaluation of Trainees’ Privacy and Dependability: Metrics and Measurement. IEEE Software,
Activities in Cyber Ranges. 2nd Model-driven Simulation and Training vol. 33, issue 4, 2016, pp. 46-54.
Environments for Cybersecurity (MSTEC), ESORICS, Guildford, UK, [25] Cichonski, P., et al.: Computer security incident handling guide. NIST,
September 2020, Springer, LNCS, vol. 12512, pp. 79-91. Special Publication 800-61 v2, 2012, pp. 1-79.
[6] Hatzivasilis, G., et al.: Modern Aspects of Cyber-Security Training and [26] Goeke, L., et al.: PROTECT – An Easy Configurable Serious Game to
Continuous Adaptation of Programmes to Trainees. Applied Sciences Train Employees Against Social Engineering Attacks. 1st Model-driven
2020, 10, 1–26. Simulation and Training Environments for Cybersecurity (MSTEC),
[7] Chouliaras, N., et al.: Cyber ranges and testbeds for education, training, ESORICS, Luxembourg, September 2019, Springer, LNCS, vol. 11981,
and research. Applied Sciences 2021, 11, 1-23. pp 156-171.
[8] Chowdhury, N., Gkioulos, V.: Cyber security training for critical [27] Pape, S., et al.: Conceptualization of a CyberSecurity Awareness Quiz.
infrastructure protection: A literature review. Computer Science Review 2nd Model-driven Simulation and Training Environments for
2021, 40, 1–20. Cybersecurity (MSTEC), ESORICS, Guildford, UK, September 2020,
[9] Gustafsson, T., Almroth, J.: Cyber range automation overview with a case Springer, LNCS, vol. 12512, pp. 61-76.
study of CRATE. 25th Nordic Conference on Secure IT Systems [28] IBM, “Create high-quality test data while minimizing the risks of using
(NordSec), Springer, LNCS 2021, 12556, 192–209. sensitive production data.” IBM InfoSphere Optim Test Data Fabrication,
[10] SANS: Online cyber security training. https://www.sans.org/online- IBM, 2017, https://www.ibm.com/il-en/marketplace/infosphere-optim-
security-training/ . test-data-fabrication.

427
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on February 07,2025 at 04:04:13 UTC from IEEE Xplore. Restrictions apply.