Michael Whitney,Heather Richter Lipford,Bill Chu,Jun Zhu

DOI: https://doi.org/10.1145/2676723.2677280

2015-01-01

Abstract:Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.

Debarati Basu,Harinni K. Kumar,Vinod K. Lohani,N. Dwight Barnette,Godmar Back,Dave McPherson,Calvin J. Ribbens,Paul E. Plassmann

DOI: https://doi.org/10.1145/3328778.3366798

2020-02-26

Abstract:Cybersecurity education has been emphasized by several national organizations in the United States, including the National Academy of Engineering, which recognizes securing cyberspace as one of the 14 Engineering Grand Challenges. To prepare students for such challenges and to enhance cybersecurity education opportunities at our large research university, we implemented an NSF-funded cybersecurity education project. This project is a collaborative effort between faculty and graduate students in the Engineering Education, Computer Science (CS) and Computer Engineering (CPE) departments at a major US research university. In this effort, we integrated cybersecurity learning modules into multiple existing core CS and CPE courses following Jerome Bruner's spiral-theory model, which has previously been used to reformulate several academic curricula. In this paper, we present our cybersecurity curriculum initiative, describe the spiral-theory based process we developed to implement the curriculum and provide an in-depth description of four reusable cybersecurity learning modules that we developed. A core tenet of spiral theory holds to revisit topics as students advance through their curriculum. This work applies this approach to Cybersecurity education by carefully designing the learning objectives of the modules and its contents. For evaluating these learning modules we implemented pre and post-tests to assess students' technical knowledge, their perceptions towards the modules' learning objectives, and how it influenced their motivation to learn cybersecurity. Our findings are overwhelmingly positive and the students' feedback has helped us improve these learning modules. Since its inception, our initiative has educated more than $2\,000$ students and is currently being used to revise the affected courses' syllabi.

Nabin Chowdhury,Vasileios Gkioulos

DOI: https://doi.org/10.1007/s10207-023-00704-z

2023-06-03

International Journal of Information Security

Abstract:Current enterprises' needs for skilled cyber-security (CS) professionals have prompted the development of diverse CS training programs and offerings. It has been noted that even though enterprise staff is now more aware of security threats, the number of successful attacks against companies has all but decreased over the years. Several criticisms were raised against current CS training offerings, which often made them inadequate, or unable to change participants' behavior and security attitude. One of the main factors CS training programs are often not very effective is the lack of engagement or motivation of participants. This is often the result of training not being tailored to the needs or preferences of participants. In our previous work, we tackled this issue by developing a personalized learning theory-based model for developing CS training frameworks. In this work, we utilize the model to develop two CS training exercises: two game-based scenarios using the CS training video game Cyber CIEGE and one table-top team exercise. The exercises are later tested by involving a group of 12 students from the Norwegian Institute of Science and Technology (NTNU) Information Security master's degree program. According to the results of the experiment and the feedback from the students, students felt more engaged during the exercises due to having been participants in their development process. This has in turn motivated them to continue using the training tools independently in their spare time. Further research is recommended to establish whether the training development model is adequate for different target groups, as well as better performing than other models when developing full-fledged training programs.

computer science, information systems, theory & methods, software engineering

Ghaidaa Shaabany,Reiner Anderl

DOI: https://doi.org/10.1007/978-3-319-94782-2_20

2018-06-24

Abstract:In the light of the expanding digitization, connectivity and interconnection of machines, products, and services in Industrie 4.0, the increasing trend of digitalization and transformation to cyber-physical production systems reveal serious cybersecurity-related issues. BSI (the federal office for information security) in Germany has compiled a list of the most cybersecurity threats faced by manufacturing and process automation systems. The results show that the top threats are social engineering and phishing. From these two threats, it is clear that use of non-technical means like human weaknesses and/or unawareness is gaining a lot of prominence. The aim is to gain unauthorized access to target information and IT systems. Furthermore, the goal is to install malware in the victim’s systems, for example, by opening infected attachments. Therefore, human factor becomes a widely discussed topic by cybersecurity incidents nowadays. Facing these threats by utilizing technical measurements alone is not sufficient. Thus, it is important to provide engineers with an adequate cybersecurity awareness like, new possible threats and risks caused by extensive using of digitization. To fill this gap of knowledge at engineering faculties, this paper presents an effective course that concentrates on cybersecurity issues. The focus is to improve the ability to understand and detect these new cybersecurity threats in the industry. By designing this innovative and effective course, a new assessment model is developed. The model is based on important aspects that are required for enhancing student’s social competences and skills. In the first step, students should work together in teams on a given problem based on best practice examples and contents learned during the course. Another aspect that the mentioned assessment model focuses on is giving a feedback review. In this phase, students have to read the paper of another group and then give a systematic feedback according to specific identified criteria. In the final step, students have to present the results and discuss them with the advisor and then get their grades. Our findings show that there is an acute lack of social competence and skill enhancement by the engineering faculties. We believe that these skills are fundamental for engineering careers and therefore are intensively considered in the introduced course and assessment model.

Azqa Nadeem

DOI: https://doi.org/10.1145/3626252.3630821

2023-10-12

Abstract:Although many Computer Science (CS) programs offer cybersecurity courses, they are typically optional and placed at the periphery of the program. We advocate to integrate cybersecurity as a crosscutting concept in CS curricula, which is also consistent with latest cybersecurity curricular guidelines, e.g., CSEC2017. We describe our experience of implementing this crosscutting intervention across three undergraduate core CS courses at a leading technical university in Europe between 2018 and 2023, collectively educating over 2200 students. The security education was incorporated within CS courses using a partnership between the responsible course instructor and a security expert, i.e., the security expert (after consultation with course instructors) developed and taught lectures covering multiple CSEC2017 knowledge areas. This created a complex dynamic between three stakeholders: the course instructor, the security expert, and the students. We reflect on our intervention from the perspective of the three stakeholders -- we conducted a post-course survey to collect student perceptions, and semi-supervised interviews with responsible course instructors and the security expert to gauge their experience. We found that while the students were extremely enthusiastic about the security content and retained its impact several years later, the misaligned incentives for the instructors and the security expert made it difficult to sustain this intervention without organizational support. By identifying limitations in our intervention, we suggest ideas for sustaining it.

Computers and Society,Cryptography and Security

Mohammad Azzeh,Ahmad Mousa Altamimi,Mahmood Albashayreh,Mohammad A AL-Oudat

DOI: https://doi.org/10.48550/arXiv.2209.10407

2022-09-12

Cryptography and Security

Abstract:This study examines the effect of adopting cybersecurity concepts on the IT curriculum and determines the potential effect on students' knowledge of cybersecurity practices and level of awareness. To this end, a pilot study was first conducted to measure the current level of cybersecurity awareness. The results revealed that students do not have much knowledge of Cybersecurity. Thus, a four-step approach was proposed to infuse the relevant cybersecurity topics in five matched courses based on the latest Cybersecurity curricular guidelines (CSEC2017). A sample of 42 students was selected purposively without prior knowledge of Cybersecurity and divided identically into experimental and control groups. Students in the experimental group were asked to take five consecutive courses over five semesters. In each course, groups went through a pre-test for the infused topics. Then, the experimental group taught the corresponding infused topics. A post-test was administered to both groups at the end of each course, and the t-test was conducted. The results found significant differences between marks of prior and post-tests for 11 out of 14 infused topics. These satisfactory results would encourage universities to infuse cybersecurity concepts into their curriculum

Xiaojun Wu,Shuzhen Tian

DOI: https://doi.org/10.1109/fie.2015.7344154

2015-01-01

Abstract:Work in Progress: University-level cybersecurity education is encouraged by both the US government and academic organizations. A new practical course in cybersecurity in the summer semester is introduced, in which junior students made teams to learn in a student-centered and competitive style. Students were provided with course materials in five topics. An online judge system was developed with problems of levels from the beginner to the advanced to encourage competitive learning. A contest was held, in which teams designed their own problems and tried to solve the others'. A scoring method was used to avoid the students' problems being too easy or too difficult. Considerable engagement of the students was observed during the course. Almost all problems in the online judge system had been solved at the end of the semester, and the problems designed by the students involved a considerable breadth and depth of cybersecurity related knowledge and technologies. Feedbacks from the students greatly appreciated the online judge system and the contest. They also gave suggestion on the contest and suggested more presentation and discussion in the course.

Lwin Khin Shar,Christopher M. Poskitt,Kyong Jin Shim,Li Ying Leonard Wong

DOI: https://doi.org/10.48550/arXiv.2204.12416

2022-04-26

Cryptography and Security

Abstract:Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Jan Vykopal,Pavel Seda,Valdemar vbensk,Pavel eleda,Valdemar Svabensky,Pavel Celeda

DOI: https://doi.org/10.1109/tlt.2022.3216345

2022-01-01

IEEE Transactions on Learning Technologies

Abstract:Hands-on computing education requires a realistic learning environment that enables students to gain and deepen their skills. Available learning environments, including virtual and physical laboratories, provide students with real-world computer systems but rarely adapt the learning environment to individual students of various proficiency and background. We design a unique and novel smart environment for the adaptive training of cybersecurity skills. The environment collects a variety of student data to assign a suitable learning path through the training. To enable such adaptiveness, we propose, develop, and deploy a new tutor model and a training format. We evaluate the learning environment using two different adaptive trainings attended by 114 students of various proficiency. The results show that students were assigned tasks with a more appropriate difficulty, which enabled them to successfully complete the training. Students reported that they enjoyed the training, felt the training difficulty was appropriately designed, and would attend more training sessions like these. Instructors can use the environment for teaching any topic involving real-world computer networks and systems because it is not tailored to particular training. We freely release the software along with exemplary training so that other instructors can adopt the innovations in their teaching practice.

education & educational research,computer science, interdisciplinary applications

Filipo Sharevski,Adam Trowbridge,Jessica Westbrook

DOI: https://doi.org/10.48550/arXiv.1806.01198

2018-06-04

Computers and Society

Abstract:Training the future cybersecurity workforce to respond to emerging threats requires introduction of novel educational interventions into the cybersecurity curriculum. To be effective, these interventions have to incorporate trending knowledge from cybersecurity and other related domains while allowing for experiential learning through hands-on experimentation. To date, the traditional interdisciplinary approach for cybersecurity training has infused political science, law, economics or linguistics knowledge into the cybersecurity curriculum, allowing for limited experimentation. Cybersecurity students were left with little opportunity to acquire knowledge, skills, and abilities in domains outside of these. Also, students in outside majors had no options to get into cybersecurity. With this in mind, we developed an interdisciplinary course for experiential learning in the fields of cybersecurity and interaction design. The inaugural course teaches students from cybersecurity, user interaction design, and visual design the principles of designing for secure use - or secure design - and allows them to apply them for prototyping of Internet-of-Things (IoT) products for smart homes. This paper elaborates on the concepts of secure design and how our approach enhances the training of the future cybersecurity workforce.

Affan Yasin,Lin Liu,Tong Li,Jianmin Wang,Didar Zowghi

DOI: https://doi.org/10.1016/j.infsof.2017.12.002

IF: 3.9

2018-01-01

Information and Software Technology

Abstract:Context: Security, in digitally connected organizational environments of today, involves many different perspectives, including social, physical, and technical factors. In order to understand the interactions among these correlated aspects and elicit potential threats geared towards a given organization, different security requirements analysis approaches are proposed in the literature. However, the body of knowledge is yet to unleash its full potential due to the complex nature of security problems, and inadequate ways to improve security awareness of key players in the organization. Objective: Objective(s) of the research study is to improve the security awareness of players utilizing serious games via: (i) Know-how of security concepts and security protection; (ii) guided process of identifying valuable assets and vulnerabilities in a given organizational setting; (iii) guided process of defining successful security attacks to the organization. Method: Important methods used to address the above objectives include: (i) a comprehensive review of the literature to better understand security and game design elements; (ii) designing a serious game using cyber security knowledge and game-based techniques combined with security requirements engineering concepts; (iii) using empirical evaluation (observation and survey) to verify the effectiveness of the proposed game design. Result: The solution proposed is a serious game for security requirements education, which: (i) can be an effective and fun way of learning security related concepts; (ii) mimics a real life problem setting in a presentable and understandable way; (iii) motivates players to learn more about security related concepts in future. Conclusion: From this study, we conclude that the proposed Security Requirement Education Game (SREG) has positive results and is helpful for players of the game to get an understanding of security attacks and vulnerabilities.

Jun Zhu,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1145/2445196.2445396

2013-01-01

Abstract:Software flaws are a root cause of many of today's information security vulnerabilities. Current curricula emphasis on traditional information security issues does not address this root cause. We propose educating students on secure programming techniques through interactive tool support in the Integrated Development Environment (IDE). We believe this approach can complement other curricula efforts by teaching and providing continuous reinforcement of practices throughout programming tasks. In this paper, we evaluate our prototype tool, ASIDE, which provides instant security warnings, detailed explanations of vulnerabilities, and code generation. We report the results of an observational study on 20 students from an advanced Web programming course. The results provide early evidence that our tool could potentially help students learn about and practice secure programming in the context of their programming assignments.

Albert Tay,Sebastian M Hayes,Drew Wilson,Emmie Hall,Dallin Kaufman

DOI: https://doi.org/10.28945/5313

2024-01-01

Issues in Informing Science and Information Technology

Abstract:Aim/Purpose. Capture the Flag (CTF) challenges are a popular form of cybersecurity education where students solve hands-on tasks in a game-like setting. These exercises provide learning experiences with various specific technologies and subjects, as well as a broader understanding of cybersecurity topics. Competitions reinforce and teach problem-solving skills that are applicable in various technical and non-technical environments outside of the competitions. Background. The Information Search Process (ISP) is a framework developed to under-stand the process by which an individual goes about studying a topic, identifying emotional ties connected to each step an individual takes. As the individual goes through the problem-solving process, there is a clear flow from uncertainty to clarity; the individual’s feelings, thoughts, and actions are all interconnected. This study aims to investigate the learning of cybersecurity concepts within the framework of the ISP, specifically in the context of CTF competitions. Methodology. A comprehensive research methodology designed to incorporate quantitative and qualitative analyses to draw the parallels between the participants’ emotional experiences and the affective dimensions of learning will be implemented to measure the three primary goals. Contribution. This study contributes significantly to the broader landscape of cybersecurity education and cognitive-emotional experiences in problem-solving. Findings. The study has three primary goals. First, we seek to enhance our under-standing of the emotional and intellectual aspects involved in problem-solving, as demonstrated by the ISP approach. Second, we aim to gain in-sights into how the presentation of CTF challenges influences the learning experience of participants. Lastly, we strive to contribute to the improvement of cybersecurity education by identifying actionable steps for more effective teaching of technical skills and approaches. Recommendations for Practitioners. Competitions reinforce and teach problem-solving skills applicable in various technical and non-technical environments outside of the competitions. Recommendations for Researchers. The Information Search Process (ISP) framework may enhance our understanding of the emotional and intellectual aspects involved in problem-solving as we study the emotional ties connected to each step an individual takes as the individual goes through the problem-solving process. Impact on Society. Our pursuit of advancing our understanding of cybersecurity education will better equip future generations with the skills and knowledge needed to ad-dress the evolving challenges of the digital landscape. This will better pre-pare them for real-world challenges. Future Research. Future studies would include the development of a cybersecurity curriculum on vulnerability exploitation and defense. It would include practice exploiting practical web and binary vulnerabilities, reverse engineering, system hardening, security operations, and understanding how they can be chained together.

Stylianos Karagiannis,Emmanouil Magkos

DOI: https://doi.org/10.1108/ics-04-2019-0050

2020-11-13

Information and Computer Security

Abstract:Purpose This paper aims to highlight the potential of using capture the flag (CTF) challenges, as part of an engaging cybersecurity learning experience for enhancing skills and knowledge acquirement of undergraduate students in academic programs. Design/methodology/approach The approach involves integrating interactivity, gamification, self-directed and collaborative learning attributes using a CTF hosting platform for cybersecurity education. The proposed methodology includes the deployment of a pre-engagement survey for selecting the appropriate CTF challenges in accordance with the skills and preferences of the participants. During the learning phase, storytelling elements were presented, while a behavior rubric was constructed to observe the participants’ behavior and responses during a five-week lab. Finally, a survey was created for getting feedback from the students and for extracting quantitative results based on the attention, relevance, confidence and satisfaction (ARCS) model of motivational design. Findings Students felt more confident about their skills and were highly engaged to the learning process. The outcomes in terms of technical skills and knowledge acquisition were shown to be positive. Research limitations/implications As the number of participants was small, the results and information retrieved from applying the ARCS model only have an indicative value; however, specific challenges to overcome are highlighted which are important for the future deployments. Practical implications Educators could use the proposed approach for deploying an engaging cybersecurity learning experience in an academic program, emphasizing on providing hands-on practice labs and featuring topics from real-world cybersecurity cases. Using the proposed approach, an educator could also monitor the progress of the participants and get qualitative and quantitative statistics regarding the learning impact for each exercise. Social implications Educators could demonstrate modern cybersecurity topics in the classroom, closing further the gap between theory and practice. As a result, students from academia will benefit from the proposed approach by acquiring technical skills, knowledge and experience through hands-on practice in real-world cases. Originality/value This paper intends to bridge the existing gap between theory and practice in the topics of cybersecurity by using CTF challenges for learning purposes and not only for testing the participants’ skills. This paper offers important knowledge for enhancing cybersecurity education programs and for educators to use CTF challenges for conducting cybersecurity exercises in academia, extracting meaningful statistics regarding the learning impact.

Mac Malone,Yicheng Wang,Fabian Monrose

DOI: https://doi.org/10.1145/3450329.3476859

2021-10-06

Abstract:We present an online gamified learning platform for computer science and cybersecurity education. Exercises within the platform revolve around a custom game wherein students can demonstrate learned skills regarding password security, web security, traffic analysis, reverse engineering, cryptanalysis, and much more. We describe some key features that together make our platform novel, including its distributed infrastructure, game engine, integrated development environment, automated feedback system, and support for individualization. We demonstrate how these features assist in the learning process --- both in theory and in practice --- and report on the use of the platform in a cybersecurity course.

Lydia Kraus,Valdemar Švábenský,Martin Horák,Vashek Matyáš,Jan Vykopal,Pavel Čeleda

DOI: https://doi.org/10.48550/arXiv.2307.07608

2023-07-14

Computers and Society

Abstract:As cyber threats endanger everyone, from regular users to computing professionals, spreading cybersecurity awareness becomes increasingly critical. Therefore, our university designed an innovative cybersecurity awareness course that is freely available online for students, employees, and the general public. The course offers simple, actionable steps that anyone can use to implement defensive countermeasures. Compared to other resources, the course not only suggests learners what to do, but explains why and how to do it. To measure the course impact, we administered it to 138 computer science undergraduates within a compulsory information security and cryptography course. They completed the course as a part of their homework and filled out a questionnaire after each lesson. Analysis of the questionnaire responses revealed that the students valued the course highly. They reported new learning, perspective changes, and transfer to practice. Moreover, they suggested suitable improvements to the course. Based on the results, we have distilled specific insights to help security educators design similar courses. Lessons learned from this study are relevant for cybersecurity instructors, course designers, and educational managers.

Komal Bhupendra Vekaria,Prasad Calyam,Songjie Wang,Ramya Payyavula,Matthew Rockey,Nafis Ahmed

DOI: https://doi.org/10.1109/tlt.2021.3091904

2021-06-01

IEEE Transactions on Learning Technologies

Abstract:There is an increasing trend in cloud adoption of enterprise applications in, for example, manufacturing, healthcare, and finance. Such applications are routinely subject to targeted cyberattacks, which result in significant loss of sensitive data (e.g., due to data exfiltration in advanced persistent threats) or valuable utilities (e.g., due to resource the exfiltration of power in cryptojacking). There is a critical need to train highly skilled cybersecurity professionals, who are capable of defending against such targeted attacks. In this article, we present the design, development, and evaluation of the Mizzou Cyber Range, an online platform to learn basic/advanced cyber defense concepts and perform training exercises to engender the next-generation cybersecurity workforce. Mizzou Cyber Range features flexibility, scalability, portability, and extendability in delivering cyberattack/defense learning modules to students. We detail our "research-inspired learning" and "learn–apply–create" three-phase pedagogy methodologies in the development of four learning modules that include laboratory exercises and self-study activities using realistic cloud-based application testbeds. The learning modules allow students to gain skills in using latest technologies (e.g., elastic capacity provisioning, software-defined everything infrastructure) to implement sophisticated "attack defense by pretense" techniques. Students can also use the learning modules to understand the attacker–defender game in order to create disincentives (i.e., pretense initiation) that make the attacker's tasks more difficult, costly, time consuming, and uncertain. Lastly, we show the benefits of our Mizzou Cyber Range through the evaluation of student learning using auto-grading, rank assessments with peer standing- and monitoring of students' performance via feedback from prelab evaluation surveys and postlab technical assessments.

Maureen Namukasa,Maria Chaparro Osman,Cherrise Ficke,Isabella Piasecki,TJ OConnor,Meredith Carroll

DOI: https://doi.org/10.1080/10447318.2024.2314349

IF: 4.92

2024-02-22

International Journal of Human-Computer Interaction

Abstract:Cybersecurity education heavily utilizes competition-based approaches, such as capture-the-flag (CTF) games to support the need for a skilled cybersecurity workforce. Although CTFs expose students to cybersecurity work competencies, their competitive nature may contribute to the lack of diversity in cybersecurity programs. In response, we developed a technology-based, experiential learning approach utilizing Internet of Things (IoT) devices to educate learners about cybersecurity concepts. We evaluated the approach's effectiveness in engaging and sparking interest in a diverse sample of high school students. Our results indicated that (a) all participants reported a moderate challenge-skill balance, (b) underrepresented minorities (URMs) reported significantly higher engagement than non-URMs, and (c) significantly more female students compared to male students reported increased levels of intent to pursue cybersecurity after participating in the learning activity. We present the approach, methods, results, implications, and recommendations for the use of IoT devices in cybersecurity education to train a more diverse workforce.

computer science, cybernetics,ergonomics

Valdemar Švábenský,Jan Vykopal,Pavel Čeleda,Lydia Kraus

DOI: https://doi.org/10.48550/arXiv.2307.08582

2023-07-13

Computers and Society

Abstract:Cybersecurity professionals need hands-on training to prepare for managing the current advanced cyber threats. To practice cybersecurity skills, training participants use numerous software tools in computer-supported interactive learning environments to perform offensive or defensive actions. The interaction involves typing commands, communicating over the network, and engaging with the training environment. The training artifacts (data resulting from this interaction) can be highly beneficial in educational research. For example, in cybersecurity education, they provide insights into the trainees' learning processes and support effective learning interventions. However, this research area is not yet well-understood. Therefore, this paper surveys publications that enhance cybersecurity education by leveraging trainee-generated data from interactive learning environments. We identified and examined 3021 papers, ultimately selecting 35 articles for a detailed review. First, we investigated which data are employed in which areas of cybersecurity training, how, and why. Second, we examined the applications and impact of research in this area, and third, we explored the community of researchers. Our contribution is a systematic literature review of relevant papers and their categorization according to the collected data, analysis methods, and application contexts. These results provide researchers, developers, and educators with an original perspective on this emerging topic. To motivate further research, we identify trends and gaps, propose ideas for future work, and present practical recommendations. Overall, this paper provides in-depth insight into the recently growing research on collecting and analyzing data from hands-on training in security contexts.

Valdemar Švábenský,Jan Vykopal

DOI: https://doi.org/10.48550/arXiv.1903.04174

2019-03-11

Computers and Society

Abstract:This Work-In-Progress Paper for the Innovative Practice Category presents a novel experiment in active learning of cybersecurity. We introduced a new workshop on hacking for an existing science-popularizing program at our university. The workshop participants, 28 teenagers, played a cybersecurity game designed for training undergraduates and professionals in penetration testing. Unlike in learning environments that are simplified for young learners, the game features a realistic virtual network infrastructure. This allows exploring security tools in an authentic scenario, which is complemented by a background story. Our research aim is to examine how young players approach using cybersecurity tools by interacting with the professional game. A preliminary analysis of the game session showed several challenges that the workshop participants faced. Nevertheless, they reported learning about security tools and exploits, and 61% of them reported wanting to learn more about cybersecurity after the workshop. Our results support the notion that young learners should be allowed more hands-on experience with security topics, both in formal education and informal extracurricular events.