gamification security and privacy healthcare · 2019-02-07 · deep-learning processor with...

> Software > Gamification > Security and Privacy > Healthcare DECEMBER 2018 www.computer.org


STAFF

Editor: Cathy Martin

Publications Operations Project Specialist: Christine Anthony

Publications Marketing Project Specialist: Meghan O’Dell

Production & Design: Carmen Flores-Garvey

Publications Portfolio Managers: Carrie Clark, Kimberly Sperka

Publisher: Robin Baldwin

Senior Advertising Coordinator: Debbie Sims

Circulation: ComputingEdge (ISSN 2469-7087) is published monthly by the IEEE Computer Society. IEEE Headquarters, Three Park Avenue, 17th Floor, New York, NY 10016-5997; IEEE Computer Society Publications Office, 10662 Los Vaqueros Circle, Los Alamitos, CA 90720; voice +1 714 821 8380; fax +1 714 821 4010; IEEE Computer Society Headquarters, 2001 L Street NW, Suite 700, Washington, DC 20036.

Postmaster: Send address changes to ComputingEdge-IEEE Membership Processing Dept., 445 Hoes Lane, Piscataway, NJ 08855. Periodicals Postage Paid at New York, New York, and at additional mailing offices. Printed in USA.

Editorial: Unless otherwise stated, bylined articles, as well as product and service descriptions, reflect the author’s or firm’s opinion. Inclusion in ComputingEdge does not necessarily constitute endorsement by the IEEE or the Computer Society. All submissions are subject to editing for style, clarity, and space.

Reuse Rights and Reprint Permissions: Educational or personal use of this material is permitted without fee, provided such use: 1) is not made for profit; 2) includes this notice and a full citation to the original work on the first page of the copy; and 3) does not imply IEEE endorsement of any third-party products or services. Authors and their companies are permitted to post the accepted version of IEEE-copyrighted material on their own Web servers without permission, provided that the IEEE copyright notice and a full citation to the original work appear on the first screen of the posted copy. An accepted manuscript is a version which has been revised by the author to incorporate review suggestions, but not the published version with copy-editing, proofreading, and formatting added by IEEE. For more information, please go to: http://www.ieee.org/publications_standards/publications/rights/paperversionpolicy.html. Permission to reprint/republish this material for commercial, advertising, or promotional purposes or for creating new collective works for resale or redistribution must be obtained from IEEE by writing to the IEEE Intellectual Property Rights Office, 445 Hoes Lane, Piscataway, NJ 08854-4141 or [email protected]. Copyright © 2018 IEEE. All rights reserved.

Abstracting and Library Use: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy for private use of patrons, provided the per-copy fee indicated in the code at the bottom of the first page is paid through the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.

Unsubscribe: If you no longer wish to receive this ComputingEdge mailing, please email IEEE Computer Society Customer Service at [email protected] and type “unsubscribe ComputingEdge” in your subject line.

IEEE prohibits discrimination, harassment, and bullying. For more information, visit www.ieee.org/web/aboutus/whatis/policies/p9-26.html.

IEEE COMPUTER SOCIETY computer.org • +1 714 821 8380


IEEE Computer Society Magazine Editors in Chief

Computer: Sumi Helal, Lancaster University

IEEE Software: Diomidis Spinellis, Athens University of Economics and Business

IEEE Internet Computing: M. Brian Blake, Drexel University

IT Professional: Irena Bojanova, NIST

IEEE Security & Privacy: David M. Nicol, University of Illinois at Urbana-Champaign

IEEE Micro: Lieven Eeckhout, Ghent University

IEEE Computer Graphics and Applications: Torsten Möller, University of Vienna

IEEE Pervasive Computing: Marc Langheinrich, Università della Svizzera Italiana

Computing in Science & Engineering: Jim X. Chen, George Mason University

IEEE Intelligent Systems: V.S. Subrahmanian, Dartmouth College

IEEE MultiMedia: Shu-Ching Chen, Florida International University

IEEE Annals of the History of Computing: Nathan Ensmenger, Indiana University Bloomington

IEEE Cloud Computing: Mazin Yousif, T-Systems International

DECEMBER 2018 • VOLUME 4, NUMBER 12

Subscribe to ComputingEdge for free at www.computer.org/computingedge.

Software

Digital Transformation through SaaS Multiclouds
BRAD POWER

A Software Epiphany by the US Defense Community Might Provide an Unexpected Boost for Agile Software Development
DOUGLASS POST AND RICHARD KENDALL

Gamification

Gamification
DIRK BASTEN

Make Learning Fun and Get Out of the Way of the Smartphone Generation
SCOOTER WILLIS

Security and Privacy

Hello, World!—Code Responsibly
SIDDHARTH KAZA, BLAIR TAYLOR, AND KYLE SHERBERT

Do Crypto-Currencies Fuel Ransomware?
NIR KSHETRI AND JEFFREY VOAS

Healthcare

Semantic Activity Analytics for Healthy Aging: Challenges and Opportunities
MIKE MARTIN, ROBERT WEIBEL, CHRISTINA RÖCKE, AND STEVEN M. BOKER

Virtual/Augmented Reality

Experiencing the Sights, Smells, Sounds, and Climate of Southern Italy in VR
VITO M. MANGHISI, MICHELE FIORENTINO, MICHELE GATTULLO, ANTONIO BOCCACCIO, VITOANTONIO BEVILACQUA, GIUSEPPE L. CASCELLA, MICHELE DASSISTI, AND ANTONIO E. UVA

Departments

Magazine Roundup

Editor’s Note: Superior Software

4 December 2018 Published by the IEEE Computer Society 2469-7087/18/$33.00 © 2018 IEEE

CS FOCUS

Magazine Roundup

Editor: Lori Cameron

The IEEE Computer Society’s lineup of 13 peer-reviewed technical magazines covers cutting-edge topics ranging from software design and computer graphics to Internet computing and security, from scientific applications and machine intelligence to cloud migration and microchip design. Here are highlights from recent issues.

Computer

Bringing Citizens and Policymakers Together Online: Imagining the Possibilities and Taking Stock of Privacy and Transparency Hazards

In this article from the June 2018 issue of Computer, the authors make the case for creating a common architecture that interconnects otherwise disparate civic portals. They distinguish among core functions, complementary tools, and future features that could go into such a system, as well as consider its potential to create positive feedback loops that boost civic capacity and public legitimacy.

Computing in Science & Engineering

Simulating Stellar Hydrodynamics at Extreme Scale

This article, from the September/October 2018 issue of Computing in Science & Engineering, discusses simulating the hydrogen ingestion flash in asymptotic giant branch stars as an illustration of a computational science research problem demanding high-performance computation at scale. The project’s relationship to the National Strategic Computing Initiative’s objectives is also discussed.

IEEE Annals of the History of Computing

Rocappi: Computerizing the Publishing Industry

In 1963, John Seybold started the company Rocappi to use computer technology to produce and typeset complex, high-quality books, catalogs, directories, manuals, magazines, and other typeset documents. Over the next seven years, with the participation of his son, Jonathan W. Seybold, Rocappi pioneered the use of computers for publishing. Read more in the July–September 2018 issue of IEEE Annals of the History of Computing.

IEEE Cloud Computing

Emergent Failures: Rethinking Cloud Reliability at Scale

Since the conception of cloud computing, highly reliable service has been of the upmost importance to providers and their customers. Thus, considerable effort has been exerted toward enhancing the reliability of system components against various software and hardware failures. However, as these systems have continued to grow in scale, with heterogeneity and complexity resulting in the manifestation of emergent behavior, so too have their respective failures. Recent studies of production cloud datacenters indicate the existence of complex failure manifestations that existing fault tolerance and recovery strategies are ill-equipped to effectively handle. These emergent failures represent a significant threat to designing reliable cloud systems. This article, which appears in the September/October 2018 issue of IEEE Cloud Computing, identifies the challenges of emergent failures in cloud datacenters at scale and their impact on system resource management.

IEEE Computer Graphics and Applications

Mapping and Visualizing Deep-Learning Urban Beautification

Information visualization has great potential to make sense of the increasing amount of data generated by complex machine-learning algorithms. The authors of this article from the September/October 2018 issue of IEEE Computer Graphics and Applications designed a set of visualizations for a new deep-learning algorithm called FaceLift (goodcitylife.org/facelift). This algorithm generates a beautified version of a given urban image (such as from Google Street View), and the visualizations compare pairs of original and beautified images. The visualizations help practitioners understand what happened during the algorithmic beautification without requiring them to be machine-learning experts. A practitioner survey led to the derivation of general design guidelines for making complex machine-learning algorithms more understandable to a general audience with information visualization.

IEEE Intelligent Systems

Camera Placement Based on Vehicle Traffic for Better City Security Surveillance

Security surveillance is important in smart cities. Deploying numerous cameras is a common approach. Given the importance of vehicles in a metropolis, using vehicle traffic patterns to strategically place cameras could potentially facilitate security surveillance. This article, from the July/August 2018 issue of IEEE Intelligent Systems, constitutes the first effort toward building the link between vehicle traffic and camera placement for better security surveillance.

IEEE Internet Computing

To Follow or Not to Follow: A Study of User Motivations around Cybersecurity Advice

Usable security researchers have long pondered what motivates some users to ignore advice and make decisions that appear to put their security and privacy at risk. This study, which appears in the September/October 2018 issue of IEEE Internet Computing, specifically investigates user motivations to follow or not follow computer security advice through a survey distributed through Amazon Mechanical Turk. The authors used a rational decision model to guide the study design, as well as current thought on human motivation. The data shows key gaps in perception between those who follow the tested pieces of advice (such as updating software, using a password manager, using two-factor authentication, and changing passwords) and those who do not. It also helps explain participants’ motivations behind their decisions. Notably, the results show that social considerations are broadly trumped by individualized rationales.

IEEE Micro

DNPU: An Energy-Efficient Deep-Learning Processor with Heterogeneous Multi-Core Architecture

In the September/October 2018 issue of IEEE Micro, an energy-efficient deep-learning processor called DNPU is proposed for the embedded processing of convolutional neural networks (CNNs) and recurrent neural networks (RNNs) in mobile platforms. DNPU uses a heterogeneous multi-core architecture to maximize energy efficiency in both CNNs and RNNs. In each core, a memory architecture, data paths, and processing elements are optimized depending on the characteristics of each network. Also, a mixed workload division method is proposed to minimize off-chip memory access in CNNs, and a quantization table-based matrix multiplier is proposed to remove duplicated multiplications in RNNs.

IEEE MultiMedia

Integrating Vision and Language for First-Impression Personality Analysis

Integration of visual and language data in decision-making plays an important role in many human–robot and human–machine interaction systems. Video data multiprocessing is emerging as a promising application for analyzing first impressions of people. First impressions influence many everyday judgments—for example, in choosing a job candidate with the right professional skills. These skills can be assessed with a set of test assignments, but because it is time-consuming and requires considerable resources to interview each candidate in person, researchers have explored automatic personality analysis using different input data, such as human speech. Read more in the April–June 2018 issue of IEEE MultiMedia.

IEEE Pervasive Computing

Personalized Privacy Assistants for the Internet of Things: Providing Users with Notice and Choice

As we interact with an increasingly diverse set of sensing technologies, it becomes difficult to keep up with the many ways in which data about ourselves is collected and used. Study after study has shown that while people generally care about their privacy, they feel they have little awareness of—let alone control over—the collection and use of their data. This article, from the July–September 2018 issue of IEEE Pervasive Computing, summarizes ongoing research to develop and field privacy assistants designed to empower people to regain control over their privacy in the Internet of Things (IoT) era. Specifically, the authors focus on the infrastructure needed to support privacy assistants for the IoT, which enables the assistants to discover IoT resources (sensors, apps, services, devices, and so on) in the vicinity of their users, selectively inform users about the data practices associated with these resources, and discover user-configurable settings (opt in, opt out, erase data, and so on) for the IoT resources if there are any.

IEEE Security & Privacy

Cybersecurity in an Era with Quantum Computers: Will We Be Ready?

Organizations must understand their specific risks and plan for their systems to be resilient to quantum attacks. Assessment is based on three quantities: the security shelf life of the information assets, the migration time to systems designed to resist quantum attacks, and the time remaining before quantum computers break the security. Read more in the September/October 2018 issue of IEEE Security & Privacy.

IEEE Software

Software Engineering for Machine-Learning Applications: The Road Ahead

The first Symposium on Software Engineering for Machine-Learning Applications (SEMLA) aimed to create a space in which machine learning (ML) and software engineering (SE) experts could come together to discuss challenges, new insights, and practical ideas regarding the engineering of ML and AI-based systems. Key challenges discussed included the accuracy of systems built using ML and AI models, the testing of those systems, industrial applications of AI, and the rift between the ML and SE communities. This article is part of the September/October 2018 issue of IEEE Software on software engineering’s 50th anniversary.

IT Professional

The 2018 Winter Olympics: A Showcase of Technological Advancement

The 2018 Winter Olympics in Pyeongchang was a showcase of South Korea’s technological advancement and sophistication. Read more in the March/April 2018 issue of IT Professional.

ADVERTISER INFORMATION

Advertising Personnel

Debbie Sims: Advertising Coordinator. Email: [email protected] | Phone: +1 714 816 2138 | Fax: +1 714 821 4010

Advertising Sales Representatives (display)

Central, Northwest, Southeast, Far East: Eric Kincaid. Email: [email protected] | Phone: +1 214 673 3742 | Fax: +1 888 886 8599

Northeast, Midwest, Europe, Middle East: David Schissler. Email: [email protected] | Phone: +1 508 394 4026 | Fax: +1 508 394 1707

Southwest, California: Mike Hughes. Email: [email protected] | Phone: +1 805 529 6790

Advertising Sales Representative (Classifieds & Jobs Board)

Heather Buonadies. Email: [email protected] | Phone: +1 201 887 1703

Advertising Sales Representative (Jobs Board)

Marie Thompson. Email: [email protected] | Phone: 714-813-5094


EDITOR’S NOTE

Superior Software

In a software-dependent world, first-rate programming and products are highly valued. From usability and performance to maintenance and security, many factors contribute to software quality. Developing or leveraging high-quality software is essential to the success of governments, businesses, and individuals.

This issue of ComputingEdge features two articles that discuss how different organizations utilize software and modernize their processes to adapt to an evolving software landscape. From IEEE Cloud Computing, “Digital Transformation through SaaS Multiclouds” reveals how companies are diversifying the cloud software they use with the goal of improving flexibility and lowering IT costs. In Computing in Science & Engineering’s “A Software Epiphany by the US Defense Community Might Provide an Unexpected Boost for Agile Software Development,” the authors describe how the massive US defense industry is embracing agile software development methods and the impact this will have on computer scientists in all industries.

Organizations are also employing the latest software innovations to improve collaboration and education. One example is through gamification. IEEE Software’s “Gamification” highlights how businesses integrate game elements into their systems to foster knowledge sharing and meet training requirements. The author of Computer’s “Make Learning Fun and Get Out of the Way of the Smartphone Generation” argues that gamification can improve technology and engineering education by motivating students to learn coding, robotics, and more.

The pervasive presence of software in our society makes its security critically important. IEEE Security & Privacy’s “Hello, World!—Code Responsibly” makes the case for teaching secure coding techniques in introductory programming courses. IT Professional’s “Do Crypto-Currencies Fuel Ransomware?” shines a light on crypto-currency’s potential effect on the prevalence of ransomware attacks.

Additional topics in this issue are healthcare and virtual/augmented reality. In IEEE Pervasive Computing’s “Semantic Activity Analytics for Healthy Aging: Challenges and Opportunities,” the authors posit that analyzing real-time mobility and activity data from elderly people can lead to insights on healthy aging.

Finally, IEEE Computer Graphics and Applications’ “Experiencing the Sights, Smells, Sounds, and Climate of Southern Italy in VR” explores virtual reality in the tourism industry, focusing on a case study in which a multisensory, immersive system introduces tourists to the Italian region of Apulia.

PURPOSE: The IEEE Computer Society is the world’s largest association of computing professionals and is the leading provider of technical information in the field.

MEMBERSHIP: Members receive the monthly magazine Computer, discounts, and opportunities to serve (all activities are led by volunteer members). Membership is open to all IEEE members, affiliate society members, and others interested in the computer field.

COMPUTER SOCIETY WEBSITE: www.computer.org

OMBUDSMAN: Direct unresolved complaints to [email protected]

CHAPTERS: Regular and student chapters worldwide provide the opportunity to interact with colleagues, hear technical experts, and serve the local professional community.

AVAILABLE INFORMATION: To check membership status, report an address change, or obtain more information on any of the following, email Customer Service at [email protected] or call +1 714 821 8380 (international) or our toll-free number, +1 800 272 6657 (US):

• Membership applications
• Publications catalog
• Draft standards and order forms
• Technical committee list
• Technical committee application
• Chapter start-up procedures
• Student scholarship information
• Volunteer leaders/staff directory
• IEEE senior member grade application (requires 10 years practice and significant performance in five of those 10)

PUBLICATIONS AND ACTIVITIES

Computer: The flagship publication of the IEEE Computer Society, Computer, publishes peer-reviewed technical content that covers all aspects of computer science, computer engineering, technology, and applications.

Periodicals: The society publishes 13 magazines, 19 transactions, and one letters. Refer to membership application or request information as noted above.

Conference Proceedings & Books: Conference Publishing Services publishes more than 275 titles every year.

Standards Working Groups: More than 150 groups produce IEEE standards used throughout the world.

Technical Committees: TCs provide professional interaction in more than 30 technical areas and directly influence computer engineering conferences and publications.

Conferences/Education: The society holds about 200 conferences each year and sponsors many educational activities, including computing science accreditation.

Certifications: The society offers two software developer credentials. For more information, visit www.computer.org/certification.


EXECUTIVE STAFF

Executive Director: Melissa Russell
Director, Governance & Associate Executive Director: Anne Marie Kelly
Director, Finance & Accounting: Sunny Hwang
Director, Information Technology & Services: Sumit Kacker
Director, Membership Development: Eric Berkowitz

COMPUTER SOCIETY OFFICES

Washington, D.C.: 2001 L St., Ste. 700, Washington, D.C. 20036-4928. Phone: +1 202 371 0101 • Fax: +1 202 728 9614 • Email: [email protected]

Los Alamitos: 10662 Los Vaqueros Circle, Los Alamitos, CA 90720. Phone: +1 714 821 8380 • Email: [email protected]

MEMBERSHIP & PUBLICATION ORDERS

Phone: +1 800 272 6657 • Fax: +1 714 821 4641 • Email: [email protected]

Asia/Pacific: Watanabe Building, 1-4-2 Minami-Aoyama, Minato-ku, Tokyo 107-0062, Japan. Phone: +81 3 3408 3118 • Fax: +81 3 3408 3553 • Email: [email protected]


COLUMN: Cloud Economics

Digital Transformation Through SaaS Multiclouds

Brad Power, MAXOS

Editor: Joe Weinman, [email protected]

IEEE Cloud Computing, May/June 2018. Copublished by the IEEE CS and IEEE ComSoc. 2325-6095/18/$33.00 USD ©2018 IEEE

There are lots of big companies that would love to switch from their big legacy systems to avoid compromises in functionality, make them more agile, lower IT costs, and help them to become faster to market. This article describes how they can make the move.

Many executives are frustrated by their rigid IT systems (ERP suites and packaged software) which can force compromises on functionality, may make them slow to respond to market changes, and can be expensive to support and maintain. In the 1990s and early 2000s, the golden age of ERP, many companies followed the conventional wisdom that they needed a “single source of truth.” They believed the only way to achieve that was to buy a big, comprehensive suite of software applications from one vendor, such as SAP, Oracle, JD Edwards, or PeopleSoft. Today, pioneering companies are choosing instead to free managers to choose multiple “best of breed” cloud applications to assemble a SaaS multicloud. These early adopters are typically more agile and have lower IT costs than their competitors.

Cloud software has been around for a long time—for example, Salesforce, a pioneer of cloud software, is 20 years old. However, it’s only recently that leading companies are shifting from tactically acquiring one or two cloud services on a piecemeal basis to strategically exploiting a SaaS multicloud strategy: accessing most of their software from cloud providers, assembling them like Lego blocks, and swapping them in and out of their IT architecture as needed. Instead of having one monolithic database, when a manager needs information, the source for the relevant data is clear, and a layer of reporting software seamlessly integrates heterogeneous data from the different sources.

GETTING SOFTWARE FROM MULTIPLE CLOUD PROVIDERS CAN ENABLE DRAMATIC COST REDUCTION

Allan Farrell, CIO at FCR Media Belgium, was being challenged by his new boss: Reduce annual IT spending from €14M to €5M. In 2016, FCR had acquired Farrell’s company, Truvo, which had been based on the printed Yellow Pages directories that advertised small and medium businesses, and everyone could see that was a dying business model. Headcount in Belgium was slated to be reduced from 600 to 300. So, Farrell devised a strategy to achieve his aggressive IT budget reduction target without degrading the company’s capabilities by relying on three principles: Cloud first; buy, don’t build; and configure, don’t customize. Software services were switched from a standard industry software package for billing, operations, and customer service, and another package for accounting and finance to 10 cloud applications acquired on the Salesforce AppExchange. In less than five months, he reduced IT costs from €14M to €6M and IT headcount from 75 to 20. Customer satisfaction improved by 50 percent. And in the latest list of the top digital marketing agencies in Belgium, FCR was ranked number two, even though it only launched in 2016.

GETTING SOFTWARE FROM MULTIPLE CLOUD PROVIDERS CAN ENABLE GROWTH

More than 30,000 small- and medium-sized businesses trust Paycor to deliver their payroll and human resources services. For its first 20 years, Paycor grew in the single digits every year, but about five years ago the company decided to accelerate its annual growth to 20-25 percent. To grow that fast, it needed to upgrade its systems for marketing, sales, and customer service. Brian Vass, vice president of sales and marketing technology, told me that its IT organization is good at building payroll and human resources systems, but “it isn’t good at these other systems, and even if they wanted to develop them, progress would move at a snail’s pace.” Paycor decided to make a fundamental shift from in-house to SaaS for its new software. It selected two major cloud products—Salesforce and Marketo—and added 40 compatible apps from the app store of its major provider—Salesforce AppExchange.

Vass said, “We wouldn’t be able to move this fast without a SaaS model. We can find a product that meets our needs, and with one click we’re up and running in minutes.”

And everything works together. Paycor is growing at a pace that would have been impossible without leveraging multiple cloud services.

THE NEW MULTICLOUD ARCHITECTURE

In my interviews with 10 companies that have chosen a “plug and play” applications architecture utilizing multiple cloud software providers, a few key design principles emerged:

Process First

Switch from being forced to follow the practices embedded in one big software package to shopping for smaller software modules that fit your ideal process, and if none are available due to unique process requirements, then build your own. For example, Joe Cardella, senior vice president of sales at waste removal company Cardella Waste Services, switched from a standard industry software package that didn’t quite fit the company’s needs to six cloud apps, including a real-time operations management system, to get software services that fit better with its unique business needs—tracking trucks and dumpsters.

Multiple Databases

Shift from a “single source of truth” in a monolithic database to multiple “master databases”, e.g., one each for customers, human resources, finance, and operations, sourced from clearly designated applications. For example, Erik den Ouden, the director of global IT for JF Hillebrand, a logistics company, pointed out that the company uses one cloud application as the source for customer management, sales, and marketing data; another for finance; and a third for human resources. It also has a homegrown system for order management because no products meet the unique needs of its business. Each application is the source for data in that function (“system of record”). An integration layer facilitates customer and employee interactions. When a manager needs information, the source for the relevant data is clear, and a layer of reporting software brings the data together seamlessly from the different sources.


Experiment and Swap Continuously run experiments to find better solutions. For example, Charlie Merrow, CEO of Merrow Manufacturing, a high-tech sewing machine and soft goods manufacturer, told me they selected a shipping application that was the best on the market, then they switched to a UPS product, then, when their original provider upgraded, returned to the original application. This was made possible by having small, independent applications that easily communicate with the other applications.

STRATEGIES FOR DIGITAL TRANSFORMATION TO SAAS MULTICLOUD There are lots of companies that would love to transition from their legacy, monolithic ERP sys-tems to a SaaS multicloud approach to avoid compromises in functionality, increase business agility, lower IT costs, and reduce time to market. But there’s not much guidance on how to move from legacy suites to multiple cloud applications. However, key lessons have emerged to help manage such digital transformations:

Starve the Beast Mike Gibbons, CIO of Aggregate Industries, a producer of asphalt, aggregates, and ready-mixed concrete, gradually replaced parts of its ERP solution with multiple cloud solutions. The ERP system was close to their needs with some customization, but as their business evolved and each set of new requirements emerged they first looked for a cloud solution that at least met their cus-tom internal requirements. Over time, they introduced Anaplan for forecasting, ServiceNow for IT services, Salesforce for customer management, Workday for HR, Coupa for procurement, Qlik for business intelligence, and Google Enterprise for office productivity—which saved them thousands of dollars. While ERP implementations typically take years, these smaller cloud appli-cation implementations were much faster. For example, the Coupa replacement of all the pro-curement functionality took less than three months. They could do it that fast because they worked out the simplest process first, and it was in a bite-sized chunk. Gibbon said, “We got bet-ter technology and better results.”

Spin It up Fast, Throw It Away

Merrow Manufacturing’s technology strategy is to be iterative, be fast, and eliminate things that don’t work. They leverage technology to grow and empower everyone to be more commercially successful. Sometimes they find a cloud application that meets their needs, but they also aren’t afraid to develop and implement their own technology to do what they need. For example, their phone system had issues, so they developed one themselves. It’s not just about cost savings: Merrow can now customize and tune it to meet their own requirements and align with their processes. Adjusting technology to fit their processes is something they’ve become good at. They minimize the number of times that data needs to be entered, or that someone needs to remember something that needs to be done. Their software is running at a low cost and with little time invested, so they can discard an application if it doesn’t fit and develop their own using platform services. For example, they needed an application for managing sewing machine repairs. There was nothing like this on the Salesforce AppExchange. So, they documented their requirements, including the reports they wanted to run. Then they built the system on the Lightning Platform and were up and running in two days. It wasn’t exactly right, but they used an agile approach and with business meetings every day providing feedback on reporting data and formats, they iteratively made it better. Then they moved to workloads. “What do we want to remind people about? How do we reduce the information flows to customers?” It fundamentally changed the way they delivered customer service around repairs. In very short order, this process went from taking too long to completely changing a part of their business that added net-new revenue. Gibbons said, “It didn’t take a big investment in software. But it warranted enough investment to do it well.”


Standardize Selectively

Christine Ashton, Global Chief Digital Officer at SAP in the Digital Office ERP Cloud, pointed out that the kind of agile development that Charlie Merrow advocates has its place, yet sometimes commoditization and standardization can be useful. For example, payments and compliance can be purchased from a provider of an industry standard, yielding services at competitive parity and making it easier for ecosystem partners to connect. For example, all the companies I interviewed had purchased software applications for finance and accounting, which represented up to 50 percent of their software. This selective use of commodity software requires a decomposition of work into a services and data architecture and a “heat map” of what needs to be commodity vs. distinctive.

THE ROLE OF SYSTEMS INTEGRATOR

Despite the benefits, a multicloud architecture means that a company must be its own systems integrator, rather than relying on the monolithic software package provider. As described by Erik den Ouden of JF Hillebrand, a company with a multicloud architecture needs to integrate data across applications, often using middleware or reporting software, instead of having most of the data in one database. Dependencies need to be more closely watched to ensure that compatibility and compliance are maintained. Rather than negotiating with just one or two cloud infrastructure, platform, and/or service providers, there now may be dozens. Different interfaces may create challenges for user training or usage.

Allan Farrell of FCR Media Belgium focuses his IT staff on architecture and vendor management, while relying on high quality partners for the rest of their IT services, such as IT operations out of India, a big systems integrator for Salesforce configuration, and another partner for media content. One of his challenges was finding the right kind of business architect to work with the business. He found an excellent one who did a great job of solving the pain points on the customer journey by mapping to capabilities. It took some time to shift the business managers from seeing everything as an IT problem to start with business capabilities and business processes. The business architect now reports to the CEO on strategy and innovation.

CONCLUSION

The multicloud software architectures of the companies profiled in this article using more, smaller applications have many advantages: lower cost, growth, and best-of-breed services. Yet these companies are a rare breed. Allan Farrell of FCR Media said that he hasn’t come across anybody else who has done what they’ve done in the time they’ve done it, and Salesforce and Deloitte haven’t either. Chris Meyerpeter, CIO at Ardent Mills, a $4 billion flour supplier, which has had a “Velcro” architecture of over 40 cloud applications for four years, said he hasn’t seen anyone else doing this at their scale. It is clear, however, that as companies in all industries undergo digital transformation, a SaaS multicloud approach has numerous benefits.

ABOUT THE AUTHOR

Brad Power is a consultant who helps organizations that must make faster changes to their products, services, and systems to compete with start-ups and leading software companies. He is a principal at MAXOS, a partner at FCB Partners, a Questrom Digital Fellow at Boston University, an advisor to the Innovation Scout, and a frequent contributor to the Harvard Business Review. He received a BS in Mathematical Sciences from Stanford University and an MBA from UCLA. Contact him at [email protected].

Contact department editor Joe Weinman at [email protected].


This article originally appeared in IEEE Cloud Computing, vol. 5, no. 3, 2018.

14 December 2018 Published by the IEEE Computer Society 2469-7087/18/$33.00 © 2018 IEEE

COLUMN: FROM THE EDITORS

A Software Epiphany by the US Defense Community Might Provide an Unexpected Boost for Agile Software Development

Douglass Post, Carnegie Mellon University Software Engineering Institute

Richard Kendall, Consultant

Computing in Science & Engineering, copublished by the IEEE CS and the AIP, July/August 2018, 1521-9615/18/$33

Recent events in the US defense community hold the promise of a major boost in the use of agile software development methods and a concomitant improvement in the effectiveness of defense software procurement and development. Software has become a critical component of major systems. Airplanes are being characterized as “flying computers.” Automotive systems have hundreds of thousands of lines of code. Software for virtual prototyping is being used to design next-generation systems, reducing their development time, risks, and costs. Software is a major component of defense programs for autonomous vehicles, artificial intelligence, and data analytics—including machine learning.

The present defense procurement process starts with the prospective user community drafting a set of detailed, rigid requirements and specifications for the product of interest. Proposals are then solicited and a contract awarded to the lowest credible bidder. The contractor next develops a detailed, long-term plan, executes the plan, tests the final product, and delivers it for final testing to the user community. This is all closely supervised by a government contracting office. The same process is generally used for both software and hardware. Few CiSE readers will be surprised to hear that this process doesn’t work very well for developing complex software. Fred Brooks pointed this out over 30 years ago in his classic paper, “No Silver Bullet.”1 It’s very hard for users to draft valid, detailed requirements for complex software, and harder yet to deliver software that meets them. If the first time the users see the software is when the final version is delivered to them, it’s highly likely that the software won’t meet their initial requirements. It’s virtually guaranteed that the software won’t meet their current needs, which will have evolved during the contract in response to external events. The defense community needs software that enables rapid development of innovative products, and it’s not getting it.

Recognizing this, the US defense community asked several advisory groups—including the Defense Science Board (DSB),2 the Defense Innovation Board (DIB)3,4 and the Intelligence and National Security Alliance (INSA)5—to analyze the problems and recommend solutions. These advisory groups strongly engaged commercial high tech industries such as Google, Facebook, IBM, Microsoft, and others. The advice from the advisory groups is very similar. They all recognized that software development is different from hardware procurement, and that software is never finished. They strongly recommend replacing the traditional software acquisition process with variants of disciplined agile6 methods that emphasize

• requirements based on “goals and outcomes and use cases” rather than long lists of detailed, rigid specifications; and

• small development teams (~10–15 professionals), who develop and deliver workable software iteratively in short sessions (2–4 weeks), and continual or continuous software builds and tests.

The DSB refers to development teams with these attributes as “software factories.” Senior government officials are now beating the drums to help accelerate the paradigm transition from rigid “waterfall” methodologies to agile methodologies.7,8

Why should this be of interest to the computational science community? After all, almost anyone who isn’t being funded by the defense community, and who depends on developing working software for a living, probably is already using some type of agile process. At one level, agile methods are common sense because they involve continual evaluation of what has been accomplished and what next steps are needed to meet the project goals. The reason that this potential paradigm shift is important to the CiSE community is that the paradigm shift described above will affect a large portion of the scientists, engineers, and computer scientists engaged in computing of any kind in the US and abroad. The US defense budget is approximately $700 billion. If the defense community adopts agile methods, major parts of the rest of US government will likely follow, as will parts of the international computing community that look to the US defense community as a model system. The defense community supports a significant fraction of US scientific research, engineering, and product development, with applications ranging from machine learning to engineering design. It’s one of the major supporters of commercial and academic computer science and software engineering. If agile methods are fully adopted by the defense community, a working knowledge of the new paradigm will be required by a significant portion of computational science, computational engineering, and computer science graduates and undergraduates. They’ll need formal training and credentials in agile methodologies if they expect to work in the defense community. In addition, there will be research opportunities in computer science and computer engineering to improve software productivity. In the past, defense software development methods were pretty inflexible. There wasn’t much room for developing software except by the book (such as rigid waterfall methodologies). Now, a potential revolution is growing in a large portion of the federal software development community, and that can’t help but open up many new opportunities for innovation.

REFERENCES

1. F.P. Brooks, “No Silver Bullet—Essence and Accident in Software Engineering,” IEEE Computer, vol. 20, no. 4, 1987, pp. 17-18.

2. Design and Acquisition of Software for Defense Systems, report, Defense Science Board, Department of Defense, Feb. 2018; https://www.acq.osd.mil/dsb/reports/2010s/DSB_SWA_Report_FINALdelivered2-21-2018.pdf.

3. “Defense Innovation Board,” Department of Defense; http://innovation.defense.gov/.


4. T. Chappallet-Lanier, “Defense Innovation Board Unveils ‘Ten Commandments of Software,’” Fedscoop, 27 Apr. 2018; https://www.fedscoop.com/defense-innovation-board-unveils-ten-commandments-software/.

5. “Improving the Acquisition of Services in the Intelligence Community,” Intelligence and National Security Alliance, Apr. 2017; www.insaonline.org/improving-the-acquisition-of-services-in-the-intelligence-community/.

6. “Disciplined Agile Delivery,” Wikipedia; https://en.wikipedia.org/wiki/Disciplined_agile_delivery.

7. W. Roper, “Fixing Software Development Necessary for Future Success,” Air Force Mag., 29 Apr. 2018; http://www.airforcemag.com/Features/Pages/2018/April%202018/Roper-Fixing-Software-Development-Necessary-For-Future-Success.aspx.

8. K. Owens, “Agility is the Future of Software Development, Says Air Force General,” Defense Systems, 14 July 2017; https://defensesystems.com/articles/2017/07/14/air-force-cybersecurity.aspx.

ABOUT THE AUTHORS

Douglass Post is a principal researcher at the Carnegie Mellon University Software Engineering Institute, and an associate editor in chief of CiSE. Contact him at [email protected] or [email protected].

Richard Kendall is a consultant for the US Department of Defense High Performance Computing Modernization Program. Contact him at [email protected].


This article originally appeared in Computing in Science & Engineering, vol. 20, no. 4, 2018.

CALL FOR PAPERS

2019 IEEE World Congress on Services
BigData/CLOUD/EDGE/ICCC/ICIOT/ICWS/SCC
July 8-13, 2019, Milan, Italy
http://conferences.computer.org/services/2019/

2019 IEEE World Congress on Services (SERVICES) will be held on July 8-13, 2019 in Milan, Italy. The Congress is solely sponsored by the IEEE Computer Society under the auspices of the Technical Committee on Services Computing (TCSVC). The scope of the Congress will cover all aspects of services computing and applications, current or emerging. It covers various systems and networking research pertaining to cloud, edge and Internet-of-Things (IoT), as well as technologies for intelligent computing, learning, big data and blockchain applications, while addressing critical issues such as high performance, security, privacy, dependability, trustworthiness, and cost-effectiveness. Authors are invited to prepare early and submit original papers to any of these conferences at www.easychair.org. All submitted manuscripts will be peer-reviewed by at least 3 reviewers. Accepted and presented papers will appear in the conference proceedings published by the IEEE Computer Society Press. The Congress will be organized with the following seven affiliated conferences/congresses:

2019 Congress General Chair Peter Chen, Carnegie Mellon University, USA

2019 Congress Program Chair-in-Chief Elisa Bertino, Purdue University, USA

2019 Congress Vice Program Chair-in-Chief Ernesto Damiani, University of Milan, Italy

Workshop Chairs
Shangguang Wang, BUPT
Stephan Reiff-Marganiec, University of Leicester

Steering Committee
Elisa Bertino, Purdue University, USA
Carl K. Chang, Chair, Iowa State University, USA
Rong N. Chang, TCSVC Chair, IBM, USA
Peter Chen, Carnegie Mellon University, USA
Ernesto Damiani, University of Milan, Italy
Ian Foster, University of Chicago & Argonne National Lab, USA
Dennis Gannon, Indiana University, USA
Michael Goul, Arizona State University, USA
Frank Leymann, University of Stuttgart, Germany
Hong Mei, Beijing Institute of Technology, China
Stephen S. Yau, Arizona State University, USA

IEEE International Congress on Big Data (BigData Congress) Big data acquisitions, analyses, storage, and mining for various services and applications

IEEE International Conference on Cloud Computing (CLOUD) Innovative cloud computing for both high quality infrastructure and mobile services

IEEE International Conference on Edge Computing (EDGE) High quality services computing between cloud systems and IoT devices

IEEE International Conference on Web Services (ICWS) Innovative web services for various effective applications

IEEE International Conference on Cognitive Computing (ICCC) Cognitive computing, learning algorithms for intelligent services and applications

IEEE International Congress on Internet of Things (ICIOT) Innovative IoT technology for digital world services

IEEE International Conference on Services Computing (SCC) Intelligent services computing, lifecycles, infrastructure and mobile environments

Key Dates
Early Paper submission due: December 1, 2018
Review comments to authors of early-submission papers: January 15, 2019
Normal Paper submission due: February 4, 2019
Final notification to authors: March 15, 2019
Camera-ready manuscripts due: April 1, 2019
Congress Date: July 8 – 13, 2019

CALL FOR WORKSHOP PROPOSALS: See http://conferences.computer.org/services/2019/ for more information. Send inquiries to: [email protected]

IEEE SOFTWARE | PUBLISHED BY THE IEEE COMPUTER SOCIETY 0740-7459/17/$33.00 © 2017 IEEE

Editor: Christof Ebert Vector Consulting [email protected]

SOFTWARE TECHNOLOGY

Gamification

Dirk Basten

Games can help motivate people in otherwise nongame scenarios and engage users in high interaction. For decades, animated strategy games have helped introduce MBA students to complex economic scenarios. More recently, marketing has been using gamification to connect users with products and sales channels. Software teams use gamification for collaborative experiences, learning, and knowledge sharing. Here, Dirk Basten explores gamification applications and underlying technologies. I look forward to hearing from both readers and prospective column authors about this column and the technologies you want to know more about. —Christof Ebert

GAMIFICATION, which applies game-related elements to nongame contexts,1 has generated a high level of interest (see Figure 1) and is popular in many business domains. Examples include the star ratings for eBay sellers and buyers and progress bars that companies such as PayPal use to motivate users to complete their profiles. For repetitive, monotonous tasks, gamification can be particularly beneficial because playful experiences help make nongame scenarios more motivating and engaging.

By seeking to change how people behave, gamification creates value for companies in diverse ways:

• Usability. Game levels of increasing difficulty help new users of complex software platforms. As users complete higher levels, they get to know more and more features.

• Trust. Badges that users achieve for conjointly solving a task create a feeling of shared ownership. Enabling users to share or give virtual goods to others can further increase social interaction. As interaction among users improves, a climate of trust will likely emerge.

• Motivation. Because intrinsic motivation is a central idea of gamification, users will likely put considerable effort into gathering information and developing new ways to use the system.

Originating from the digital-media domain, gamification has experienced widespread adoption2,3 (for some examples, see the sidebar “Real-World Gamification”). Because of gamification’s benefits, most organizations are likely to use it in the near future.4

Gamification Design

Companies interested in gamification should consider these questions:

• What systems and respective processes should be gamified?

• What user behavior is desired?

• What game elements should be used?

FIGURE 1. Google’s normalized trend data for the topic “gamification.” The percentage indicates the proportion of searches for that topic to all searches on all topics. (Line chart; x-axis: Year, 2009 to 2017; y-axis: Percentage of total searches, 0 to 100.)

SEPTEMBER/OCTOBER 2017 | IEEE SOFTWARE

Regarding the alignment of the desired behavior and game elements, companies can rely on a framework5 that distinguishes between three aspects of gamification design:

• Mechanics. Game components concerning data representation and algorithms (for example, points and badges).

• Dynamics. Runtime behavior of mechanics concerning players’ inputs and outputs over time (for example, completion and choices).

• Aesthetics. The desirable emotional responses evoked in users when they interact with the gamified system (for example, the feeling of being challenged and the feeling of community).

Concerning mechanics, Table 1 shows game elements commonly used for gamification of software systems. (The literature describes such elements in more detail.6) However, dynamics and aesthetics are subject to the context and the company’s objectives and must be derived by key stakeholders. Figure 2 illustrates an example interaction between a user and a gamified customer relationship management (CRM) system. It makes a difference whether M&Ms uses gamification for a marketing campaign7 or Ford aims to engage its staff in using a learning platform (see the sidebar “Real-World Gamification”).

TABLE 1. Common game elements.3

| Game element | Definition |
|---|---|
| Feedback | Immediate notifications that keep users constantly aware of progress or failures |
| Goals | Activity goals that are adapted as challenges for the user |
| Badges | Optional rewards and goals outside the scope of a service’s core activities |
| Point system | Reward for completing actions (that is, a numeric value that’s added to the total points) |
| Leaderboard | Tracking and displaying desired actions to drive desired behavior through competition |
| User levels | Indication of the user’s proficiency in the overall gaming experience over time |

Companies must be aware that a one-size-fits-all approach is unlikely to work. Users’ personalities affect how they perceive gamification. For instance, explorers strive to find hidden items they can likely collect by exploring a software system’s different areas, whereas achievers are eager to complete the many challenges with which they’re confronted.

Also, organizations should be cautious in providing monetary or other concrete rewards. Such approaches conflict with the aim of fostering intrinsic rather than extrinsic motivation.

Available Technologies

Table 2 provides an overview of some prominent gamification technologies. Technologies come from both established software companies such as SAP and companies that focus on gamification, such as Bunchball. (A broader overview of gamification technologies is at technologyadvice.com/gamification/products.)

Gamification technologies work with software ranging from Microsoft Office to CRM systems and enterprise systems. Except for gamification technology explicitly for Microsoft Office and SharePoint, these technologies are applicable across diverse platforms owing to their web-based accessibility. The technologies don’t differ regarding common game elements (see Table 1) and typically can be used by any size company. Free trials or demos are usually available. The technologies differ primarily in their application domain and pricing models.

REAL-WORLD GAMIFICATION

Here I discuss several companies that have successfully used gamification. I focus particularly on the Ford Professional Performance Program (p2p) Cup.1,2

Cisco uses gamification for social-media training. It provides courses for different business contexts and links training to three certification levels (specialist, strategist, and master). Thousands of courses have been taken.

Relying on Badgeville technology (see Table 2 in the main article), Deloitte gamified its executive training and obtained benefits such as faster course completion and easier identification of experts. The system includes missions with clear goals to guide users through various tutorials.

Cigna, an early adopter of gamification, reported a considerable increase in the completion rate of its health assessments after it gamified them. Users earn rewards by interacting with the gamified app. In the healthcare industry, tracking activities with the help of wearables can support gamification.

The Ford p2p Cup is a platform for sales and service personnel that aims to increase content use, accelerate certification, and motivate learning. To implement the p2p Cup, Ford relied on the Nitro gamification platform (see Table 2 in the main article).

The p2p Cup uses a car-racing analogy and employs these elements:

• Players receive points and badges for activities such as watching videos, consuming the latest product information, and participating in webinars.

• Badges are issued in a virtual trophy cabinet.

• Users with sufficient points rise to higher levels.

• Leaderboards compare employees.

• Team goals for car dealerships promote a sense of community and foster competition.

Gamifying the learning platform has provided several benefits.3 In the year after Ford introduced the p2p Cup, visits to the platform increased by more than 400 percent. More than 7,000 training plans were created, and almost 175,000 web courses were completed. Furthermore, the share of staff members certified in areas such as sales and parts and service exceeded 80 percent; such growth typically leads to increased sales and more satisfied customers.

References

1. R. Paharia, Loyalty 3.0: How to Revolutionize Customer and Employee Engagement with Big Data and Gamification, McGraw-Hill Education, 2013.

2. K. Augustin et al., “Are We Playing Yet? A Review of Gamified Enterprise Systems,” Proc. 2016 Pacific Asia Conf. Information Systems (PACIS 16), 2016; aisel.aisnet.org/pacis2016/2.

3. “Ford Professional Performance Program (p2p),” Bond Brand Loyalty, 2015; bondbrandloyalty.com/our-work/ford-professional-performance-program.

Zurmo (zurmo.org) focuses on CRM and provides rewards for all types of actions in the system. It’s an open source technology that also can be obtained through subscription. Zoho (www.zoho.eu/crm) also focuses on CRM; it’s available through subscription, and there’s a freemium version. As standalone solutions for gamified CRM, Zurmo and Zoho don’t offer APIs.

SAP Cloud Platform Gamification (cloudplatform.sap.com/capabilities/collaboration/gamification.html) offers diverse licensing models, an API for including gamification in existing enterprise applications, and SAP Single Sign-On. So, it can be applied in diverse contexts.

Badgeville Enterprise Plus (badgeville.com/products/badgeville-enterprise-plus) works in contexts such as online communities, sales, learning, training, and customer support. It offers APIs for applications such as Salesforce, IBM Connections, and Microsoft SharePoint.

The CROWN SharePoint Learning Management System (www.messageops.com/sharepoint-gamification-learning-management-system) gamifies Microsoft Office and SharePoint. Through Active Directory, it can be linked to existing applications.

Nitro (www.bunchball.com/products/nitro) gamifies enterprise apps, websites, and social networks and is thus broadly applicable to different domains. It works with a variety of software systems such as Salesforce and SAP.

Jive’s Advanced Gamification Module (www.jivesoftware.com) focuses on social software and offers integration for Outlook, Office, SharePoint, Salesforce, and others.

Hints for PractitionersCritics say that gamification is a buzzword organizations use as a mere marketing tool to which many people won’t respond. They also argue that gamification might induce unwanted behavior if game ele-ments become more important than the core function. However, gami-fication can help organizations seek desired behavior when they use it as a supporting feature rather than

building their business exclusively on gamified processes. To reduce the likelihood of gamification failure, companies must be aware of the fol-lowing risks.

If gamified elements distract users from the task’s main purpose, the quality of work tasks might suffer and productivity might decrease. So, software systems must provide appropriate levels of gamification.

Also, productivity will likely decrease if users feel a disadvantage due to other users cheating the sys-tem. If users can easily gain rewards by cheating (for example, owing to unclear rules), some users might reject gamification.

[Figure 2 diagram. Labels: User; Gamified CRM system; User input; System response; Repetition; Login; Create new product; Customer communication and sale; Points; New-product badge; 25th-login badge; Level up (based on points gathered); Improvement of leaderboard rank.]

FIGURE 2. Interaction between a user and a gamified customer relationship management (CRM) system. The interplay of mechanics and dynamics during system use is meant to evoke the desired aesthetics.


for a marketing campaign7 or Ford aims to engage its staff in using a learning platform (see the sidebar “Real-World Gamification”).

Companies must be aware that a one-size-fits-all approach is unlikely to work. Users’ personalities affect how they perceive gamification. For instance, explorers strive to find hidden items they can likely collect by exploring a software system’s different areas, whereas achievers are eager to complete the many challenges with which they’re confronted.

Also, organizations should be cautious in providing monetary or other concrete rewards. Such approaches conflict with the aim of fostering intrinsic rather than extrinsic motivation.

Available Technologies

Table 2 provides an overview of some prominent gamification technologies. Technologies come from both established software companies such as SAP and companies that focus on gamification, such as Bunchball. (A broader overview of gamification technologies is at technologyadvice.com/gamification/products.)

Gamification technologies work with software ranging from Microsoft Office to CRM systems and enterprise systems. Except for gamification technology explicitly for Microsoft Office and SharePoint, these technologies are applicable across diverse platforms owing to their web-based accessibility. The technologies don’t differ regarding common game elements (see Table 1)

REAL-WORLD GAMIFICATION

Here I discuss several companies that have successfully used gamification. I focus particularly on the Ford Professional Performance Program (p2p) Cup.1,2

Cisco uses gamification for social-media training. It provides courses for different business contexts and links training to three certification levels (specialist, strategist, and master). Thousands of courses have been taken.

Relying on Badgeville technology (see Table 2 in the main article), Deloitte gamified its executive training and obtained benefits such as faster course completion and easier identification of experts. The system includes missions with clear goals to guide users through various tutorials.

Cigna, an early adopter of gamification, reported a considerable increase in the completion rate of its health assessments after it gamified them. Users earn rewards by interacting with the gamified app. In the healthcare industry, tracking activities with the help of wearables can support gamification.

The Ford p2p Cup is a platform for sales and service personnel that aims to increase content use, accelerate certification, and motivate learning. To implement the p2p Cup, Ford relied on the Nitro gamification platform (see Table 2 in the main article).

The p2p Cup uses a car-racing analogy and employs these elements:

• Players receive points and badges for activities such as watching videos, consuming the latest product information, and participating in webinars.

• Badges are issued in a virtual trophy cabinet.

• Users with sufficient points rise to higher levels.

• Leaderboards compare employees.

• Team goals for car dealerships promote a sense of community and foster competition.



TABLE 2. Selected gamification technologies.

| Technology | Zurmo | Zoho CRM* | SAP Cloud Platform Gamification | Badgeville Enterprise Plus | CROWN SharePoint LMS* | Nitro | Advanced Gamification Module |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Provider | Zurmo | Zoho | SAP | Badgeville | CROWN SharePoint | Bunchball | Jive |
| Domains | CRM | CRM | SAP Enterprise Platform | Online community engagement; Sales performance; Learning management; Compliance training; Customer support | Office 365; SharePoint | Enterprise apps; Websites; Social networks | Social software |
| Enterprises | Small to large | Small to large | Medium to large | Small to large | Small to large | Small to large | Small to large |
| Platforms | Web-based; Mobile | Web-based; Mobile | Web-based | Web-based; Mobile | Web-based | Web-based; Mobile | Web-based; Mobile |
| Profiles | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Feedback | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Goals | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Badges | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Point system | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Leaderboards | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| User levels | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Analytics | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Free trial or demo | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Pricing | Open source (AGPL ver. 3*); Subscription | Freemium; Subscription | License; Subscription | Upon request | Upon request | Subscription | Upon request |
| API | N/A | N/A | Gamification service API; SAP Single Sign-On | Feature connectors for Jive, Jammer, Salesforce, SharePoint, IBM Connections, and other APIs | Microsoft ActiveDirectory | Salesforce; BMC Remedyforce; IBM Connections; Jive; NICE Systems; SAP; Others | Integration for selected apps (for example, Outlook, Office, SharePoint, Salesforce, Box, and Evernote) |

* CRM = customer relationship management, LMS = learning management system, and AGPL = GNU Affero General Public License.


In addition, applying gamification to systems to make system usage more enjoyable requires a meaningful design. Organizations must avoid reducing gamification to simple “pointification” (the awarding of points only) and seeing gamification as a magic bullet for increasing user acceptance.

Privacy must also be considered because electronic monitoring and surveillance accompany gamification. Data can be collected for both the activity performed and the user performing it. Gamification thus requires clear differentiation between private and public data, and users should be allowed to decide whether to publish private data. To avoid a feeling of heavy-handed organizational control and lack of trust, data should be used only in an aggregated form.
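One way to apply the two rules above (users decide whether their own data is published, and everything else appears only in aggregate), as an added Python example that is not from the article or from any product in Table 2. The activity records, the consent register and the minimum group size of three are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (user, dealership team, points earned for one activity).
ACTIVITY = [
    ("ana", "Dealer A", 40), ("ben", "Dealer A", 25), ("cy", "Dealer A", 10),
    ("ana", "Dealer A", 5),
    ("dee", "Dealer B", 90), ("eli", "Dealer B", 15),
]

# Constructed consent register: True means the user chose to publish their score.
# "dee" never answered, so there is no entry for that user.
PUBLISH_CONSENT = {"ana": True, "ben": False, "cy": True, "eli": True}

# Assumption: with fewer members than this, a team total would reveal
# individual scores, so the team is left off the public board.
MIN_GROUP_SIZE = 3


def team_leaderboard(activity, min_group_size=MIN_GROUP_SIZE):
    """Aggregate points per team and suppress teams that are too small."""
    totals = defaultdict(int)
    members = defaultdict(set)
    for user, team, points in activity:
        totals[team] += points
        members[team].add(user)
    rows = [
        (team, totals[team], len(members[team]))
        for team in totals
        if len(members[team]) >= min_group_size
    ]
    # Highest total first; team name breaks ties so the order is stable.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def individual_leaderboard(activity, consent):
    """Return named scores only for users who opted in.

    A missing consent entry is treated as "do not publish". The second
    return value is the number of users whose scores were withheld.
    """
    totals = defaultdict(int)
    for user, _team, points in activity:
        totals[user] += points
    visible = [
        (user, points)
        for user, points in totals.items()
        if consent.get(user) is True
    ]
    visible.sort(key=lambda row: (-row[1], row[0]))
    return visible, len(totals) - len(visible)


if __name__ == "__main__":
    print("Team board:", team_leaderboard(ACTIVITY))
    print("Opt-in board:", individual_leaderboard(ACTIVITY, PUBLISH_CONSENT))
```

In the sample, the two-person team is withheld from the team board even though it has the highest total, because publishing it would let either member work out the other's score.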

Gamification’s positive effects can decrease when its novelty has worn off. In the long term, gamification requires expenditures—for instance, to create new challenges. Otherwise, users might perceive tasks as too simple when their skills improve. Also, if game elements are removed, user performance might decline, even below the level before gamification was introduced.

Gamification is more than a buzzword (for further information on its applicability and potential, see the sidebar “Resources”). As a way to engage users, it will likely become even more important for future generations, who will likely have an increased affinity with video games. With the main focus on the supporting business processes (and with the core business processes being less of a focus), organizations seem to favor gamification of less critical areas. Although gamification’s success depends on several design choices, gamifying software systems is a promising way to more productive sociotechnical systems.

References

1. S. Deterding et al., “From Game Design Elements to Gamefulness: Defining ‘Gamification,’” Proc. 15th Int’l Academic MindTrek Conf.: Envisioning Future Media Environments (MindTrek 11), ACM, 2011, pp. 9–15.

2. R. Paharia, Loyalty 3.0: How to Revolutionize Customer and Employee Engagement with Big Data and Gamification, McGraw-Hill Education, 2013.

3. K. Augustin et al., “Are We Playing Yet? A Review of Gamified Enterprise Systems,” Proc. 2016 Pacific Asia Conf. Information Systems (PACIS 16), 2016; aisel.aisnet.org/pacis2016/2.

4. M. Fuchs et al., Rethinking Gamification, Meson Press, 2014.

5. R. Hunicke, M. LeBlanc, and R. Zubek, “MDA: A Formal Approach to Game Design and Games Research,” Proc. Challenges in Games AI Workshop—2004 Nat’l Conf. Artificial Intelligence, 2004, pp. 1–5.

6. S. Thiebes, S. Lins, and D. Basten, “Gamifying Information Systems—a Synthesis of Gamification Mechanics and Dynamics,” Proc. 2014 European Conf. Information Systems (ECIS 14), 2014, pp. 1–17.

7. H.W. Mak, “The Sweet Way That Gamification Helps M&M’s Boost Consumer Engagement,” blog, 6 Dec. 2016; www.gamification.co.

DIRK BASTEN is an assistant professor in the University of Cologne’s Department of Information Systems and Systems Development. Contact him at [email protected].


RESOURCES

To keep updated on gamification of software systems, access these resources:

• Bunchball is a provider of cloud-based software-as-a-service gamification. Its website (www.bunchball.com) includes a blog with news, case studies, and more.

• The Gamification Research Network (gamification-research.org) is a communication hub that includes information about ongoing research activities and conferences.

• The Gameworks Blog (www.gameffective.com/blog) discusses workplace applications of gamification.


This article originally appeared in IEEE Software, vol. 34, no. 5, 2017.


CHALLENGE-BASED LEARNING

Make Learning Fun and Get Out of the Way of the Smartphone Generation

Scooter Willis, TechGarage

Students are ready to embrace the technology-driven 21st century. If we make learning fun and challenging—and then get out of the way—they will readily learn the skills needed to succeed in the future.

EDITOR SCOOTER WILLIS, F1 Oncology; [email protected]

Do you remember when you wrote your first computer program? I was in the eighth grade, at the Radio Shack in the mall. At the back of the store, TRS-80 computers, as well as books on BASIC programming, had been made available for customers to tinker with. And I was hooked. My parents didn’t understand my obsession with computers at the time, and I must admit that today, as the parent of a teenager, I often find it hard to accept the amount of time my son spends on his smartphone using social media. The difference is that, in the 80s, if you wanted to do something fun on a computer, you had to write code. Today, smartphone apps and video games have perfected the art of entertainment to the point that all free technology time is spent having fun—you can’t program on a smartphone, Xbox, or PlayStation. In fact, most teenagers have no idea what a command prompt is or what “IDE” stands for. But the smartphone generation is poised to become expert at communicating and sharing with others.

Minecraft, which became a huge hit 10 years ago, was bought by Microsoft for $2.5 billion in 2014. The game’s developers recognized that users would have just as much fun building their worlds as they did interacting with others. Minecraft offers an in-game programming experience through Redstone that allows using visual components for player interaction. Minecraft also has a Lua programming language plug-in to interact with game elements via an in-game command prompt. For the typical Minecrafter, game building is why you play; very little time is spent on programming. At TechGarage, the large after-school robotics program I run, the quickest way to find out whether fourth graders are going to love building robots is by asking whether they play Minecraft and seeing if they smile. Minecraft will be responsible for an increased number of architects and civil and mechanical engineers, because building a virtual city in the fourth grade puts a young mind on the path toward a love of building.

TechGarage offers a comprehensive four-week summer camp program in which we’re constantly looking for ways to make learning core engineering skills fun. By helping students find their technology passion at a young enough age, we hope to make a positive impact on their schooling by giving learning a purpose.

Five years ago, we introduced RoboCode, a Java-based tank game developed by IBM in 2001 to teach programming (Figure 1). The game consists of a Java-based tank API that controls all elements of the tank and a collection of tanks with a range of features. The tanks—with names such as Crazy, Corner, Fire, and Walls—come complete with source code, which facilitates student learning because they have to study the code for each robot. Each week, a new group of 15 students was tasked with writing code for their tank, which would compete against the tanks in the game and, more importantly, the tanks of other students in the class. There was no instruction in Java—we simply directed students to the “video game” and let them figure out how to program. Over the years, we introduced hundreds of students to Java by using RoboCode, and were consistently amazed at how quickly they learned to program when faced with the knowledge that they had a competition at 3:00 against their peers. The final double-elimination tournament between student tanks often resembled a Superbowl-watching party, with everyone cheering for their favorite team. If you make learning fun, all you need to do is get out of the way and let the fun begin.

Figure 1. RoboCode, a Java-based tank game developed by IBM in 2001 to teach programming (https://sourceforge.net/projects/robocode).

Two years ago, we started using CodeCombat.com, a multilevel video game that doesn’t require a keyboard and mouse to compete; instead, players are required to write code in either Python or JavaScript to navigate their characters through increasingly complex game levels. These novice programmers are challenged to install and write their first program without a system administrator. CodeCombat.com is web-browser-based, and the only difficulty is when parents try to set up accounts for their sons or daughters. The solution is to have parents let their sons or daughters sign up for the account. CodeCombat.com offers six levels of computer science, game development, and website design, and is recognized by the College


Board as an endorsed provider of curriculum and professional development for AP Computer Science Principles (AP CSP). It epitomizes the idea of making learning fun and getting out of the way.

Technology is causing evolutionary change in all aspects of society. Discovering optimal ways to educate and prepare our children for a technology-driven future is paramount. Of potential concern is how to enable students from varying socioeconomic backgrounds to participate and work in an increasingly technology-driven world. At TechGarage, we’ve been working on at-risk engagement models to bridge the digital divide by partnering with community centers that support after-school and summer camp programs in at-risk neighborhoods.

At the end of the 2018 school year, TechGarage, together with its community center partners, hosted three 2-week robotics summer camp programs to expose elementary and middle school students to challenge-based learning and robotics. Before and after these camps, a STEM assessment survey was given to 40 students with no prior participation in the TechGarage program.

In the informal survey results from the Boys and Girls Club of Riviera Beach and the Delray Achievement Center, where the self-selected students were new to the TechGarage program, 90 percent of students reported that they liked figuring out why something didn’t work and fixing it—which are core attributes for engineers. Eighty-eight percent said that they like electronics, which was most likely driven by their exposure to smartphones at a young age. It’s our assessment that a smartphone represents a small learning box that presents problems to be solved on a daily basis. In the survey at the start of camp, 30 percent of the participants said they were interested in what makes machines work, and 50 percent responded that they were sometimes interested in this. After two weeks of robotics camp, 70 percent responded that they were interested in what makes machines work; this significant increase drew from the “sometimes interested” group, which dropped to 15 percent, and the “not interested” group, which dropped from 20 to 12 percent. A similar response was seen for soldering circuit boards: whereas, in the initial survey, 30 percent said that they liked soldering circuit boards, this number jumped to 62 percent after the students were given electronic circuit board project kits to solder/make during the two-week robotics camp. Clearly, the additional exposure to technology using an engaging, challenge-based approach generated significant interest in learning more.

For survey questions that focused on interest in programming, we did not expect strong initial interest. Thirty percent of students responded “yes” when asked whether they wanted to program and develop video games. Another 30 percent responded “yes” when asked whether they wanted to become robotics engineers; in the post-survey, this increased to 45 percent. When initially asked whether they wanted a job that makes lots of money, 95 percent responded “yes,” and 5 percent “maybe.” Students were also asked whether they liked programming in Python: 30 percent responded “yes,” despite the fact that informal questioning of the groups found no prior experience programming in Python. More importantly, “yes” responses jumped to 62 percent after two weeks of exposure to CodeCombat.com (which teaches Python in a video game framework), with the change coming from a drop—from 42 to 14 percent—in those initially responding “no.” Similarly, in the pre-survey, 62 percent responded affirmatively to the question “I like programming a robot”; this group increased to 78 percent in the post-survey. These results largely support the premise that students have a strong interest in technology and that exposure to technology learning models increases their enthusiasm and interest.

Teacher-centric methods that emphasize rote learning and memorization run the risk of marginalizing students who don’t perform well in traditional schools, setting them on the path to a minimum-wage future. With the recent passage of the Carl D. Perkins Career and Technical Education Improvement Act of 2018, which received near-unanimous support from Congress and $1.8 billion in funding, we must take a hard look at the optimal ways to prepare students for technology careers.

At TechGarage, we’re convinced that the smartphone generation knows no socioeconomic boundaries—the playing field has been effectively leveled. Students are hooked on technology: they are conditioned to fail early and often from playing video games, learn quickly by watching YouTube videos, and have very little interest in memorizing their way to straight As. Challenge-based learning in the context of technology education presents real-world challenges through collaborative and hands-on programs that develop much-needed skills. Students are ready to embrace the technology-driven 21st century, whereas many schools are still using teaching models developed for 20th-century requirements. If we can make learning fun and challenging—and then get out of the way—students will readily embrace their future.

SCOOTER WILLIS is a founder of TechGarage, a centralized robotics workspace for middle- and high-school students in Palm Beach County, Florida. Willis is also the senior director of R&D Bioinformatics at F1 Oncology. Contact him at [email protected].


This article originally appeared in Computer, vol. 51, no. 10, 2018.


January/February 2018 Copublished by the IEEE Computer and Reliability Societies 1540-7993/18/$33.00 © 2018 IEEE

Editors: Melissa Dark, [email protected] | Jelena Mirkovic, [email protected] | Bill Newhouse, [email protected]

EDUCATION

The digital landscape has changed dramatically since the first “hello, world” program. With software pervasive to every facet of our lives, writing secure code has never been more important. Many security exploits target vulnerabilities that are a result of poorly designed and implemented software. Despite its critical importance, secure coding is primarily taught in upper-level elective computer science (CS) classes. As a result, most students graduate with little or no exposure to secure coding techniques. We believe that it is important to teach responsible coding early, starting in the first programming course, and often, by repeating and reinforcing security concepts in advanced courses.

Towards this end, some schools are working to incorporate secure coding into the CS curriculum. Researchers at Stanford University and Purdue University have developed a game for teaching secure coding;1 faculty at the University of North Carolina, Charlotte (UNCC) have built an interactive integrated development environment (IDE) to detect vulnerabilities;2 and the University of California, Davis, has teamed up with researchers at Purdue to create a secure programming clinic to assist programming students in writing robust programs.3 At Towson University, we have developed modules that teach students to code securely and responsibly from the first class.

The Security Injections @Towson Project

Started in 2006, the Security Injections @Towson project includes over 50 learning objects (Table 1). The Security Injection nano-modules target important security concepts that can be addressed effectively in introductory CS courses (CS0, CS1, CS2), including integer error, buffer overflow, input validation, and data hiding. Individual modules were developed for languages commonly used in these courses—C++, Java, and Python. Each module requires minimal instructor intervention, is auto-graded, and has been shown to be effective in both classroom and online courses.4–6
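An added illustration, not taken from the Security Injections modules, of two of the concepts named above as they might appear in a first-course lab: input validation and integer error. All function names are hypothetical, and the 32-bit wraparound is simulated because Python integers do not overflow the way a Java or C++ int does.

```python
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap_int32(value):
    """Return what a 32-bit signed int (Java int, typical C++ int) would hold."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def parse_quantity(text, lowest=1, highest=100_000):
    """Input validation: accept only plain ASCII digits within an expected range.

    str.isdigit() alone also accepts characters such as Arabic-Indic digits,
    which int() would silently convert, so the ASCII check comes first.
    """
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"not a whole number: {text!r}")
    number = int(text)
    if not lowest <= number <= highest:
        raise ValueError(f"{number} is outside {lowest}..{highest}")
    return number


def unchecked_total(quantity, unit_price_cents):
    """The 'before' version: multiply and let a 32-bit result wrap silently."""
    return wrap_int32(quantity * unit_price_cents)


def checked_total(quantity, unit_price_cents):
    """The responsible version: detect the integer error before using the result."""
    total = quantity * unit_price_cents
    if not INT32_MIN <= total <= INT32_MAX:
        raise OverflowError(
            f"{quantity} x {unit_price_cents} does not fit in a 32-bit int"
        )
    return total


if __name__ == "__main__":
    # Constructed inputs: both values pass validation on their own,
    # yet their product exceeds the 32-bit range.
    quantity = parse_quantity("50000")
    price_cents = 50_000
    print("unchecked:", unchecked_total(quantity, price_cents))
    try:
        checked_total(quantity, price_cents)
    except OverflowError as err:
        print("checked:", err)
```

The sample run shows why range-checking each input is not sufficient on its own: two in-range values still produce a negative total once the product wraps.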

Due to the nature of the field, many CS and cybersecurity labs are developed rapidly in an ad hoc fashion and lead to a “run-and-submit” mentality in students without encouraging reflection. The Security Injection nano-modules (Figure 1) follow a consistent format grounded in the learning sciences and include the following sections:

■ Background—This section provides context for the security vulnerability, activates background knowledge, and stimulates learning.

■ Code Responsibly—This section contains strategies that programmers should employ to avoid these vulnerabilities. At the end of both this section and the Background, we pose multiple-choice comprehension questions to encourage students to thoroughly read the material and to think about what they have just learned.

■ Lab Assignment—In this section, students write programs that demonstrate the vulnerabilities and apply the strategies from the previous section.

■ Security Checklist—This section encourages students to analyze blocks of code, allowing them to interactively trace the source of vulnerabilities and highlight potential areas of concern (see Figure 2). Our project’s approach is to reinforce concepts at increasing levels of learning; for instance, the checklists teach students to identify buffer overflows in CS1 and techniques for mitigation in CS2. In addition, repeated exposure to the checklists or code reviews allows students to become skilled in self-checking their code.

■ Discussion—This section includes questions that require further research and reflection. The questions are open-ended, and their answers are recorded on a completion certificate.

It Takes a Village

The Security Injections project has been collaborative since the start, including faculty from community colleges and an HBCU (Historically Black College or University) to design, pilot, develop, and assess the learning objects. This allowed a continuous improvement process based on faculty feedback. Involving faculty throughout the process also increased instructor buy-in and adoption of materials.

Building effective materials is not enough; outreach is crucial to sustainability. We conducted over 50 faculty workshops, panels and birds-of-a-feather groups, a Build-A-Lab program, and a Security Ambassador program reaching over 400 faculty across 221 institutions, including more than 90 community colleges and several high schools (Figure 3). The goal of each workshop was to increase faculty interest in our project and encourage them to include the Security Injections in their classes. The agenda included open discussions and breakout groups to promote feedback, reflection, and sharing of teaching strategies. Our workshops are designed to be as modular as our Security Injections: flexible enough to fit into various time allotments and comprehensive enough to be easily shared. We have a growing base of “security ambassadors” who conduct workshops on Security Injections at conferences and at local institutions across the country.

Hello, World!—Code Responsibly

Siddharth Kaza, Blair Taylor, and Kyle Sherbert | Towson University

Tips to Introduce Responsible Coding in Your First Course

■ Emphasize the importance of security in the software development lifecycle. Instead of using the traditional “hello, world!,” try the following as your first programming lab:

    # First programming lab: print the software development lifecycle.
    print('The Software Development Lifecycle')
    print('1: Analysis: Define the problem')
    print('2: Design: Plan the solution')
    print('3: Implement: Code the solution')
    print('4: Test and debug')
    print('5: Maintain and document')
    print('6: Add security features')

As a follow-up, students must remove step 6 and integrate security into each step. It’s a very simple exercise—not much harder than printing “hello world”—that introduces responsible coding.

■ Include secure programming as a course objective in your syllabus. Including objectives and learning outcomes like those in the ACM/IEEE CS 2013 (https://www.acm.org/education/curricula-recommendations), NSA/DHS Center of Academic Excellence (CAE) knowledge units (https://www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense), and Joint Task Force on Cybersecurity Education guidelines (https://www.csec2017.org) will facilitate accreditation and designation processes. To reiterate the importance of secure coding, include the Code Responsibly icon (Figure 4), or a similar mantra, on the syllabus.

■ Capitalize on students’ interest in security. Our experience indicates that most students, including females and minorities, have high interest in cybersecurity. This inherent interest in security can be used to motivate students to learn; for example, by teaching binary in the context of integer errors. Think outside the box for your

Table 1. Security Injections @Towson—learning object taxonomy.

Learning object | Completion time
Nano-module | Less than 1 hour
Micro-module | 1 to 4 hours
Module | Between 4 hours and two weeks (6 hours)
Unit | Between 2 weeks and 15 weeks (45 hours)
Course | 15 weeks (45 hours)

Figure 1. The Integer-error nano-module in Java for CS0.

January/February 2018. Copublished by the IEEE Computer and Reliability Societies. 1540-7993/18/$33.00 © 2018 IEEE

Editors: Melissa Dark | Jelena Mirkovic | Bill Newhouse

EDUCATION

The digital landscape has changed dramatically since the first “hello, world” program. With software pervasive to every facet of our lives, writing secure code has never been more important. Many security exploits target vulnerabilities that are a result of poorly designed and implemented software. Despite its critical importance, secure coding is primarily taught in upper-level elective computer science (CS) classes. As a result, most students graduate with little or no exposure to secure coding techniques. We believe that it is important to teach responsible coding early, starting in the first programming course, and often, by repeating and reinforcing security concepts in advanced courses.

Towards this end, some schools are working to incorporate secure coding into the CS curriculum. Researchers at Stanford University and Purdue University have developed a game for teaching secure coding;[1] faculty at the University of North Carolina, Charlotte (UNCC) have built an interactive integrated development environment (IDE) to detect vulnerabilities;[2] and the University of California, Davis, has teamed up with researchers at Purdue to create a secure programming clinic to assist programming students in writing robust programs.[3] At Towson University, we have developed modules that teach students to code securely and responsibly from the first class.

The Security Injections @Towson Project

Started in 2006, the Security Injections @Towson project includes over 50 learning objects (Table 1). The Security Injection nano-modules target important security concepts that can be addressed effectively in introductory CS courses (CS0, CS1, CS2), including integer error, buffer overflow, input validation, and data hiding. Individual modules were developed for languages commonly used in these courses—C11, Java, and Python. Each module requires minimal instructor intervention, is auto-graded, and has been shown to be effective in both classroom and online courses.[4–6]

Due to the nature of the field, many CS and cybersecurity labs are developed rapidly in an ad hoc fashion and lead to a “run-and-submit” mentality in students without encouraging reflection. The Security Injection nano-modules (Figure 1) follow a consistent format grounded in the learning sciences and include the following sections:



assignments—a creative project can effectively demonstrate student knowledge. Below is the final stanza from a poem written by a CS0 student:

When I fixed my program, a thought came to me,

Input Validation is all about security,

If used correctly it makes my programs robust,

So I can be a programmer you trust.

The Security Injections learning objects are interactive, auto-graded, and freely available at www.towson.edu/securityinjections.

Code responsibly!

Acknowledgments

The Security Injections @Towson and its ancillary projects are supported by the National Science Foundation under grants NSF DUE-1241738, NSF DUE-0817267, NSF DGE-1516113, NSF DGE-1516113, NSF DGE-1241649, the National Security Agency, and the Intel Corporation.

References

1. N. Adamo-Villani, M. Oania, and S. Cooper, “Using a Serious Game Approach to Teach Secure Coding in Introductory Programming: Development and Initial Findings,” Journal of Educational Technology Systems, vol. 41, no. 2, 2012–2013, pp. 107–131.

2. J. Xie, B. Chu, and H.R. Lipford, “Idea: Interactive Support for Secure Software Development,” Proceedings of the Third International Conference on Engineering Secure Software and Systems (ESSoS 11), 2001, pp. 248–255.

3. I. Ngambeki et al., “Teach the Hands, Train the Mind … A Secure Programming Clinic!,” Proceedings of the 19th Colloquium for Information Systems Security Education, 2015, pp. 119–133.

4. B. Taylor and S. Kaza, “Security Injections: Modules to Help Students Remember, Understand, and Apply Secure Coding Techniques,” Proceedings of the 16th Annual Conference on Innovation and Technology in Computer Science Education (ITICSE 11), 2011.

5. B. Taylor and S. Kaza, “Security Injections @Towson: Integrating Secure Coding into Introductory Computer Science Courses,” ACM Transactions on Computing Education, vol. 16, no. 4, 2016.

6. S. Raina, S. Kaza, and B. Taylor, “Security Injections 2.0: Increasing Ability to Apply Secure Coding Knowledge Using Segmented and Interactive Modules in CS0,” SIGCSE, 2016, pp. 144–149.

Siddharth Kaza is an associate professor at Towson University.

Blair Taylor is a clinical associate professor at Towson University.

Kyle Sherbert is a graduate student at Towson University.

Figure 2. The buffer overflow Security Checklist in CS0—C11. Students begin by clicking each vulnerable array wherever it appears; they must then specify the legal index range for that array, and trace changes to any variable used as its index.
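The checklist steps named in the Figure 2 caption (find the array, state its legal index range, trace the variable used as its index), applied to an off-by-one loop bound and followed by a bounds-checked write. This is an added C example, not code from the Security Injections modules; the array size, the loop bounds and every function name are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

#define NUM_SCORES 5   /* constructed sample size; legal indices are 0..4 */

/* Checklist step 2: the legal index range of an array with len elements. */
static int index_is_legal(size_t len, long index)
{
    return index >= 0 && (size_t)index < len;
}

/*
 * Checklist step 3: trace every value the index variable takes in
 *     for (i = first; i <= last; i++) array[i] = ...;
 * and count the accesses that fall outside the legal range.
 * The first offending index is written to *first_bad (if not NULL).
 */
int trace_loop_index(size_t len, long first, long last, long *first_bad)
{
    int violations = 0;
    for (long i = first; i <= last; i++) {
        if (!index_is_legal(len, i)) {
            if (violations == 0 && first_bad != NULL)
                *first_bad = i;
            violations++;
        }
    }
    return violations;
}

/* Hardened write: refuses any index outside 0..len-1 instead of
 * writing past the end of the array. Returns 0 on success, -1 otherwise. */
int store_score(int *scores, size_t len, long index, int value)
{
    if (scores == NULL || !index_is_legal(len, index))
        return -1;
    scores[index] = value;
    return 0;
}

/* Run the flawed loop shape (i <= last_index) through store_score();
 * returns how many writes were rejected instead of overflowing. */
int fill_scores_checked(int *scores, size_t len, long last_index)
{
    int rejected = 0;
    for (long i = 0; i <= last_index; i++)
        if (store_score(scores, len, i, (int)(i * 10)) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    int scores[NUM_SCORES] = {0};
    long bad = -1;

    /* Flawed bound under review: for (i = 0; i <= NUM_SCORES; i++) */
    int v = trace_loop_index(NUM_SCORES, 0, NUM_SCORES, &bad);
    printf("legal range: 0..%d, violations: %d, first bad index: %ld\n",
           NUM_SCORES - 1, v, bad);

    /* Corrected bound: for (i = 0; i < NUM_SCORES; i++) */
    printf("violations after fix: %d\n",
           trace_loop_index(NUM_SCORES, 0, NUM_SCORES - 1, NULL));

    printf("rejected writes: %d\n",
           fill_scores_checked(scores, NUM_SCORES, NUM_SCORES));
    return 0;
}
```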

Figure 3. Security Injections workshop participants.


Figure 4. The Code Responsibly button.

This article originally appeared in IEEE Security & Privacy, vol. 16, no. 1, 2018.

2469-7087/18/$33.00 © 2018 IEEE. Published by the IEEE Computer Society. December 2018.
1520-9202/17/$33.00 © 2017 IEEE. Published by the IEEE Computer Society. computer.org/ITPro

IT TRENDS
Editor: Irena Bojanova, NIST

Do Crypto-Currencies Fuel Ransomware?

Nir Kshetri, University of North Carolina at Greensboro

Jeffrey Voas, IEEE Fellow

As ransomware spreads, victimization rates escalate. The State of Cyber Security 2017 report from the Finnish cybersecurity firm F-Secure stated that there was only one ransomware “variant” in 2012. This increased to 35 in 2015 and 193 in 2016.[1] Individuals, corporations, banks, educational establishments, hospitals, and government agencies have all been held hostage by ransomware and blackmailed into paying out in crypto-currency—typically, bitcoin—to retrieve their data.[2]

As a recent example, the WannaCry ransomware started on 12 May 2017. It infected about 300,000 computers in 150 countries[3] and cost computer users thousands of dollars in ransom money and billions in lost productivity.[4] Hospitals in the UK’s National Health Service were forced to cancel surgeries. Ambulances were diverted, and patient records were inaccessible. WannaCry used 28 languages to release ransom messages, including European and Asian dialects.[5] The extortionists demanded that victims pay US$300–$600 in bitcoin (about 0.17–0.34 BTC based on the price of bitcoin at that time). WannaCry extortionists relied on three bitcoin wallet addresses, yet they still needed to perform manual decryption of victims’ files after receiving payment. In other attacks, more sophisticated ransomware programs were employed. These attacks dynamically generated a new bitcoin address for each infected machine, and a smart contract governed the process of decrypting victims’ computers: if ransom money is paid to X address, the files in victim Y’s computers get decrypted.[6]

The escalation of ransomware could be fueled in part by the diffusion of crypto-currencies. Without crypto-currencies, the creation of ransomware such as WannaCry would not be as desirable because other forms of payment have greater “criminal” traceability. Surveys have revealed that some companies hold supplies of bitcoins so that they can pay extortionists if ever necessary.[7]

In this article, we examine crypto-currencies’ effects on ransomware and look at what might influence a victim’s decision to pay.

Crypto-Currency Ransomware: How It Works

Before crypto-currencies, extortionists usually asked victims to send money via money transfer agencies or deposit directly to bank accounts. However, such transfers had more traceability if law enforcement got involved. Crypto-currencies are somewhat of an online extortionists’ dream come true. For instance, it is almost impossible to pinpoint the perpetrators based on bitcoin addresses.

Bitcoins can be converted into cash secretively through third parties. Pinpointing the extortionist is of little value if that person is in a jurisdiction that does not cooperate in detection. For instance, cybersecurity researchers at Google, Symantec, FireEye, and others reportedly found evidence linking WannaCry ransomware attacks to North Korea.[8] Given that North Korea maintains few diplomatic ties, it is difficult to take actions against such an isolated country.

IT Pro, September/October 2017

Ransomware involving crypto-currencies might increase because such currencies are becoming more widely adopted. According to the World Economic Forum (WEF), 10 percent of global GDP will be stored on blockchain by 2027[9] compared to 0.025 percent in 2016.[10]

While bitcoin transactions are difficult to track, they are not completely anonymous. All transactions are recorded in a permanent public ledger. After the bitcoins are moved from that address, financial movements can be traced. Users can be traced through IP addresses and money flows. Elliptic, a blockchain intelligence company, uses artificial intelligence to scan and analyze the bitcoin network to identify suspicious behavior patterns in bitcoin transactions. It can trace transactions to individuals or groups. Elliptic’s services are used by online exchanges and law enforcement to detect money laundering.[11]

Extortionists can further reduce the probability of detection using next-generation crypto-currencies such as Monero, Dash, and Z-Cash. These have built-in anonymity features. For instance, Monero is arguably the most anonymous crypto-currency. In 2016, AlphaBay, which might be the most widely used darknet market, started accepting Monero.[12] Monero is less widespread than bitcoin—for instance, as of May 2017, Monero’s total value was around $425 million, or about 1 percent of bitcoin’s.[13] Moreover, converting Monero into real-world cash is more difficult than with bitcoin. However, this problem might not be as significant in the future if there is more diffusion and competition in crypto-currencies.

Factors Affecting the Propensity to Pay Ransom

According to Elliptic, as of 16 May 2017, four days after WannaCry spread, the amount of ransom paid out by victims to the bitcoin wallet addresses was about $86,000 (46.4 BTC). If everyone infected had paid, the criminals would have received at least $60 million. What they did receive translated to a payout rate of about 0.14 percent.[14] Even after more than a week, the amount paid out did not increase much. Data from Elliptic indicated that, as of 23 May 2017, WannaCry victims had paid less than $120,000 to three bitcoin wallets (www.elliptic.co/wannacry).

Another estimate of the WannaCry impact suggested that as of 15 May 2017, payments had been made by about 190 computers out of approximately 300,000 computers that were believed to be infected.[15] This put the number of computers complying with the extortionists’ demands at 0.06 percent.

So, what factors are associated with this low payout ratio? We summarize some of these key factors in Table 1 and discuss them in detail next.

Table 1. Victim characteristics and situational factors affecting propensity to pay ransom.

Columns: gravity and urgency of the problem (relative to the ransom demanded). Rows: complexity of complying with demands or perceived degree of uncertainty about outcome.

 | Gravity: Low | Gravity: High
Complexity: Low | Cell 1: Likely to have backup and data-retrieval plans in place; more likely to use available fixes; unaffordable ransom (as with students in China) | Cell 2: High degree of readiness to pay ransom (mission-critical digital data is threatened)
Complexity: High | Cell 4: Often new users; might use older technologies and pirated software (for example, most computer users in India and China); low degree of digitization of values and economic activities | Cell 3: Follow detailed step-by-step instructions provided by extortionists; consult with cybersecurity firms and experts regarding the process and appropriateness of complying with extortionists’ demands

Complexity of Complying with Extortionists’ Demands

First, the amount of money the WannaCry extortionists asked their victims to pay—$300 to $600—is not high. Rather, one key reason why victims do not pay is that complying with the extortionists’ demands can be complicated. This is because the idea of crypto-currency is a new concept for many victims. Furthermore, attaining bitcoins is not easy. It can take days to create an account by registering with a bitcoin brokerage or exchange. Users are required to go through a verification process. The account then needs to be connected to a bank account able to receive bitcoins.[16]

Second, consider this problem for non-US countries. In some countries, exchanges that handle bitcoin transactions are licensed and regulated like traditional money transfer businesses. It is reported that as of May 2016, there were around 44 exchanges worldwide for bitcoins.[17] The first Malaysian Bitcoin Exchange, Xbit Asia, was opened in September 2016 (bit.ly/2v8clcs). Before that, most Malaysians who wanted bitcoins got them through exchanges in Singapore.[17] Likewise, to purchase bitcoins in India, a buyer needed to provide a permanent account number (or PAN, a unique, 10-digit alphanumeric identity assigned to a taxpayer by the Income Tax Department) and know-your-customer (KYC) details.[18] Loading a bitcoin wallet through startups such as Zebpay, Coinsecure, and Unocoin can take 48 hours. Bitcoin transactions are currently a regulatory grey area of economic activity in India and are also considered taboo. The three-day deadline for the WannaCry ransom payments was thus too short for most Indian victims.

Countries that do not have bitcoin brokerages or exchanges add further complexity. As was the case with Malaysian consumers before 2016, money had to be converted into another currency before being deposited into a bitcoin wallet.

Still another source of complexity is that victims lack control over the extortionists’ guarantees. There is no guarantee of data unlock even if victims pay.[19] According to a 2016 Fortinet report, about a quarter of organizations that paid ransoms were not able to recover their data.[18] Recent WannaCry victims are believed to be in a worse situation. According to the Israeli computer security consultancy Check Point, due to a fault in WannaCry’s encryption software, it is almost impossible to decrypt a user’s data after payment has been made.[20]

A further complexity arises from the fact that most cyber-liability insurance policies have exclusion and cooperation clauses that prohibit businesses from paying ransoms without pre-approval. If a victim fails to comply and pays the ransom, insurers might cancel the insurance coverage, including the costs of disruptions to the business, remediation expenses, and costs associated with notifying customers.[21]

Gravity of the Problem

Extortionists might threaten that if victims fail to pay after a specified time interval, their files will be permanently locked—that is, the data is not coming back. This becomes a terrible problem for those who do not back up their data. If one victim faces more severe consequences than others, they might be more likely to pay out. For instance, it was reported that extortionists held an Austrian hotel network for ransom, demanding $1,800 in bitcoin. The gravity of the situation became clearer when the guests could not check in and out and were locked out of their rooms. The hotel complied, and paid.[22]

Combined Factors

We now look at each of Table 1’s four cells in detail.

Cell 1. Larger organizations will likely have data retrieval plans in place.[23] Ransomware attacks should have smaller impacts on them, so ransom payments might not occur. Furthermore, following the WannaCry ransomware attack, Microsoft published a patch for operating systems for which it was no longer providing support. They included Windows XP, Windows Server 2003, and Windows 8.[24] Larger organizations should be technically savvy enough to implement these available fixes quickly.

Cell 2. If critical data is at risk, organizations in this situation should realize that they require a higher degree of immediate response. One study reported that 33 percent of UK corporations had bought bitcoins so that they would be prepared to pay ransoms. More than 35 percent of large firms (with more than 2,000 employees) were willing to pay as much as £50,000 (US$65,000) to unlock files containing critical data, such as intellectual property.[25] And a university in the US reportedly created an account to be prepared for ransomware attacks.[7]

Cell 3. Extortionists might operate call centers to offer technical support to simplify the payout process for victims.[2] There are reports that when victims call, extortionists will walk them through the process of getting their files back.[20] Criminals can provide detailed explanations about attaining bitcoins and then transferring them. From the extortionists’ standpoint, such services are likely to be effective for situations represented by cell 3, which have both high complexity and high gravity.

However, some organizations might lack cybersecurity expertise and experience in dealing with cyberattacks such as those involving ransomware. It is suggested that 85 percent of US medical institutions lack qualified personnel to perform basic cybersecurity tasks, such as patching software and monitoring threats.[26]

Cell 4. Most users from developing countries belong to cell 4. Pirated software in developing countries arguably accelerates the spread of ransomware.[27] About 4,000 of the 40,000 institutions affected by WannaCry in China were universities. Concerns were raised about students being unable to access their work.[19] However, the amount asked by the extortionists—$300 to $600—was too expensive for most students.[23]

At the time of this writing, another attack, known as Petya, occurred, impacting the Ukraine government’s banks and electricity grid, as well as other countries and corporations (bit.ly/2uec6t0). One frightening aspect here is that these attacks are mainly on computers, not devices. It is not far-fetched to imagine future scenarios in which devices such as pacemakers and infusion pumps become targets—for example, pay now, or your insulin pump will be turned off.

The growth in ransomware is one of the “darker” activities created by the diffusion of crypto-currencies. Crypto-currency is too complicated for many computer users to understand. And even if they are willing to pay, victims might not know where to start or how to navigate the process. However, IT professionals need to learn about crypto-currencies and blockchain. Crypto-currencies and ransomware are not going away. By employing more sophisticated modus operandi, more resourceful and skilled extortionists will increase their success rates. IT professionals need to understand this space and how to help their organizations address it when it occurs.

References

1. “Bitcoin a Favourite of Ransomwares—Cyber Extortion to Shoot Up if Govts Don’t Act Soon,” Moneycontrol.com, 27 Apr. 2017; bit.ly/2qiMSrr.

2. A. Mizrahi, “Hackers Release New TV Episodes after Netflix Refuses to Pay Bitcoin Ransom,” Finance Magnates, 5 Apr. 2017; bit.ly/2uvagDL.

3. “North Korean Hackers Behind Global Cyberattack?” CBS News, 16 May 2017; cbsn.ws/2qnYHjt.

4. J. Berr, “‘WannaCry’ Ransomware Attack Losses Could Reach $4 Billion,” CBS News, 16 May 2017; cbsn.ws/2rluoXx.

5. “WannaCry Outbreak: Ransom Payments Reach $64,000, Around 48,000 Attack Attempts in India,” Moneycontrol.com, 19 May 2017; bit.ly/2pQaio5.

6. K. Collins, “Inside the Digital Heist that Terrorized the World—and Only Made $100k,” Quartz, 21 May 2017; bit.ly/2qO0e0e.

7. T. Simonite, “Companies Are Stockpiling Bitcoin to Pay Off Cybercriminals,” MIT Tech. Rev., 7 June 2016; bit.ly/1YeQSpU.

8. E. Chan and S. Kim, “Cybersleuths Unearth More Clues Linking WannaCry to North Korea,” Bloomberg News, 23 May 2017; bloom.bg/2v9Hbzt.

9. Deep Shift Technology Tipping Points and Societal Impact Survey Report, World Economic Forum, Sept. 2015; bit.ly/1KlN8ZR.

10. R. Huckstep, “What Does the Future Hold for Blockchain and Insurance?” Daily Fintech, 14 Jan. 2016; bit.ly/2dRLBkz.

11. J. Titcomb, “Bitcoin Surveillance Firm Elliptic Raises $5M as Banks Push into Blockchain,” The Telegraph, 20 Mar. 2016; bit.ly/1T3SBwc.

12. S. Usborne, “Digital Gold: Why Hackers Love Bitcoin,” The Guardian, 15 May 2017; bit.ly/2qlaMW2.

13. “Bitcoin’s Murkier Rivals Line Up to Displace it as Cybercriminals’ Favorite,” Fortune, 18 May 2017; for.tn/2qY6kOv.

14. “Bitcoin Tracker: WannaCry Doesn’t Pay,” Pymnts.com, 19 May 2017; bit.ly/2ucjLby.

15. S. Petulla, “Ransomware Attack: This Is the Total Paid and How the Virus Spread,” NBC News, 15 May 2017; nbcnews.to/2wi3bIR.

16. “Few Victims Are Paying Hackers Because Using Bitcoin Is Hard,” Newsmax, 15 May 2017; nws.mx/2v9WnN6.

17. B.K. Sidhu, “Should You Stock Up on Bitcoins to Pay for Future Ransomware Attacks?” The Star, 19 May 2017; bit.ly/2qHMjul.

18. A. Sarkhel and N. Christopher, “Indian Companies WannaCry over Bitcoin Payments Too,” Economic Times, 17 May 2017; bit.ly/2ryiGcd.

19. M. Scott and N. Wingfield, “Hacking Attack Has Security Experts Scrambling to Contain Fallout,” New York Times, 13 May 2017; nyti.ms/2pJnD0I.

20. “WannaCry Should Make People Treat Cyber-Crime Seriously,” Economist, 20 May 2017; econ.st/2r0g3Uv.

21. M. Scott and N. Perlroth, “With Ransomware, It’s Pay and Embolden Perpetrators, or Lose Precious Data,” New York Times, 17 May 2017; nyti.ms/2pNWizm.

22. “Hotel Ransomed by Hackers as Guests Locked Out of Rooms,” The Local, 28 Jan. 2017; bit.ly/2v9wjlb.

23. P. Mozur, M. Scott, and V. Goel, “Victims Call Hackers’ Bluff as Ransomware Deadline Nears,” New York Times, 19 May 2017; nyti.ms/2ryx4SM.

24. M. Kan, “Old Windows PCs Can Stop WannaCry Ransomware with New Microsoft Patch,” PC World, 15 May 2017; bit.ly/2wirIx8.

25. A. Mizrahi, “33% of UK Firms Are Buying Bitcoin in Anticipation of Cyber Attacks,” Finance Magnates, 6 Aug. 2016; bit.ly/2v7t4wb.

26. “WannaCry Attack Is Good Business for Cyber Security Firms,” Fortune, 19 May 2017; for.tn/2q4GpRa.

27. P. Mozur, “China, Addicted to Bootleg Software, Reels from Ransomware Attack,” New York Times, 15 May 2017; nyti.ms/2wi5ATT.

Nir Kshetri is a professor of management in the Bryan School of Business and Economics at the University of North Carolina at Greensboro. Contact him at [email protected].

Jeffrey Voas is a cofounder of Cigital and Computer’s Cybertrust column editor. He’s an IEEE Fellow. Contact him at [email protected].


about attaining bitcoins and then transferring them. From the extortionists’ standpoint, such services are likely to be effective for situations represented by cell 3, which have both high complexity and high gravity.

However, some organizations might lack cybersecurity expertise and experience in dealing with cyberattacks such as those involving ransomware. It is suggested that 85 percent of US medical institutions lack qualified personnel to perform basic cybersecurity tasks, such as patching software and monitoring threats.26

Cell 4. Most users from developing countries belong to cell 4. Pirated software in developing countries arguably accelerates the spread of ransomware.27 About 4,000 of the 40,000 institutions affected by WannaCry in China were universities. Concerns were raised about students being unable to access their work.19 However, the amount asked by the extortionists—$300 to $600—was too expensive for most students.23

At the time of this writing, another attack, known as Petya, occurred, impacting the Ukraine government’s banks and electricity grid, as well as other countries and corporations (bit.ly/2uec6t0). One frightening aspect here is that these attacks are mainly on computers, not devices. It is not far-fetched to imagine future scenarios in which devices such as pacemakers and infusion pumps become targets—for example, pay now, or your insulin pump will be turned off.

The growth in ransomware is one of the “darker” activities created by the diffusion of crypto-currencies. Crypto-currency is too complicated for many computer users to understand. And even if they are willing to pay, victims might not know where to start or how to navigate the process. However, IT professionals need to learn about crypto-currencies and blockchain. Crypto-currencies and ransomware are not going away. By employing more sophisticated modus operandi, more resourceful and skilled extortionists will increase their success rates. IT professionals need to understand this space and how to help their organizations address it when it occurs.

References

1. “Bitcoin a Favourite of Ransomwares—Cyber Extortion to Shoot Up if Govts Don’t Act Soon,” Moneycontrol.com, 27 Apr. 2017; bit.ly/2qiMSrr.

2. A. Mizrahi, “Hackers Release New TV Episodes after Netflix Refuses to Pay Bitcoin Ransom,” Finance Magnates, 5 Apr. 2017; bit.ly/2uvagDL.

3. “North Korean Hackers Behind Global Cyberattack?” CBS News, 16 May 2017; cbsn.ws/2qnYHjt.

4. J. Berr, “‘WannaCry’ Ransomware Attack Losses Could Reach $4 Billion,” CBS News, 16 May 2017; cbsn.ws/2rluoXx.

5. “WannaCry Outbreak: Ransom Payments Reach $64,000, Around 48,000 Attack Attempts in India,” Moneycontrol.com, 19 May 2017; bit.ly/2pQaio5.

6. K. Collins, “Inside the Digital Heist that Terrorized the World—and Only Made $100k,” Quartz, 21 May 2017; bit.ly/2qO0e0e.

7. T. Simonite, “Companies Are Stockpiling Bitcoin to Pay Off Cybercriminals,” MIT Tech. Rev., 7 June 2016; bit.ly/1YeQSpU.

8. E. Chan and S. Kim, “Cybersleuths Unearth More Clues Linking WannaCry to North Korea,” Bloomberg News, 23 May 2017; bloom.bg/2v9Hbzt.

9. Deep Shift Technology Tipping Points and Societal Impact Survey Report, World Economic Forum, Sept. 2015; bit.ly/1KlN8ZR.

10. R. Huckstep, “What Does the Future Hold for Blockchain and Insurance?” Daily Fintech, 14 Jan. 2016; bit.ly/2dRLBkz.

11. J. Titcomb, “Bitcoin Surveillance Firm Elliptic Raises $5M as Banks Push into Blockchain,” The Telegraph, 20 Mar. 2016; bit.ly/1T3SBwc.

12. S. Usborne, “Digital Gold: Why Hackers Love Bitcoin,” The Guardian, 15 May 2017; bit.ly/2qlaMW2.

13. “Bitcoin’s Murkier Rivals Line Up to Displace it as Cybercriminals’ Favorite,” Fortune, 18 May 2017; for.tn/2qY6kOv.

14. “Bitcoin Tracker: WannaCry Doesn’t Pay,” Pymnts.com, 19 May 2017; bit.ly/2ucjLby.

15. S. Petulla, “Ransomware Attack: This Is the Total Paid and How the Virus Spread,” NBC News, 15 May 2017; nbcnews.to/2wi3bIR.

16. “Few Victims Are Paying Hackers Because Using Bitcoin Is Hard,” Newsmax, 15 May 2017; nws.mx/2v9WnN6.

17. B.K. Sidhu, “Should You Stock Up on Bitcoins to Pay for Future Ransomware Attacks?” The Star, 19 May 2017; bit.ly/2qHMjul.

18. A. Sarkhel and N. Christopher, “Indian Companies WannaCry over Bitcoin Payments Too,” Economic Times, 17 May 2017; bit.ly/2ryiGcd.

19. M. Scott and N. Wingfield, “Hacking Attack Has Security Experts Scrambling to Contain Fallout,” New York Times, 13 May 2017; nyti.ms/2pJnD0I.

20. “WannaCry Should Make People Treat Cyber-Crime Seriously,” Economist, 20 May 2017; econ.st/2r0g3Uv.

21. M. Scott and N. Perlroth, “With Ransomware, It’s Pay and Embolden Perpetrators, or Lose Precious Data,” New York Times, 17 May 2017; nyti.ms/2pNWizm.

This article originally appeared in IT Professional, vol. 19, no. 5, 2017.


DEPARTMENT: PERVASIVE HEALTHCARE

Semantic Activity Analytics for Healthy Aging: Challenges and Opportunities

As real-life activity data from many aging individuals become available, insights gleaned from such data could be leveraged to foster healthy aging. The emerging field of semantic activity analytics is addressing this challenge.

The World Health Organization (WHO) and its member states are actively promoting a global paradigm shift in healthy aging research from a disease focus to a contextualized person focus.1 WHO’s new Healthy Aging definition is, in effect, a dynamic system model and requires understanding how—within individual persons and over time—brain structures, physiology, skills, personality traits, impairments, activities, and environmental contexts interact to allow the optimization and stabilization of health and wellbeing. To study these complex relationships and inform older individuals and healthcare providers about actions needed to improve healthy aging requires new ways of capturing and analytically integrating high-density, within-person activity and context data from large groups of individuals.

Advances in measurement technology now make it feasible to combine the acquisition and analysis of high-density data on real-life activity outcomes with individual data on multiple psychological and biological functions, skills, impairments, and contexts, perhaps for millions of older individuals. Research investments to establish an individualized evidence architecture that integrates data on abilities, traits, impairments, activities, and environmental exposures into reliably and validly measurable health outcomes on the individual and population level will help support the new healthy aging paradigm. This evidence architecture would harness the benefits afforded by these integrated data, leading toward the optimization of older adults’ health and wellbeing around the world. The rapid build-up of analytical capacities for developing and testing causal dynamic health models will allow researchers to upscale analytical models from one person to large populations.

Mike Martin University of Zurich and Collegium Helveticum

Robert Weibel University of Zurich

Christina Röcke University of Zurich

Steven M. Boker University of Virginia

Department Editors: Gabriela Marcu; [email protected]

Jesus Favela; [email protected]


SEMANTIC ACTIVITY ANALYTICS

The key to leveraging high-density multiscale health activity data is semantic activity analytics, which automatically interprets real-life data streams with respect to their health value in given contexts. In fact, semantic activity analytics is at the core of a new understanding of “contextualized health.” Real-life activity data will be useful if the health- and aging-related information can be extracted easily, quickly, affordably, safely, and comprehensively. One important aspect of semantic activity analysis is creating visual or numerical representations of the activity data and making these accessible to the individuals who collected them, healthcare providers, and governments to better inform their decisions. Examples include the step count at the end of a day, heat maps of locations frequently visited, or barcodes representing a sequence of physical or social activities.2,3

Experimentally controlled cross-sectional and longitudinal studies have characterized old age by declines in physical abilities, general physical fitness, or maximum motor performance. These studies have demonstrated the association between levels of physical fitness and levels of cognitive abilities and wellbeing. In addition, many experimentally controlled studies have shown that physical ability training improves physical and cognitive abilities in older adults.4 It can also be demonstrated that enriched environments allowing engagement in activities that activate physical skills are beneficial for the longitudinal maintenance of physical fitness and wellbeing of older individuals. Thus, physical activities and mobility that allow individuals to achieve desired outcomes, such as functional mobility, are clearly of central importance to the health of older persons. Interestingly, the existing literature has mostly examined physical abilities and a number of physical activity indicators to predict health impairments on a population level, but it has not often integrated the full range of other real-life activities in all domains of life, such as cognitive, social, and mobility activities, to predict health stabilization on an individual level. However, the range, intensity, frequency, regularity, duration, variation, and contexts of real-life physical activities differ enormously among persons and could be uncorrelated with the maximum ability of an individual. Thus, due to a lack of instruments to measure real-life mobility activities in older persons, there is a large gap in our knowledge about older adults’ mobility in real-life environments.

EXTRACTING USEFUL HEALTH PARAMETERS FROM HIGH-DENSITY ACTIVITY MEASUREMENTS

In line with WHO guidelines,6 we recommend establishing a research initiative for the development and validation of healthy-aging-related indicators from core activity domains such as physical activity, social activity, and cognitive activity that provide quick information on the health of individuals and populations.

As an example of data that can be used to quickly learn about health-relevant aspects of behavior, consider physical activity barcodes. In one study,2 researchers used three body-mounted sensors to assess 16 different states of physical activities of 80-year-olds with and without severe chronic pain each second for five days, amounting to 120,000 measurements of physical states in each person. After translating these data into a barcode-like pattern, the researchers extracted several parameters: the number of different activities, the intensity of physical activities over any given interval of time, and the range from lowest to highest intensity over the observation period. These were typical activity parameters with the added value of 97 percent accurate determination of what individuals actually did (versus 50–80 percent for typical self-reported data). But there was an additional advantage: the sequences themselves could be examined. For instance, the randomness or entropy of the sequence of activities over the five days could be calculated and validated for health-related meaning. The study reported that 80-year-olds with severe pain have a highly predictable, regular, nonrandom pattern of physical activities, whereas nonpain individuals have a much more random pattern of physical activities. This is because individuals with severe pain try to be physically active despite the pain but also purposefully rest at specific times, whereas individuals unlimited by pain can respond to the randomly occurring activity opportunities in their environment.

With inexpensive sensor technology for data acquisition and the entropy parameter applied to physical activity barcodes, there is an affordable measure of physical health activities that can be used to detect increases and decreases in desired physical activity patterns person by person and for large groups of individuals. It could potentially also be used to assess the action opportunities in a given environment; with few action opportunities, even pain-free persons will show a less random pattern of activities.
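The barcode parameters described above can be sketched in a few lines. This is an added illustration, not code from the cited study or from the article: the entropy measures (Shannon entropy of state frequencies and first-order transition entropy), the assumption that state codes are ordered by intensity, the function names, and both sample sequences are constructed for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(counts):
    """Shannon entropy, in bits, of the distribution given by a Counter."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def barcode_parameters(states):
    """Summarise a per-second sequence of activity-state codes.

    Assumption: each code is an integer that orders the states by
    intensity (0 = lowest), so max - min is the intensity range.
    """
    if len(states) < 2:
        raise ValueError("need at least two samples to examine transitions")
    state_counts = Counter(states)
    # H(next | current) = H(current, next) - H(current), both estimated
    # over the same n-1 transitions. Low values mean a predictable sequence.
    pair_counts = Counter(zip(states, states[1:]))
    current_counts = Counter(states[:-1])
    transition_entropy = shannon_entropy(pair_counts) - shannon_entropy(current_counts)
    return {
        "distinct_states": len(state_counts),
        "intensity_range": max(states) - min(states),
        "state_entropy_bits": shannon_entropy(state_counts),
        "transition_entropy_bits": max(0.0, transition_entropy),
    }


def constructed_scheduled_sequence(cycles=50):
    """Constructed sample: a fixed routine of 60 s rest, 30 s activity at
    level 5, 30 s activity at level 2, repeated without variation."""
    return ([0] * 60 + [5] * 30 + [2] * 30) * cycles


def constructed_opportunistic_sequence(n=6000, seed=7):
    """Constructed sample: each second's state drawn uniformly from 16
    states, standing in for activity driven by chance opportunities."""
    rng = random.Random(seed)
    return [rng.randrange(16) for _ in range(n)]


if __name__ == "__main__":
    for name, seq in (
        ("scheduled", constructed_scheduled_sequence()),
        ("opportunistic", constructed_opportunistic_sequence()),
    ):
        params = barcode_parameters(seq)
        print(name, {k: round(v, 3) for k, v in params.items()})
```

The scheduled sequence scores far lower on transition entropy than the opportunistic one, which is the direction of the contrast the study reports between the pain and nonpain groups.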

EXTRACTING USEFUL HEALTH INDICATORS IN PARTICULAR DOMAINS

A similar approach can be used for a wide range of real-life mobility data. Applying geographic information system (GIS) methods and the highly frequent measurement of space use and motor activities, one can derive health-relevant parameters. Potentially relevant space use constructs include probability maps, buffer zones, deviations from predicted paths, points of interest and frequency of visits, roaming entropy, and sequence analyses.5 One can derive space use and macro mobility from GPS tracks, and motor activities and micro mobility from accelerometer data. Comparing actual space use with the potential path area will indicate the extent to which available environments are used. The GPS tracks can be segmented and related to points of interest (home, amenities, and so on) to extract frequently (or rarely) visited places. Based on the detected features of interest, it is possible to evaluate the use of roaming entropy to measure the extent of exploratory behavior. Combining such parameters derived from real-life activity data with existing laboratory measurements and well-established measurements of health-related abilities, traits, or impairments will validate the usefulness of particular parameters as population-level indicators of healthy aging.

With increasing availability of affordable sensor technology and storage and computational power, the acquisition of real-life activity data and their rapid preprocessing and parameterization can be applied in large numbers of individuals. For instance, physical activity barcoding entropy parameters applied to physical activity measurements of thousands of individuals could be a highly affordable way of assessing the effects of interventions on real-life activities.

A similar approach could be applied to other types of activity sequences, including social activities, cognitive activities, or a combination of different activities. It has to be stressed that the search for regularities or regular patterns that correlate with health outcomes does not suffice, because this step is about extracting information that is causally linked to healthy aging—thus the term “semantic analytics.” As high-density, real-life activity data can only be semantically interpreted in relation to environments and opportunities provided in the environments, and the theoretical models needed cannot be derived from the associations or grouping of data alone, the development of meaningful parameters is practically a new science. It combines engineering approaches with interdisciplinary expertise, and high levels of methodological skills with theoretical causal thinking.

To know what parameters could potentially be useful and to test their usefulness in real-life environments requires the development of interpretation and analytical models for health-related activities. As activities have rarely been empirically studied in healthy aging research so far, we recommend building computational capacity for such research through the development of these parameters; this is best done with research groups combining expertise from users, engineering, information science, health sciences, longitudinal multilevel analysis methodology, and particular fields of application such as pain or multimorbidity in older adults.

FUNCTIONAL ABILITY PROFILES

Semantic activity analytics could be integrated in functional ability profiles including all elements of WHO’s 2015 Healthy Aging definition—for example, a functional mobility ability profile, a functional social ability profile, or a functional cognitive ability profile. On the individual level, these profiles would typically combine standard assessment tools of abilities, traits, impairments, contexts, and their interactions with new standard, real-life activity and activity context parameters. In addition, they can be combined with individual-specific information in a standardized way, including individual health priorities or particular idiosyncratic activity and context parameters. This is the prerequisite for systematically individualizing interventions. Coordinated research involving stakeholders will lead to the development and validation of core functional ability profiles usable in the whole population of old adults. Jointly developing procedures on how to use them would ensure understanding, acceptability, and establishment as standard assessment tools for healthcare in the aging population.

An example of such an individualized intervention, based on skills or traits, comes from new work on trait-based targeting and tailoring. Using personality traits as an example, we can build practical tools to improve patient outcomes by creating risk models based on prior studies of personality traits predicting patient and health outcomes. These form the basis of a risk-scoring algorithm indexing the likelihood of these outcomes in new sets of patients. Risk scores can inform physicians and other health providers of the chances of a given outcome, allowing enhanced resources (for example, medication reminders, follow-up calls, and more frequent doctor visits) to be directed toward higher-risk patients. This individualization or personalization of health interventions can be done electronically, with mobile health (mHealth) or electronic health (eHealth) applications such as healthcare software and health apps for smartphones or tablets. Moreover, such individualized interventions can be based on any of the variables mentioned above: personality traits, skills, physiology or biomarkers, activities, impairments, or individual differences in contextual variables.

Ultimately, the functional ability profiles allow fingerprinting of individual-level healthy aging on a population scale. This can be achieved by measuring and combining in each individual in a population three types of core elements: internationally useable core elements, country- or group-specific core elements, and individual-specific core elements. Developing and providing measurement tools to reliably and rapidly assess core functional ability profiles on a population level is required to assess healthy aging and the effects of interventions on it.

CONCLUSION

For diagnosticians, clinicians, researchers, and older adults, their relatives, or their healthcare providers, reliable information on real-life physical and mobility activity patterns and their interpretation has the potential of adding highly valuable information to existing clinical and laboratory-based ability and impairment measures. Combining these types of information in individual mobility profiles improves the basis for health-related decisions about what to do in order to maintain an individual’s wellbeing. The activity measurement also has the potential of being used as an outcome measure to determine the effectiveness of interventions targeting the mobility of individuals.

ACKNOWLEDGMENTS

Steven M. Boker was supported by the Initiative for the Dynamics of Health Development (IDHD). Mike Martin, Robert Weibel, and Christina Röcke were supported by the University of Zurich Research Priority Program “Dynamics of Healthy Aging” and Velux Stiftung grant 917. Martin was also supported by Collegium Helveticum. The article is based on a report for WHO by Martin and several coauthors. None of the authors of this article has a conflict of interest.


REFERENCES

1. World Report on Ageing and Health, World Health Organization, 2015.

2. A. Paraschiv-Ionescu et al., “Barcoding Human Physical Activity to Assess Chronic Pain Conditions,” PLOS One, vol. 7, no. 2, 2012; https://doi.org/10.1371/journal.pone.0032239.

3. D.B. Richardson et al., “Spatial Turn in Health Research,” Science, vol. 339, no. 6126, 2013, pp. 1390–1392.

4. S. Colcombe and A.F. Kramer, “Fitness Effects on the Cognitive Function of Older Adults: A Meta-Analytic Study,” Psychological Science, vol. 14, no. 2, 2003, pp. 125–130.

5. U. Demšar et al., “Analysis and Visualisation of Movement: An Interdisciplinary Review,” Movement Ecology, vol. 3, no. 5, 2015; https://doi.org/10.1186/s40462-015-0032-y.

6. M. Martin et al., Intrinsic Capacity and Functional Ability—How to Operationalize It through the Use of Individual Data, Criteria for Measurement, Data Standards and Use in Modelling Outcomes of Interest, and Key Gaps, pending publication.

ABOUT THE AUTHORS

Mike Martin is a professor of psychology of aging and gerontology, co-director of the University of Zurich Research Priority Program “Dynamics of Healthy Aging” and the Digital Society Initiative (DSI), and a Collegium Helveticum fellow. Contact him at [email protected].

Robert Weibel is a professor of geographic information systems at the University of Zurich. Contact him at [email protected].

Christina Röcke is co-director and senior research group leader at the University of Zurich Research Priority Program “Dynamics of Healthy Aging.” Contact her at [email protected].

Steven M. Boker is a professor and area head of quantitative psychology and director of the Human Dynamics Lab at The University of Virginia. Contact him at [email protected].

This article originally appeared in IEEE Pervasive Computing, vol. 17, no. 3, 2018.


Editor: André StorkGraphically Speaking

Experiencing the Sights, Smells, Sounds, and Climate of Southern Italy in VRVito M. Manghisi, Michele Fiorentino, Michele Gattullo, Antonio Boccaccio, Vitoantonio Bevilacqua, Giuseppe L. Cascella, Michele Dassisti, and Antonio E. UvaPolytechnic University of Bari

In many regions tourism is an important, if not the most important, driver for employment. As long-distance travel has become more af-

fordable, such regions have increasingly competed against one another to attract tourists. Histori-cally, countries and regions have used TV and magazine advertisements to increase tourism. As VR devices become less expensive and more com-monplace, VR promotions that showcase a region’s various attractions will have greater impact.

This article explores what it takes to make interactive computer graphics and VR attractive as a promotional vehicle, from the points of view of the tourism agencies and the tourists themselves. Specifically, in response to a call from local authorities seeking to increase the tourism appeal of the Apulia region in southern Italy, we proposed an alternative approach to traditional tourism marketing and advertising efforts (a physical stand containing only videos looping on a screen, leaflets, and local personnel). Our ambition was to exploit current VR and human-machine interface (HMI) technologies to design and provide an interactive, innovative, and attractive user experience that we call the Multisensory Apulia Touristic Experience (MATE).

Why the Apulia Region Needs VR

Apulia is a charming region located in the far southeast area of Italy. A narrow peninsula referred to as the “heel” of Italy’s “boot,” it is surrounded by sea and has a population of about 4 million inhabitants. Thanks to its extraordinary culture, history, and natural landscapes, this land has great tourism potential. However, Apulia’s economy is weak compared to the rest of Italy (17.70K Euros gross domestic product [GDP] per inhabitant versus 32.20K Euros in northwest Italy in 2014).1 Regional authorities have recently promoted tourist activities and obtained positive results: a 4.5 percent increase in Italian tourists and a 13 percent increase in international visitors in 2016.

Despite this success, the region is still far less known than other Italian destinations. The local authorities are exploring new ways to promote it and have agreed to invest in application-oriented VR research.

Therefore, our main objective is to design and develop an innovative system able to share Apulia’s cultural heritage in an engaging and multisensory experience. We began by implementing a test case that follows a scenic trip through Apulia’s Murgia territory to showcase its hidden cultural treasures, local scents, and mild climate.

Inspirations and Ambitions

Studies have shown that virtual environment (VE) applications can effectively promote tourism.2,3 These applications create a sense of presence, and this sense of “being there” is known to be the result of two psychological states: immersion and involvement.4 Related literature has proven that the sense of presence in VEs grows with the number of senses engaged5–7 and with the level of agreement among them.

We drew our inspiration from Sensorama,8 a multisensory VE system invented in the 1960s by Mort Heilig (see Figure 1). Sensorama is a motorbike simulator that allows the user to sit on a real saddle and experience an interactive ride with stereoscopic vision, 3D sound, vibrations, wind, and smells. This extremely innovative idea failed when it was developed because of the technical immaturity of the technologies involved and financial issues.


As VR systems evolved, the number of senses embraced by VEs increased. The Multimodal Floor9 produces a virtual walk in which users walk on a real mobile floor that mimics a natural surface, such as snow or ice, with visual, audio, and haptic feedback. Yasushi Ikei and his colleagues later developed the FiveStar,10 an interactive personal display consisting of a stereo visual, 3D audio, haptic/tactile, wind/scent, and vestibular display. Jorge Freitas and his colleagues proposed a multisensory management and visualization system for multisensory content.11 It provides visual, auditory, haptic, and olfactory feedback as well as an interface that lets users author the virtual experience by defining the timestamps that indicate when to stimulate each sense.

MATE Design

We designed MATE as a virtual tour in collaboration with industrial partners and local tourism authorities, who played an active part in defining the system’s requirements and features. One of the main design requests was to build a mobile platform that could be relocated to various promotional events all over Europe, such as public exhibitions and fairs. Also, to minimize the operating costs, the system needed to be simple enough that it could be run by a small number of unqualified staff.

Therefore, we installed the system inside a 20-foot container that is divided into two main areas: the control room and the user experience zone (see Figure 2). The control room hosts the main PC, the ambient control unit (ACU), and the power management. The user experience area is about 12 square meters and can host four to six visitors simultaneously.

Figure 1. Sensorama: (a) illustration from the patent (US 3050870) by Morton Heilig and (b) the product advertisement from the 1960s. (Courtesy of Scott Fisher’s Telepresence)

Figure 2. Multisensory Apulia Touristic Experience (MATE) mobile container configuration: (a) installed systems in the user experience zone and the control room and (b) a photo of the control room. (Labeled components: odor diffusers, 3D audio, display wall, Kinect v2, infrared heater panels, air conditioning, water nebulization system, power management system, entrance, control room, and user experience area.)

To allow MATE visitors to see, hear, feel, and smell the real Apulia, we asked ourselves what could be added to the visual feed to deliver a unique, surprising experience. Our goal was to trigger a memorable event for the users.

To do so, MATE enhances the user experience by providing olfactory and climatic stimuli. As users take the tour and enter a new scene, the humidity, lighting, and ambient scents change accordingly. To convey the olfactory stimuli, we used an array of odor diffusers using the Solid Fragrance Release (SFR) system from Oikos Fragrances. Odors are delivered using a ventilation fan in the mobile container.

Unlike traditional technologies based on evaporation, combustion, or spraying processes, the diffusion is based on solid-state activation. This process lets us modulate and control the release of the olfactory note, keeping the original qualitative characteristics of the fragrance while maintaining the transmission of the desired olfactory message.

To control the climate conditions, we used an oversized air conditioning system (Daikin SARARA FTXZ50N/RXZ50N KLIC-DD KNX FTXZ50NV1B, 5.8 kW cooling, 9.2 kW max heating power), a 400 W infrared heating panel (Infrapower IPW400), a water nebulization system, and an aspirator (EVVOK1 mod. 250 by Erre.Gi. srl). The climate condition system allows for rapid temperature and humidity changes, ranging from 15°C to 30°C and from 40 to 60 percent, respectively. We implemented the water nebulization system to simulate rain and fog using six mini-drop emitters mounted on the ceiling and an 800 W pump. The aspirator (with a flow rate of 500 cubic meters per hour) rapidly cleans the air to allow for fast scent and climate changes. Furthermore, an intensity and RGB-color-controlled lighting system provides variable lighting conditions.

For the visual stimuli, we chose 2D rather than 3D footage for the virtual tour. There were many reasons for this choice, but the most important was to avoid the cyber-sickness effect.12 Cyber-sickness can cause discomfort and even vertigo when the users are standing in a restricted environment, which could cause visitors to fall or cause other potentially dangerous situations. In our tests, we encountered a high rate of cyber-sickness among casual users with short or no training time and when the point of view could not be controlled individually. As a second consideration, the added value enabled by 3D depth perception is limited in virtual tours consisting of mostly landscapes and confined places.

Other solutions, such as the currently available autostereoscopic displays, may diminish the visual quality. In addition, 3D goggles or head-mounted displays (HMDs) lead to practical problems, such as the time to fit and adjust the devices (especially if the users wear glasses), eye distance calibration, device sensitivity to the moisture introduced by our climate condition system, risk of theft, hygiene, and user isolation.

Ultimately, we mounted a professional 85-inch ultra-high definition (UHD) LED monitor (Samsung QM85D) to the wall at one end of the visitor area. The screen is connected to a desktop PC hidden in the control room and is able to render 4K resolution tours at approximately 120 Hz and to generate 3D stereo sound. The audio is provided by a 5.1 channel surround system (Logitech Z906).

Because MATE must work with people of all ages who are unfamiliar with VR, and even IT technology in general, the user interface design should also be easy to use with minimal training. We wanted to provide a shared group experience for up to six users, in accordance with the communal, familial experience of the visiting site. For reasons similar to those for the goggles (theft and hygiene), we decided not to use physical controllers such as a joystick, glove, or mouse.

We implemented a natural gesture-based interface (see Figure 3). The gesture-detection system is based on the Microsoft Kinect v2 RGB-D sensor, mounted under the screen. Users’ gestures are detected by heuristics that take the joint data from the Microsoft skeleton tracking as input. The interaction is controlled by the “dominant user,” who is detected among the group of visitors as the one closest to the sensor.

Figure 3. MATE gesture-based interface controls. The user closest to the sensor can navigate the virtual tour with five possible commands: gaze direction control, zoom in, zoom out, select hotspot/item, and move to the point of interest.


The users can interact one at a time and take the lead by simply moving forward. To ensure a playful and easy-to-learn experience, we limited the interface to five possible commands: gaze direction control, zoom in, zoom out, select hotspot/item, and move to the point of interest. Our interface is bimanual so it can be operated by both right- and left-handed users. The system detects the “control hand” in real time as the hand held highest. Users can switch their control hand in real time, which has the advantage of unconsciously reducing fatigue and the “gorilla arm effect.”13
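The dominant-user and control-hand rules described above, sketched as an added example that is not the authors' code. The body data shape, the coordinate conventions, and the small switching margin are assumptions introduced here.

```javascript
'use strict';
// Constructed sample in a Kinect-like shape (not SDK output). Assumed conventions:
// camera-space meters, y pointing up, z = distance from the sensor,
// joint state is 'tracked', 'inferred' or 'notTracked'.

const isUsable = (joint) =>
  Boolean(joint) && joint.state === 'tracked' &&
  [joint.x, joint.y, joint.z].every(Number.isFinite);

// Dominant user: the tracked body whose torso joint is closest to the sensor.
function dominantUser(bodies) {
  let best = null;
  for (const body of bodies) {
    if (!isUsable(body.spineBase)) continue; // ignore inferred or missing torsos
    if (best === null || body.spineBase.z < best.spineBase.z) best = body;
  }
  return best;
}

// Control hand: the hand held highest. The current hand keeps its role until the
// other one is higher by marginM (this hysteresis is an assumption added here so
// that two hands at nearly the same height do not make the pointer flicker).
function controlHand(body, current = null, marginM = 0.05) {
  const left = isUsable(body.handLeft) ? body.handLeft : null;
  const right = isUsable(body.handRight) ? body.handRight : null;
  if (!left && !right) return null;
  if (!left) return 'right';
  if (!right) return 'left';
  const higher = left.y > right.y ? 'left' : 'right';
  if (current === null || current === higher) return higher;
  return Math.abs(left.y - right.y) >= marginM ? higher : current;
}

const j = (x, y, z, state = 'tracked') => ({ x, y, z, state });

// One constructed frame with three visitors; 'c' is nearest but only inferred.
const FRAME = [
  { id: 'a', spineBase: j(0.4, 0.0, 2.6), handLeft: j(0.2, 0.3, 2.5), handRight: j(0.6, 0.1, 2.5) },
  { id: 'b', spineBase: j(-0.3, 0.0, 1.4), handLeft: j(-0.5, 0.52, 1.3), handRight: j(-0.1, 0.5, 1.3) },
  { id: 'c', spineBase: j(0.0, 0.0, 0.9, 'inferred'), handLeft: j(0, 0, 0.9), handRight: j(0, 0, 0.9) },
];

function demo() {
  const leader = dominantUser(FRAME);
  return { leader: leader.id, hand: controlHand(leader) };
}
```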

The Apulia tour consists of a set of scenes, each of which is a spherical image of the real site annotated with multimedia content and linked to the others by hotspots. Using the five gesture controls, MATE visitors can interactively navigate 360-degree 2D images during their virtual tour experience.

Authoring System

The MATE system integrates three modules: the display system, the user interface, and the environmental module (see Figure 4). We used the krpano suite (www.krpano.com) as the main framework for implementing the tour. Each virtual scene includes krpano basic functionalities, such as multimedia content (videos and sounds) and static or animated hotspots (active areas to trigger tour events).

One of our main successes was the design of the MATE authoring methodology and a set of utility applications that allow users without programming expertise (such as historians and marketing personnel) to create tours autonomously.

The process starts with a high-level description of the tour that determines the objectives and the targeted users. The next step is media creation and processing, where image and video processing lead to the final digital media content. To help users create spherical scenes, we developed custom scripts using the ImageMagick library (www.imagemagick.org). They can start from different media types: static images (such as overlapped panorama pictures, 360-degree spherical images, or single flat images) and videos (including 360-degree videos). Traditional 2D images and videos can be visualized in a scene of the tour inside pop-up windows, and the author can adjust the sizes. This feature was required because some of the existing media could not be recaptured specifically for this project.

The next step is to define the climate and smell control with a custom XML file using a visual editor. In the final phase, the author links the scenes using hotspots and sets up the transition effects. Smooth transitions are important both to reduce cyber-sickness and improve the overall user experience. An Apache server running on the desktop PC hosts the virtual tour.

Figure 4. Functional scheme of the MATE system. The three modules include the display system, the user interface, and the environmental module. (Diagram labels: natural behavior, VE, web browser, tour.html, WebSocket client, Apache Web server, tour files and folders, gesture detection module, dominant user detector, gesture detector, debug interface, Kinect sensor, Kinect for Windows SDK DLL, depth stream, joints data, mouse events SW-simulator, RPC OS primitives, TCP/IP, display port, control software, WebSocket server, configurator.xml, control unit, scent dispenser array, infrared heaters, air conditioner, aspirator, nebulizer, lighting system, display wall, 3D audio system, and visual, auditory, haptic, and olfactory feedback.)

All the ambient condition changes are triggered by the tour events and are controlled by a dedicated XML configuration file. The file stores all the parameter settings related to the scene’s climate conditions and scents. To enable communication between the tour and the environmental control system, we developed a custom JavaScript function that implements a WebSocket client. It is embedded in the HTML pages of the tour and exchanges messages with a WebSocket server that runs on the environmental control side in a climate control unit (developed by the authors). For each scene transition event, the client sends a message with a payload containing information related to the new scene and the dominant user’s position. The control unit decodes the payload and delivers it to the specific actuators of the environmental changes. To guarantee coherence among stimuli, we calibrated the visual transition between scenes by using automatic timers to anticipate the emissions that have higher latency (such as odors and climate changes).
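One way the control unit could check a scene-transition message before any actuator moves, as an added example that is not the authors' code. The JSON layout, scene names, origin, and latency figures are assumptions; only the 15°C to 30°C and 40 to 60 percent ranges come from the article. Setpoints are read from the unit's own configuration instead of the message, and start times are staggered so that slower stimuli begin earlier.

```javascript
'use strict';
// Added example. Assumed: JSON message layout, scene ids, origin, latencies.
// From the article: the 15-30 degC and 40-60 percent operating ranges.

const LIMITS = { temperatureC: [15, 30], humidityPct: [40, 60] };
const MAX_MESSAGE_CHARS = 512;                          // assumed size cap
const ALLOWED_ORIGINS = new Set(['http://localhost']);  // assumed tour origin

// Constructed stand-in for the per-scene XML configuration file.
const SCENES = {
  murgia_landscape: { temperatureC: 24, humidityPct: 45, scent: 'thyme' },
  rock_crypt: { temperatureC: 12, humidityPct: 70, scent: null }, // outside the ranges on purpose
  bakery: { temperatureC: 28, humidityPct: 50, scent: 'bread' },
};

// Assumed time, in milliseconds, before each stimulus is perceived.
const LATENCY_MS = { climate: 8000, scent: 3000, lighting: 200 };

const clamp = (value, [lo, hi]) => Math.min(hi, Math.max(lo, value));
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const fail = (error) => ({ ok: false, error });

// origin: the Origin header seen during the WebSocket handshake.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Strictly parse one message: {"scene": "<id>", "user": {"x": n, "z": n}}.
function decodeSceneMessage(raw) {
  if (typeof raw !== 'string') return fail('not-text');
  if (raw.length > MAX_MESSAGE_CHARS) return fail('too-large');
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return fail('bad-json'); }
  if (!isPlainObject(msg)) return fail('bad-shape');
  if (Object.keys(msg).some((k) => k !== 'scene' && k !== 'user')) return fail('unknown-field');
  // hasOwnProperty keeps ids such as "constructor" from matching inherited keys.
  if (typeof msg.scene !== 'string' ||
      !Object.prototype.hasOwnProperty.call(SCENES, msg.scene)) return fail('unknown-scene');
  const u = msg.user;
  if (!isPlainObject(u) || !Number.isFinite(u.x) || !Number.isFinite(u.z)) return fail('bad-position');
  return { ok: true, value: { scene: msg.scene, user: { x: u.x, z: u.z } } };
}

// Build actuator commands from local configuration, clamped to the documented
// envelope, with start offsets chosen so every stimulus lands with the visuals.
function planActuation(sceneId, user) {
  const cfg = SCENES[sceneId];
  const setpoints = {
    temperatureC: clamp(cfg.temperatureC, LIMITS.temperatureC),
    humidityPct: clamp(cfg.humidityPct, LIMITS.humidityPct),
    scent: cfg.scent,
  };
  const lead = Math.max(...Object.values(LATENCY_MS));
  const schedule = Object.entries(LATENCY_MS)
    .map(([actuator, latency]) => ({ actuator, startAtMs: lead - latency }))
    .sort((a, b) => a.startAtMs - b.startAtMs);
  return { scene: sceneId, user, setpoints, visualTransitionAtMs: lead, schedule };
}

function handleMessage(origin, raw) {
  if (!isAllowedOrigin(origin)) return fail('origin');
  const decoded = decodeSceneMessage(raw);
  if (!decoded.ok) return decoded;
  return { ok: true, value: planActuation(decoded.value.scene, decoded.value.user) };
}
```

A rejected message leaves the room in its current state; logging the error code alongside the origin gives the operator a record of malformed or unexpected traffic.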

Case Study: The Murgia Experience

Apulia offers a range of attractions, from the unique and remarkable trulli in Alberobello and the magnificent Castel del Monte in Andria (both UNESCO World Heritage Sites) to the crystal-clear waters surrounding the Tremiti Islands and the outdoor adventures that await in the Murgia National Park. The region is soaked in tradition and folklore, and its food and wine specialties are known all over the world. Our effort was to convey all these experiences to MATE visitors.

In particular, as a test case, we chose the Murgia countryside, which suffers from limited public awareness despite its tourism potential. The tour simulates a trip through the Murgia territory to discover its “hidden treasures” (see Figure 5). The natural landscapes portion of the tour surrounds visitors with typical Apulian scents such as the countryside’s native vegetation: thyme, wild gooseberry, and wild fennel. The Murgia territory’s highest elevation is Monte Caccia, at 679 meters above sea level. The rocks are mostly composed of Cretacic limestone, so that karst landscapes prevail in the area, with doline fields, sinkholes, and caves. The ancient Appian Way, one of the earliest and strategically most important Roman roads of the ancient republic dating back to 312 BC, crosses these territories. The tour also shows visitors the Masseria Jesce, an ancient manor farm dating back to the 16th century. Visitors will see the farm’s architectural features and can admire a rock settlement surrounding it, which consists of amphitheater caves, including a frescoed crypt dedicated to the Archangel St. Michael dating from the mid-14th century that contains a deesis (see Figure 5).

Most of the sites included in the tour are normally not accessible to the public for safety and conservation reasons. However, the high-resolution images and display, the possibility to zoom in, and the textual descriptions provide a useful and exciting experience.

During the tour, users also visit a traditional bakery and experience the production of bread from the Altamura region, with the related scents.

We implemented a simple authoring method to develop the test case scenario of Murgia’s countryside. We then carried out a preliminary within-subject design user test with 16 voluntary participants (average age 28, 80 percent male).

Figure 5. Murgia Experience case study. The tour simulates a trip through the Murgia territory, showing its “hidden treasures,” including natural landscapes (as seen by the user inside MATE in the container) and a frescoed crypt dedicated to the Archangel St. Michael.


We asked them to navigate the virtual tour in two separate sessions (in counterbalanced order): one on a simple desktop PC with a mouse and the other inside MATE. Figure 6 shows a picture from the gesture interaction tests performed in the laboratory.

At the end, we interviewed users using a questionnaire. Our participants indicated that their enjoyment was significantly higher in the MATE as opposed to using the PC with mouse interface (p = 0.015).

Currently, the MATE system is being integrated into a full-scale prototype demonstrator that will be carried all around Europe. Based on our experience and feedback, we think that the use of 360-degree videos can further increase the wow effect and fun factor. Another suggestion from our case study participants was to use source images for the 360-degree panoramas, with as high a resolution as possible, so users can enjoy the zoom-in function to discover new details.

In the future, we plan to evaluate MATE in further tests to measure its usability, enjoyment and engagement, and user satisfaction. We believe that the versatility of MATE’s authoring system will make it reusable so other regions can use it for promotions as well.

Acknowledgments

This work was developed as part of the PAC02L2_00228 “VirtualMurgia - Smart-Multisense Ubiquitous System for Territorial Promotion of Apulia’s Culture and Traditions of Murgia” project, which was cofunded by the Apulia Region and the European Union under the Cohesion Action Plan.

References

1. Eurostat, “2014 GDP per Capita: Twenty-One Regions Below Half of the EU Average,” 26 Feb. 2016; ec.europa.eu/eurostat/web/products-press-releases/-/1-26022016-AP.

2. M.Y. Hyun, S. Lee, and C. Hu, “Mobile-Mediated Virtual Experience in Tourism: Concept, Typology and Applications,” J. Vacation Marketing, vol. 15, no. 2, 2009, pp. 149–164.

3. Y.-H. Cho, Y. Wang, and D.R. Fesenmaier, “Searching for Experiences,” J. Travel & Tourism Marketing, vol. 12, no. 4, 2002, pp. 1–17.

4. B.G. Witmer and M.J. Singer, “Measuring Presence in Virtual Environments: A Presence Questionnaire,” Presence: Teleoperators and Virtual Environments, vol. 7, no. 3, 1998, pp. 225–240.

5. H.Q. Dinh et al., “Evaluating the Importance of Multi-Sensory Input on Memory and the Sense of Presence in Virtual Environments,” Proc. IEEE Virtual Reality, 1999, pp. 222–228.

6. M. Slater and S. Wilbur, “A Framework for Immersive Virtual Environments (FIVE): Speculations on the Role of Presence in Virtual Environments,” Presence: Teleoperators and Virtual Environments, vol. 6, no. 6, 1997, pp. 603–616.

7. M. Feng, A. Dey, and R.W. Lindeman, “An Initial Exploration of a Multi-sensory Design Space: Tactile Support for Walking in Immersive Virtual Environments,” Proc. IEEE Symp. 3D User Interfaces (3DUI), 2016, pp. 95–104.

Figure 6. Laboratory gesture-interaction tests. The Murgia Experience case study indicated that the users’ enjoyment was significantly higher in the MATE.


8. M. Heilig, “Beginnings: Sensorama and the Telesphere Mask,” Digital Illusion, 1998, pp. 343–351.

9. A.W. Law et al., “Multimodal Floor for Immersive Environments,” Proc. ACM SIGGRAPH Emerging Technologies, 2009, p. 16.

10. Y. Ikei et al., “A Multisensory VR System Exploring the Ultra-Reality,” Proc. 18th Int’l Conf. Virtual Systems and Multimedia (VSMM), 2012, pp. 71–78.

11. J. Freitas et al., “Information System for the Management and Visualization of Multisensorial Contents,” Proc. 10th Iberian Conf. Information Systems and Technologies (CISTI), 2015, pp. 1–7.

12. L. Rebenitsch and C. Owen, “Review on Cybersickness in Applications and Visual Displays,” Virtual Reality, vol. 20, no. 2, 2016, pp. 101–125.

13. J.D. Hincapié-Ramos et al., “Consumed Endurance: A Metric to Quantify Arm Fatigue of Mid-Air Interactions,” Proc. SIGCHI Conf. Human Factors in Computing Systems, 2014, pp. 1063–1072.

Vito M. Manghisi is a PhD student in the Department of Mechanics, Mathematics, and Management (DMMM) at the Polytechnic University of Bari. Contact him at [email protected].

Michele Fiorentino is an associate professor in the DMMM at the Polytechnic University of Bari. Contact him at [email protected].

Michele Gattullo is a researcher in the DMMM at the Polytechnic University of Bari. Contact him at michele [email protected].

Antonio Boccaccio is a researcher in the DMMM at the Polytechnic University of Bari. Contact him at antonio [email protected].

Vitoantonio Bevilacqua is a researcher in the Department of Electrical and Computer Engineering (DEI) at the Polytechnic University of Bari. Contact him at vitoantonio [email protected].

Giuseppe L. Cascella is a researcher in the DEI at the Polytechnic University of Bari. Contact him at giuseppeleonardo [email protected].

Michele Dassisti is an associate professor in the DMMM at the Polytechnic University of Bari. Contact him at michele [email protected].

Antonio E. Uva is an associate professor in the DMMM at the Polytechnic University of Bari. Contact him at antonio [email protected].

Contact department editor André Stork at andre.stork@igd.fraunhofer.de.


24 November/December 2017

Graphically Speaking

We asked them to navigate the virtual tour in two separate sessions (in counterbalanced order): one on a simple desktop PC with a mouse and the other inside MATE. Figure 6 shows a picture from the gesture interaction tests performed in the laboratory.

At the end, we interviewed users using a questionnaire. Our participants indicated that their enjoyment was significantly higher in the MATE than with the PC and mouse interface (p = 0.015).

Currently, the MATE system is being integrated into a full-scale prototype demonstrator that will be carried all around Europe. Based on our experience and feedback, we think that the use of 360-degree videos can further increase the wow effect and fun factor. Another suggestion from our case study participants was to use source images for the 360-degree panoramas, with as high a resolution as possible, so users can enjoy the zoom-in function to discover new details.

In the future, we plan to evaluate MATE in further tests to measure its usability, enjoyment and engagement, and user satisfaction. We believe that the versatility of MATE’s authoring system will make it reusable so other regions can use it for promotions as well.

Acknowledgments

This work was developed as part of the PAC02L2_00228 “VirtualMurgia - Smart-Multisense Ubiquitous System for Territorial Promotion of Apulia’s Culture and Traditions of Murgia” project, which was cofunded by the Apulia Region and the European Union under the Cohesion Action Plan.

References

1. Eurostat, “2014 GDP per Capita: Twenty-One Regions Below Half of the EU Average,” 26 Feb. 2016; ec.europa.eu/eurostat/web/products-press-releases/-/1-26022016-AP.

2. M.Y. Hyun, S. Lee, and C. Hu, “Mobile-Mediated Virtual Experience in Tourism: Concept, Typology and Applications,” J. Vacation Marketing, vol. 15, no. 2, 2009, pp. 149–164.

3. Y.-H. Cho, Y. Wang, and D.R. Fesenmaier, “Searching for Experiences,” J. Travel & Tourism Marketing, vol. 12, no. 4, 2002, pp. 1–17.

4. B.G. Witmer and M.J. Singer, “Measuring Presence in Virtual Environments: A Presence Questionnaire,” Presence: Teleoperators and Virtual Environments, vol. 7, no. 3, 1998, pp. 225–240.

5. H.Q. Dinh et al., “Evaluating the Importance of Multi-Sensory Input on Memory and the Sense of Presence in Virtual Environments,” Proc. IEEE Virtual Reality, 1999, pp. 222–228.

6. M. Slater and S. Wilbur, “A Framework for Immersive Virtual Environments (FIVE): Speculations on the Role of Presence in Virtual Environments,” Presence: Teleoperators and Virtual Environments, vol. 6, no. 6, 1997, pp. 603–616.

7. M. Feng, A. Dey, and R.W. Lindeman, “An Initial Exploration of a Multi-sensory Design Space: Tactile Support for Walking in Immersive Virtual Environments,” Proc. IEEE Symp. 3D User Interfaces (3DUI), 2016, pp. 95–104.

Figure 6. Laboratory gesture-interaction tests. The Murgia Experience case study indicated that the users’ enjoyment was significantly higher in the MATE.


This article originally appeared in IEEE Computer Graphics and Applications, vol. 37, no. 6, 2017.
