Alan T. Sherman,Linda Oliva,Enis Golaszewski,Dhananjay Phatak,Travis Scheponik,Geoffrey L. Herman,Dong San Choi,Spencer E. Offenberger,Peter Peterson,Josiah Dykstra,Gregory V. Bard,Ankur Chattopadhyay,Filipo Sharevski,Rakesh Verma,Ryan Vrecenar

DOI: https://doi.org/10.1109/msec.2019.2929812

2019-11-01

Abstract:Presently, there is no rigorous, research-based method for measuring the quality of cybersecurity instruction. Validated assessment tools are needed so that cybersecurity educators have trusted methods for discerning whether efforts to improve student preparation are successful. The Cybersecurity Assessment Tools (CATS) Project⁹ provides rigorous evidence-based instruments for assessing and evaluating educational practices (<uri>http://www.cisa.umbc.edu/cats/index.html</uri>). The first instrument is the Cybersecurity Concept Inventory (CCI), which measures how well students understand core concepts in cybersecurity (especially adversarial thinking) after a first course in the field. The second instrument, the Cybersecurity Curriculum Assessment (CCA), measures how well students understand the same core concepts after completing a full cybersecurity curriculum and whether they are ready to enter the workforce as cybersecurity professionals. These tools can identify pedagogies and content that are effective in teaching cybersecurity.

computer science, information systems, software engineering

Albert Tay,Sebastian M Hayes,Drew Wilson,Emmie Hall,Dallin Kaufman

DOI: https://doi.org/10.28945/5313

2024-01-01

Issues in Informing Science and Information Technology

Abstract:Aim/Purpose. Capture the Flag (CTF) challenges are a popular form of cybersecurity education where students solve hands-on tasks in a game-like setting. These exercises provide learning experiences with various specific technologies and subjects, as well as a broader understanding of cybersecurity topics. Competitions reinforce and teach problem-solving skills that are applicable in various technical and non-technical environments outside of the competitions. Background. The Information Search Process (ISP) is a framework developed to under-stand the process by which an individual goes about studying a topic, identifying emotional ties connected to each step an individual takes. As the individual goes through the problem-solving process, there is a clear flow from uncertainty to clarity; the individual’s feelings, thoughts, and actions are all interconnected. This study aims to investigate the learning of cybersecurity concepts within the framework of the ISP, specifically in the context of CTF competitions. Methodology. A comprehensive research methodology designed to incorporate quantitative and qualitative analyses to draw the parallels between the participants’ emotional experiences and the affective dimensions of learning will be implemented to measure the three primary goals. Contribution. This study contributes significantly to the broader landscape of cybersecurity education and cognitive-emotional experiences in problem-solving. Findings. The study has three primary goals. First, we seek to enhance our under-standing of the emotional and intellectual aspects involved in problem-solving, as demonstrated by the ISP approach. Second, we aim to gain in-sights into how the presentation of CTF challenges influences the learning experience of participants. Lastly, we strive to contribute to the improvement of cybersecurity education by identifying actionable steps for more effective teaching of technical skills and approaches. Recommendations for Practitioners. Competitions reinforce and teach problem-solving skills applicable in various technical and non-technical environments outside of the competitions. Recommendations for Researchers. The Information Search Process (ISP) framework may enhance our understanding of the emotional and intellectual aspects involved in problem-solving as we study the emotional ties connected to each step an individual takes as the individual goes through the problem-solving process. Impact on Society. Our pursuit of advancing our understanding of cybersecurity education will better equip future generations with the skills and knowledge needed to ad-dress the evolving challenges of the digital landscape. This will better pre-pare them for real-world challenges. Future Research. Future studies would include the development of a cybersecurity curriculum on vulnerability exploitation and defense. It would include practice exploiting practical web and binary vulnerabilities, reverse engineering, system hardening, security operations, and understanding how they can be chained together.

Mohammad Azzeh,Ahmad Mousa Altamimi,Mahmood Albashayreh,Mohammad A AL-Oudat

DOI: https://doi.org/10.48550/arXiv.2209.10407

2022-09-12

Cryptography and Security

Abstract:This study examines the effect of adopting cybersecurity concepts on the IT curriculum and determines the potential effect on students' knowledge of cybersecurity practices and level of awareness. To this end, a pilot study was first conducted to measure the current level of cybersecurity awareness. The results revealed that students do not have much knowledge of Cybersecurity. Thus, a four-step approach was proposed to infuse the relevant cybersecurity topics in five matched courses based on the latest Cybersecurity curricular guidelines (CSEC2017). A sample of 42 students was selected purposively without prior knowledge of Cybersecurity and divided identically into experimental and control groups. Students in the experimental group were asked to take five consecutive courses over five semesters. In each course, groups went through a pre-test for the infused topics. Then, the experimental group taught the corresponding infused topics. A post-test was administered to both groups at the end of each course, and the t-test was conducted. The results found significant differences between marks of prior and post-tests for 11 out of 14 infused topics. These satisfactory results would encourage universities to infuse cybersecurity concepts into their curriculum

Azqa Nadeem

DOI: https://doi.org/10.1145/3626252.3630821

2023-10-12

Abstract:Although many Computer Science (CS) programs offer cybersecurity courses, they are typically optional and placed at the periphery of the program. We advocate to integrate cybersecurity as a crosscutting concept in CS curricula, which is also consistent with latest cybersecurity curricular guidelines, e.g., CSEC2017. We describe our experience of implementing this crosscutting intervention across three undergraduate core CS courses at a leading technical university in Europe between 2018 and 2023, collectively educating over 2200 students. The security education was incorporated within CS courses using a partnership between the responsible course instructor and a security expert, i.e., the security expert (after consultation with course instructors) developed and taught lectures covering multiple CSEC2017 knowledge areas. This created a complex dynamic between three stakeholders: the course instructor, the security expert, and the students. We reflect on our intervention from the perspective of the three stakeholders -- we conducted a post-course survey to collect student perceptions, and semi-supervised interviews with responsible course instructors and the security expert to gauge their experience. We found that while the students were extremely enthusiastic about the security content and retained its impact several years later, the misaligned incentives for the instructors and the security expert made it difficult to sustain this intervention without organizational support. By identifying limitations in our intervention, we suggest ideas for sustaining it.

Computers and Society,Cryptography and Security

Brandon Earwood,Jeong Yang,Young Rae Kim

DOI: https://doi.org/10.1109/tale52509.2021.9678713

2021-12-05

Abstract:As security is a crucial aspect in the process of developing software systems, software engineers must have a strong understanding of security concepts for an application being developed and tested. There has been a growing demand for these skills to be taught on all knowledge levels in computing courses. This paper builds on a study related to a series of security modules designed to meet that demand for teaching security concepts to students in computer science courses. Six small lessons in three security modules are implemented into a CS2 course, and the outcomes of this implementation are assessed. Each concept in the modules is broken up into a general description of the security problem, sample code written in Java, and sample code of the solution. Along with the security modules, an open-ended, problem-solving Model-Eliciting Activity (MEA) was developed as a project for students to demonstrate an understanding of the security concepts. Experimental studies were conducted to investigate the teaching effectiveness of implementing cyber security modules with the MEA project and students&#x27; experiences in conceptual modeling tasks in problem solving. After implementing the security modules with the MEA, students showed a good understanding of cyber security concepts, and the instructor&#x27;s beliefs about teaching shifted from teacher-centered to student-centered. 41.7% of the developed solutions from the MEA groups showed a sufficient degree of creativity, and 58.3% of the solutions seemed suitable for real-world implementation. The initial activities leading to student developed solutions effectively prepared students within the scope of the course, but additional discussion and resources may be necessary to expand on creativity and practicality.

Stylianos Karagiannis,Emmanouil Magkos

DOI: https://doi.org/10.1108/ics-04-2019-0050

2020-11-13

Information and Computer Security

Abstract:Purpose This paper aims to highlight the potential of using capture the flag (CTF) challenges, as part of an engaging cybersecurity learning experience for enhancing skills and knowledge acquirement of undergraduate students in academic programs. Design/methodology/approach The approach involves integrating interactivity, gamification, self-directed and collaborative learning attributes using a CTF hosting platform for cybersecurity education. The proposed methodology includes the deployment of a pre-engagement survey for selecting the appropriate CTF challenges in accordance with the skills and preferences of the participants. During the learning phase, storytelling elements were presented, while a behavior rubric was constructed to observe the participants’ behavior and responses during a five-week lab. Finally, a survey was created for getting feedback from the students and for extracting quantitative results based on the attention, relevance, confidence and satisfaction (ARCS) model of motivational design. Findings Students felt more confident about their skills and were highly engaged to the learning process. The outcomes in terms of technical skills and knowledge acquisition were shown to be positive. Research limitations/implications As the number of participants was small, the results and information retrieved from applying the ARCS model only have an indicative value; however, specific challenges to overcome are highlighted which are important for the future deployments. Practical implications Educators could use the proposed approach for deploying an engaging cybersecurity learning experience in an academic program, emphasizing on providing hands-on practice labs and featuring topics from real-world cybersecurity cases. Using the proposed approach, an educator could also monitor the progress of the participants and get qualitative and quantitative statistics regarding the learning impact for each exercise. Social implications Educators could demonstrate modern cybersecurity topics in the classroom, closing further the gap between theory and practice. As a result, students from academia will benefit from the proposed approach by acquiring technical skills, knowledge and experience through hands-on practice in real-world cases. Originality/value This paper intends to bridge the existing gap between theory and practice in the topics of cybersecurity by using CTF challenges for learning purposes and not only for testing the participants’ skills. This paper offers important knowledge for enhancing cybersecurity education programs and for educators to use CTF challenges for conducting cybersecurity exercises in academia, extracting meaningful statistics regarding the learning impact.

Brennan Denzel,Maíra Marques Samary

DOI: https://doi.org/10.1145/3545947.3573272

2022-03-01

Abstract:In the last couple years, the interest in computer science programs has significantly increased both within the academic realm and the general population. Currently, students entering computer science programs possess very diverse computing experience; some have never coded before, some have a little code experience, and others have years worth of experience. Because of this, the fixed-structured program style, where students follow a predetermined, specific course path does not work very well; students are often left feeling frustrated and discouraged because the courses they have to do are either too easy or too hard. This deters many students from pursuing careers or majors in computer science. To solve this issue, a standardized assessment that will measure students' knowledge independently of any previously learned programming languages is necessary. This paper presents the idea and a partial validation of a General Computer Science Concept Inventory (GCSCI). The goal is to have a language independent assessment that can measure students' knowledge of the concepts contained within the introductory CS courses (CS0, CS1, CS2). Here we present the topics covered in the first part of the GCSCI and its validity assessment. Students doing an Intro to CS course were invited to participate in the validation of the first part of the GCSCI. Of the 25 questions generated, which have a good coverage of the concepts being evaluated, 14 were validated.

Computer Science

Sang-Yoon Chang,Kay Yoon,Simeon Wuthier,Kelei Zhang

DOI: https://doi.org/10.48550/arXiv.2206.08971

2022-06-17

Computers and Society

Abstract:Team collaboration among individuals with diverse sets of expertise and skills is essential for solving complex problems. As part of an interdisciplinary effort, we studied the effects of Capture the Flag (CTF) game, a popular and engaging education/training tool in cybersecurity and engineering, in enhancing team construction and collaboration. We developed a framework to incorporate CTF as part of a computer-human process for expertise recognition and role assignment and evaluated and tested its effectiveness through a study with cybersecurity students enrolled in a Virtual Teams course. In our computer-human process framework, the post-CTF algorithm using the CTF outcomes assembles the team (assigning individuals to teams) and provides the initial role assignments, which then gets updated by human-based team discussions. This paper shares our insights, design choices/rationales, and analyses of our CTF-incorporated computer-human process framework. The students' evaluations revealed that the computer-human process framework was helpful in learning about their team members' backgrounds and expertise and assigning roles accordingly made a positive impact on the learning outcomes for the team collaboration skills in the course. This experience report showcases the utility of CTF as a tool for expertise recognition and role assignments in teams and highlights the complementary roles of CTF-based and discussion-based processes for an effective team collaboration among engineering students.

Ryan Shah,Manuel Maarek,Shenando Stals,Lynne Baillie,Sheung Chi Chan,Robert Stewart,Hans-Wolfgang Loidl,Olga Chatzifoti

DOI: https://doi.org/10.48550/arXiv.2307.16535

2023-07-31

Abstract:Cybersecurity is an important topic which is often viewed as one that is inaccessible due to steep learning curves and a perceived requirement of needing specialist knowledge. With a constantly changing threat landscape, practical solutions such as best-practices are employed, but the number of critical cybersecurity-related incidents remains high. To address these concerns, the National Cyber Security Centre published a Cybersecurity Body of Knowledge (CyBOK) to provide a comprehensive information base used to advise and underpin cybersecurity learning. Unfortunately, CyBOK contains over 1000 pages of in-depth material and may not be easy to navigate for novice individuals. Furthermore, it does not allow for easy expression of various cybersecurity scenarios that such individuals may be exposed to. As a solution to these two issues, we propose the use of a playing cards format to provide introductory cybersecurity knowledge that supports learning and discussion, using CyBOK as the foundation for the technical content. Upon evaluation in two user studies, we found that 80% of the participants agreed the cards provided them with introductory knowledge of cybersecurity topics, and 70% agreed the cards provided an interface for discussing topics and enabled them to make links between attacks, vulnerabilities and defences.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Maureen Namukasa,Maria Chaparro Osman,Cherrise Ficke,Isabella Piasecki,TJ OConnor,Meredith Carroll

DOI: https://doi.org/10.1080/10447318.2024.2314349

IF: 4.92

2024-02-22

International Journal of Human-Computer Interaction

Abstract:Cybersecurity education heavily utilizes competition-based approaches, such as capture-the-flag (CTF) games to support the need for a skilled cybersecurity workforce. Although CTFs expose students to cybersecurity work competencies, their competitive nature may contribute to the lack of diversity in cybersecurity programs. In response, we developed a technology-based, experiential learning approach utilizing Internet of Things (IoT) devices to educate learners about cybersecurity concepts. We evaluated the approach's effectiveness in engaging and sparking interest in a diverse sample of high school students. Our results indicated that (a) all participants reported a moderate challenge-skill balance, (b) underrepresented minorities (URMs) reported significantly higher engagement than non-URMs, and (c) significantly more female students compared to male students reported increased levels of intent to pursue cybersecurity after participating in the learning activity. We present the approach, methods, results, implications, and recommendations for the use of IoT devices in cybersecurity education to train a more diverse workforce.

computer science, cybernetics,ergonomics

Debarati Basu,Harinni K. Kumar,Vinod K. Lohani,N. Dwight Barnette,Godmar Back,Dave McPherson,Calvin J. Ribbens,Paul E. Plassmann

DOI: https://doi.org/10.1145/3328778.3366798

2020-02-26

Abstract:Cybersecurity education has been emphasized by several national organizations in the United States, including the National Academy of Engineering, which recognizes securing cyberspace as one of the 14 Engineering Grand Challenges. To prepare students for such challenges and to enhance cybersecurity education opportunities at our large research university, we implemented an NSF-funded cybersecurity education project. This project is a collaborative effort between faculty and graduate students in the Engineering Education, Computer Science (CS) and Computer Engineering (CPE) departments at a major US research university. In this effort, we integrated cybersecurity learning modules into multiple existing core CS and CPE courses following Jerome Bruner&#x27;s spiral-theory model, which has previously been used to reformulate several academic curricula. In this paper, we present our cybersecurity curriculum initiative, describe the spiral-theory based process we developed to implement the curriculum and provide an in-depth description of four reusable cybersecurity learning modules that we developed. A core tenet of spiral theory holds to revisit topics as students advance through their curriculum. This work applies this approach to Cybersecurity education by carefully designing the learning objectives of the modules and its contents. For evaluating these learning modules we implemented pre and post-tests to assess students&#x27; technical knowledge, their perceptions towards the modules&#x27; learning objectives, and how it influenced their motivation to learn cybersecurity. Our findings are overwhelmingly positive and the students&#x27; feedback has helped us improve these learning modules. Since its inception, our initiative has educated more than $2\,000$ students and is currently being used to revise the affected courses&#x27; syllabi.

Hongmei Chi,Jinwei Liu,Weifeng Xu,Mingming Peng,Jon DeGoicoechea

DOI: https://doi.org/10.53735/cisse.v9i1.140

2022-03-08

Journal of The Colloquium for Information Systems Security Education

Abstract:The integration of cyber-physical systems (CPS) has been extremely advantageous to society, it merges the attention of cybersecurity for vehicles as a timely concern as a matter of public and individual. The failure of any vehicle system could have a serious impact on vehicle control and cause undesired consequences. With the growing demand for security in CPS, there are few hands-on labs/modules available for training current students, future engineers, or IT professionals to understand cybersecurity in CPS. This study describes the execution of a free security testbed to replicate a vehicle’s network system and the implementation of this testbed via hands-on lab designed to introduce concepts of vehicle control systems. The hands-on lab simulates insider threat scenarios where students had to use can-utils toolkits and SavvyCAN to send, modify, and capture the network packet and exploit the system vulnerability threats such as replay attacks and fuzzing attacks on the vehicle system. We conducted a case study with 21 university-level students, and all students completed the hands-on lab, pretest, posttest, and a satisfaction survey as part of a non-graded class assignment. The experimental results show that most students were not familiar with cyber-physical systems and vehicle control systems and never had the chance to do any hands-on lab in this field before. Furthermore, students reported that the hands-on lab helped them learn about CAN-bus and rated high scores for enjoyment. We discussed the design of an affordable tool to teach about vehicle control systems and proposed directions for future work.

Fei Zuo,Junghwan Rhee,Yonghyun Kim,Jeehyun Oh,Gang Qian

DOI: https://doi.org/10.1145/3585059.3611416

2023-01-01

Abstract:Undergraduate research activities have demonstrated their ability to enhance learning outcomes, improve student retention, and foster critical thinking. In particular, cybersecurity is a highly practical discipline, and relying solely on passive learning or observation is far from sufficient. By actively engaging in research, students can better comprehend and apply the knowledge that they have acquired, thus cultivating their ability to solve practical problems. On the other hand, we observe that well-established datasets hold paramount importance for AI-driven cybersecurity applications, while pertinent data are usually a precious and scarce resource. In this paper, we introduce a comprehensive dataset SecAtlas towards research-involved cybersecurity programs using real-world cases. The dataset construction provides students with various realistic samples of cyber-attacks and vulnerabilities, which can make them experience the complexity of cybersecurity and acquire relevant skills. More importantly, SecAtlas greatly facilitates the engagement of students in subsequent data-centric cybersecurity research. Finally, we conduct a set of studies to evaluate the collected dataset. The investigation results demonstrate the effectiveness of applying the proposed dataset to practical security projects.

Matthew Ferland,Varun Nagaraj Rao,Arushi Arora,Drew van der Poel,Michael Luu,Randy Huynh,Freddy Reiber,Sandra Ossman,Seth Poulsen,Michael Shindler

2024-11-22

Abstract:Concept inventories are standardized assessments that evaluate student understanding of key concepts within academic disciplines. While prevalent across STEM fields, their development lags for advanced computer science topics like dynamic programming (DP) -- an algorithmic technique that poses significant conceptual challenges for undergraduates. To fill this gap, we developed and validated a Dynamic Programming Concept Inventory (DPCI). We detail the iterative process used to formulate multiple-choice questions targeting known student misconceptions about DP concepts identified through prior research studies. We discuss key decisions, tradeoffs, and challenges faced in crafting probing questions to subtly reveal these conceptual misunderstandings. We conducted a preliminary psychometric validation by administering the DPCI to 172 undergraduate CS students finding our questions to be of appropriate difficulty and effectively discriminating between differing levels of student understanding. Taken together, our validated DPCI will enable instructors to accurately assess student mastery of DP. Moreover, our approach for devising a concept inventory for an advanced theoretical computer science concept can guide future efforts to create assessments for other under-evaluated areas currently lacking coverage.

Data Structures and Algorithms,Computers and Society

Lwin Khin Shar,Christopher M. Poskitt,Kyong Jin Shim,Li Ying Leonard Wong

DOI: https://doi.org/10.48550/arXiv.2204.12416

2022-04-26

Cryptography and Security

Abstract:Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Cori Faklaris,Laura Dabbish,Jason I. Hong

DOI: https://doi.org/10.48550/arXiv.2204.03114

2022-04-06

Cryptography and Security

Abstract:We present SA-13, the 13-item Security Attitude inventory. We develop and validate this assessment of cybersecurity attitudes by conducting an exploratory factor analysis, confirmatory factor analysis, and other tests with data from a U.S. Census-weighted Qualtrics panel (N=209). Beyond a core six indicators of Engagement with Security Measures (SA-Engagement, three items) and Attentiveness to Security Measures (SA-Attentiveness, three items), our SA-13 inventory adds indicators of Resistance to Security Measures (SA-Resistance, four items) and Concernedness with Improving Compliance (SA-Concernedness, three items). SA-13 and the subscales exhibit desirable psychometric qualities; and higher scores on SA-13 and on the SA-Engagement and SA-Attentiveness subscales are associated with higher scores for security behavior intention and for self-reported recent security behaviors. SA-13 and the subscales are useful for researchers and security awareness teams who need a lightweight survey measure of user security attitudes. The composite score of the 13 indicators provides a compact measurement of cybersecurity decisional balance.

Alina Torbunova,Adnan Ashraf,Ivan Porres

2024-07-10

Abstract:Context: To effectively defend against ever-evolving cybersecurity threats, software systems should be made as secure as possible. To achieve this, software developers should understand potential vulnerabilities and apply secure coding practices. To prepare these skilled professionals, it is important that cybersecurity concepts are included in programming courses taught at universities. Objective: To present a comprehensive and unbiased literature review on teaching of cybersecurity concepts in programming courses taught at universities. Method: We perform a Systematic Mapping Study. We present six research questions, define our selection criteria, and develop a classification scheme. Results and Conclusions: We select 24 publications. Our results show a wide range of research contributions. We also outline guidelines and identify opportunities for future studies. The guidelines include coverage of security knowledge categories and evaluation of contributions. We suggest that future studies should cover security issues, negative impacts, and countermeasures, as well as apply evaluation techniques that examine students' knowledge. The opportunities for future studies are related to advanced courses, security knowledge frameworks, and programming environments. Furthermore, there is a need of a holistic security framework that covers the security concepts identified in this study and is suitable for education.

Programming Languages

Jun-ichiro Yasuda,Michael M. Hull,Naohiro Mae,Kentaro Kojima

2024-10-24

Abstract:Although conceptual assessment tests are frequently administered in a pre/post-semester fashion, there are inherent issues with this paradigm. Specifically, education researchers and instructors have limited ability to observe the progression of student conceptual understanding throughout the course. Furthermore, instructors are limited in the usefulness of the feedback they can give to the students involved. To address these issues, we propose the use of computerized adaptive testing (CAT) and increasing the frequency of CAT-based assessments during the course, while reducing the test length per administration, thus keeping or decreasing the total number of test items administered throughout the course. The feasibility of this idea depends on how far the test length per administration can be reduced without compromising the test accuracy and precision. Specifically, the overall test length is desired to be shorter than when the full assessment is administered as a pretest and subsequent post-test. To achieve this goal, we developed a CAT algorithm that we call Chain-CAT. This algorithm sequentially links the results of each CAT administration using collateral information. We developed the Chain-CAT algorithm using the items of the Force Concept Inventory (FCI) and analyzed the efficiency by numerical simulations. We found that collateral information significantly improved the test efficiency, and the overall test length could be shorter than the pre-post method. Without constraints for item balancing and exposure control, simulation results indicated that the efficiency of Chain-CAT is comparable to that of the pre-post method even if the length of each CAT administration is only 5 items and the CAT is administered 9 times throughout the semester. (To continue, see text.)

Physics Education

Valdemar Švábenský,Pavel Čeleda,Jan Vykopal,Silvia Brišáková

DOI: https://doi.org/10.1016/j.cose.2020.102154

2021-01-05

Abstract:Capture the Flag challenges are a popular form of cybersecurity education, where students solve hands-on tasks in an informal, game-like setting. The tasks feature diverse assignments, such as exploiting websites, cracking passwords, and breaching unsecured networks. However, it is unclear how the skills practiced by these challenges match formal cybersecurity curricula defined by security experts. We explain the significance of Capture the Flag challenges in cybersecurity training and analyze their 15,963 textual solutions collected since 2012. Based on keywords in the solutions, we map them to well-established ACM/IEEE curricular guidelines to understand which skills the challenges teach. We study the distribution of cybersecurity topics, their variance in different challenge formats, and their development over the past years. The analysis showed the prominence of technical knowledge about cryptography and network security, but human aspects, such as social engineering and cybersecurity awareness, are neglected. We discuss the implications of these results and relate them to contemporary literature. Our results indicate that future Capture the Flag challenges should include non-technical aspects to address the current advanced cyber threats and attract a broader audience to cybersecurity.

Cryptography and Security

Marco Alfano,Viviana Bastidas,Paul Heynen,Markus Helfert

DOI: https://doi.org/10.48550/arXiv.2302.05166

2023-02-10

Cryptography and Security

Abstract:Governments around the world are required to strengthen their national cybersecurity capabilities to respond effectively to the growing, changing, and sophisticated cyber threats and attacks, thus protecting society and the way of life as a whole. Responsible government institutions need to revise, evaluate, and bolster their national cybersecurity capabilities to fulfill the new requirements, for example regarding new trends affecting cybersecurity, key supporting laws and regulations, and implementations risk and challenges. This report presents a comprehensive assessment instrument for cybersecurity at the national level in order to help countries to ensure optimum response capability and more effective use of critical resources of each state. More precisely, the report - builds a common understanding of the critical cybersecurity capabilities and competence to be assessed at the national level, - adds value to national strategic planning and implementation which impact the development and adaptation of national cybersecurity strategies, - provides an overview of the assessment approaches at the national level, including capabilities, frameworks, and controls, - introduces a comprehensive cybersecurity instrument for countries to determine areas of improvement and develop enduring national capabilities, - describes how to apply the proposed national cybersecurity assessment framework in a real-world case, and - presents the results and lessons learned of the application of the assessment framework at the national level to assist governments in further building cybersecurity capabilities.