Security in Game Development: Consciously Neglecting a Critical Side Quest
Published April 6, 2026
Game development and IT security barely overlap. That's the picture painted by a qualitative study from the CISPA Helmholtz Center for Information Security. For the paper "Skipping the Security Side Quests" (Klostermeyer et al., 2024), presented at ACM CCS 2024, the research team conducted 20 semi-structured interviews with professional game developers across 15 countries. The findings are sobering.
Why Does the Games Industry Treat Security as a Side Quest?
The title nails it. In video games, side quests are optional — nice, but not required to finish. That's exactly how many studios treat security.
Interviewees held all kinds of roles: developers, managers, publishers, security experts, producers, freelancers. Across every position, a pattern emerged. People know security matters. They just don't allocate resources for it. Lead author Philip Klostermeyer puts it bluntly: the games industry's approach to security is reactive and inconsistent.
Five Security Areas, One Shared Problem
The study identifies five security-relevant areas in game development:
- Anti-Cheat: Countermeasures against cheating in multiplayer games
- Asset Security: Protecting intellectual property — game art, source code, unreleased content
- Network Security: Securing client-server communications
- Software Stability: Guarding against crashes, exploits, and game logic manipulation
- User Data Protection: Handling player accounts, payment information, and personal data responsibly
The common thread across all five: not enough money, not enough time, not enough expertise. Security measures almost always lose to feature pressure and tight deadlines.
Why Does Anti-Cheat Protect Revenue Instead of Players?
Anti-cheat dominates the security conversation in gaming. That makes sense — cheaters drive away paying players, and that directly hurts revenue. Studios invest here first.
But look at the motivation. It's not about player safety. It's about protecting the business model. If cheating doesn't threaten revenue, nobody acts.
Kernel-level anti-cheat systems add a risk of their own. This software runs with the highest system privileges on players' machines, which creates new attack surface. A concrete example: in 2022, attackers exploited a vulnerability in Genshin Impact's anti-cheat driver to deploy ransomware. The mechanism meant to stop cheaters opened a door for malware, and it affected players regardless of whether they still had the game installed.
Big Studios vs. Indie Developers
The gap between large and small studios is massive.
Major publishers and AAA studios employ dedicated security teams, run penetration tests, and budget for external audits. Small and mid-sized studios face a different reality entirely. A five-person indie team simply can't assign someone to security. Those developers are simultaneously designers, testers, community managers, and DevOps engineers. Security falls through the cracks because nobody's there to catch it.
Team size and budget correlate directly with security maturity. Not surprising, but it doesn't make small studios any less vulnerable.
Why Are There No Security Standards in the Games Industry?
Here's what the researchers find particularly alarming: there are no industry-wide security standards for game development. Finance has PCI DSS. Healthcare has HIPAA. General software development has OWASP. Games have nothing comparable.
Most interviewees had never attended any security training. Security knowledge — when it existed — was passed along informally or looked up on a case-by-case basis. Systematic education? Nonexistent.
This creates a self-reinforcing knowledge gap. If you don't know what threats exist, you can't estimate the effort needed to counter them. And if you can't estimate the effort, you won't budget for it.
The Dilemma of Conscious Neglect
Perhaps the most unsettling finding: the games industry doesn't primarily suffer from ignorance. The people interviewed know security is a problem. They know their games have vulnerabilities. They know player data could be at risk.
Yet little happens.
Money, time, and know-how form a triangle of inaction. Studios would need to invest, carve out development time, and build expertise simultaneously. In an industry defined by crunch periods and thin margins, security stays the side quest that gets skipped.
What Needs to Change
The study doesn't offer a ready-made solution — the problem's too multifaceted for that. But the direction is clear.
First, the games industry needs its own security standards. Not a copy of OWASP, but guidelines tailored to the specific challenges of game development — covering anti-cheat, asset protection, and player data handling.
Second, accessible training is missing. Security courses designed for the working reality of small studios could close the knowledge gap without demanding unrealistic resources.
Third, platform operators and publishers need to step up. Those who distribute and sell games have the market power to make security requirements mandatory — much like app stores enforce minimum privacy standards.
Conclusion
The games industry has a security problem it recognizes but doesn't fix. The qualitative study by Klostermeyer et al. provides empirical evidence: 20 interviews, 15 countries, five security areas — and a consistent pattern of conscious deprioritization. For the more than three billion gamers worldwide whose data and systems are affected, that's not acceptable.
The full study: Klostermeyer et al., "Skipping the Security Side Quests: A Qualitative Study on Security Practices and Challenges in Game Development", ACM CCS 2024.
This article is an AI-generated summary of the scientific publication "Skipping the Security Side Quests: A Qualitative Study on Security Practices and Challenges in Game Development" (ACM CCS 2024). The content has been editorially reviewed.