---

---

13.03.2025 11:46

Security is just a side quest: Insights from the video game industry

Felix Koltermann Unternehmenskommunikation
CISPA Helmholtz Center for Information Security

The video game industry is a constantly changing market worth billions. In a qualitative interview study with industry experts, CISPA researcher Philip Klostermeyer from the team of CISPA Faculty Prof. Dr. Sascha Fahl investigated the challenges involved in incorporating security considerations into game development. He published the results in the paper “Skipping the Security Side Quests: A Qualitative Study on Security Practices and Challenges in Game Development,” which was presented at the Conference on Computer and Communications Security (CCS) in Salt Lake City in October 2024.

Video games have long fascinated Philip Klostermeyer, CISPA researcher and PhD student at the CISPA site in Hanover. And this not only from the perspective of the player. “I was required to develop a video game as part of my bachelor’s degree. That was the first time I realized how many different elements even a simple game has,” he says in the interview. “I suddenly understood how the different types of software work together.” In principle, a video game is nothing more than very complex software, explains Klostermeyer: “We have source code and data in the background. On the user interface, we then add a complex graphic design and elements such as audio. This is supplemented by the respective game logic. For online games, there is also the connection to servers that handle game logic, manage common security issues like login and authentication, and enable the display of advertisements. This shows that almost all topics that are important in computer security are relevant to video games.”

Aim of the study: Gaining an overview

The complexity of video game development and the significance of security made it an intriguing research topic for Klostermeyer and his colleagues. “We decided to investigate the security topic in video game development with the help of a qualitative interview study,” explains the CISPA researcher. “The method is well suited to gaining an overview of a subject area. After all, there is already a considerable amount of research that thoroughly covers individual topics within the games industry. What has been missing so far is a coherent overview of the entire field.” Another key aspect for Klostermeyer was the desire to apply their findings to the industry: “Our goal was to translate our insights into practical applications for the industry. That’s why we made it a priority to focus our study on the challenges faced by this target group.”

For the study, 20 individuals from 15 countries were interviewed, all of whom hold different positions in the games industry. “We identified the key stakeholders involved in game development and then carefully selected our interviewees,” explains Klostermeyer. “This included game developers, managers, platform publishers, as well as security experts. Our goal was to gain various perspectives on the topic of security. Through the interviews, we aimed to gather first-hand experience regarding awareness, priorities, knowledge, and practices related to security within the industry.”

Security as a secondary factor that depends on many aspects

Analyzing the interviews, the CISPA researchers distilled two key areas that are central to the topic of security in video game development. One of these is the unique circumstances within the games industry that affect game development and, consequently, security. “Factors such as the fast-paced nature of the industry, varying security standards, time and budget constraints, as well as a lack of security consulting are worth mentioning here,” explains Klostermeyer. On the other hand, the researchers identified five security-relevant areas in the game development process. “Specifically, these include measures to prevent in-game cheating, the security of so-called assets like source code or graphics, network security, software stability, and the protection of user data,” he continues. The importance of each area depends on the type of game in question. “For example, network security is of little relevance for games that are not played online,” says the CISPA researcher.

In terms of whether and how studios integrate security into the video game development process, the study identified time, budget and team size as the most important factors. While external players such as publishers provide security-related input, they mainly prioritize security to protect their company’s revenue or public image. Whereas large companies recruit their own security specialists, small studios usually lack the budget for this. And even when developers are aware of security issues, this may be considered less of a priority by management than, for example, the playability of a product. “Basically, it can be said that the games industry is very erratic when it comes to security,” says Klostermeyer. “The fast pace of the industry prevents developers from taking in-depth security measures and developing threat models for video games that are implemented from the start of game development.”

Prospects

For Klostermeyer and his colleagues from the Usable Security research team in Hanover, the current interview study was just the starting point for delving deeper into the subject matter. “The great thing about the study is that we were able to identify these five security-relevant areas in the game development process. With this knowledge, we can start developing proposals for guidelines.” However, there are already some concrete recommendations for the industry that Klostermeyer has derived from the results of the study. The key point is to integrate the aspect of security into game development as early as possible and to consider it at every level. Guidelines that each development studio should develop itself based on the respective requirements and adapted to its own products are helpful here. “This is a crucial cross-sectional task that every studio should take seriously,” says Klostermeyer with conviction.

---

Originalpublikation:

Philip Klostermeyer, Sabrina Klivan, Sandra Höltervennhoff, Alexander Krause, Niklas Busch, and Sascha Fahl. 2024. Skipping the Security Side Quests: A Qualitative Study on Security Practices and Challenges in Game Development. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (CCS '24). Association for Computing Machinery, New York, NY, USA, 2651–2665. https://doi.org/10.1145/3658644.3690190

---

<
Visualization to the paper "Skipping the Security Side Quests: A Qualitative Study on Security Pract ...

CISPA

---

Merkmale dieser Pressemitteilung:
Journalisten, jedermann
Informationstechnik
überregional
Forschungsergebnisse
Englisch

---