Xiaojun Wu,Shuzhen Tian

DOI: https://doi.org/10.1109/fie.2015.7344154

2015-01-01

Abstract:Work in Progress: University-level cybersecurity education is encouraged by both the US government and academic organizations. A new practical course in cybersecurity in the summer semester is introduced, in which junior students made teams to learn in a student-centered and competitive style. Students were provided with course materials in five topics. An online judge system was developed with problems of levels from the beginner to the advanced to encourage competitive learning. A contest was held, in which teams designed their own problems and tried to solve the others'. A scoring method was used to avoid the students' problems being too easy or too difficult. Considerable engagement of the students was observed during the course. Almost all problems in the online judge system had been solved at the end of the semester, and the problems designed by the students involved a considerable breadth and depth of cybersecurity related knowledge and technologies. Feedbacks from the students greatly appreciated the online judge system and the contest. They also gave suggestion on the contest and suggested more presentation and discussion in the course.

Barry Horowitz,Peter Beling,Kevin Skadron,Ron D Williams,William Melvin,Ron D. Williams

DOI: https://doi.org/10.21236/ada626823

2015-01-31

Abstract:The Systems Engineering Research Center (SERC) has developed a novel cybersecurity concept for embedding security solutions into systems called System-Aware Cybersecurity. The overall goal of the System-Aware program is to develop low cost methods of protection against cyber exploits by our adversaries. Development of a prototype security system for securely monitoring an autonomous surveillance system on board an unmanned aerial vehicle for possible cyber attacks using reconfiguring systems for Sentinel-based architecture. Exploring decision support methodologies for determining on a mission basis the most critical system functions to secure employing attack tree tools and SysML/UML tools. Developing cyber security CONOPS for operation of UAV's that are possibly under attack. Exploring the opportunity to apply private Cloud capabilities as a Sentinel for monitoring ground-based systems so as be able to readily employ moving target and diversity solutions to secure the Sentinel and to monitor Cloud performance as a means for detecting possible cyber attacks. The major deliverables of the project were prototype-based and simulation experiments that result in enhanced understanding of requirements for cyber defense of systems and design patterns that can be reused across multiple system types.

Azqa Nadeem

DOI: https://doi.org/10.1145/3626252.3630821

2023-10-12

Abstract:Although many Computer Science (CS) programs offer cybersecurity courses, they are typically optional and placed at the periphery of the program. We advocate to integrate cybersecurity as a crosscutting concept in CS curricula, which is also consistent with latest cybersecurity curricular guidelines, e.g., CSEC2017. We describe our experience of implementing this crosscutting intervention across three undergraduate core CS courses at a leading technical university in Europe between 2018 and 2023, collectively educating over 2200 students. The security education was incorporated within CS courses using a partnership between the responsible course instructor and a security expert, i.e., the security expert (after consultation with course instructors) developed and taught lectures covering multiple CSEC2017 knowledge areas. This created a complex dynamic between three stakeholders: the course instructor, the security expert, and the students. We reflect on our intervention from the perspective of the three stakeholders -- we conducted a post-course survey to collect student perceptions, and semi-supervised interviews with responsible course instructors and the security expert to gauge their experience. We found that while the students were extremely enthusiastic about the security content and retained its impact several years later, the misaligned incentives for the instructors and the security expert made it difficult to sustain this intervention without organizational support. By identifying limitations in our intervention, we suggest ideas for sustaining it.

Computers and Society,Cryptography and Security

Noly M. De Ramos,Francisco Dente Esponilla II

DOI: https://doi.org/10.11591/ijere.v11i3.22863

2022-09-01

International Journal of Evaluation and Research in Education (IJERE)

Abstract:Digital technology has become an integral aspect of an educational system. Every state university funded the creation of Information Technology Offices to secure its Management Information System. The challenge on cybersecurity threatens the intellectual capital of students especially in a research university, theft of crucial information, and financial loss. The current study is a multiple case study of cybersecurity threats and challenges of Selected Philippine State Universities and Colleges in the National Capital Region. Sample participants were purposively selected Information Technology experts from various selected State College and Universities. A structured interview as the main instrument of the study investigated threats and challenges of cybersecurity to assess active and proactive approaches to developing a model framework for security resources in respective academic institutions. Responses gathered from the interview were consolidated and analyzed through a thematic coding process. The result of the study revealed the following challenges in cybersecurity are user education, cloud security, information security strategy, and unsecured personal devices. The creation of a program logic model will provide an informed cybersecurity planning, implementation, and assessment framework to the commission on higher education in collaboration with the Department of Information and Communication Technology, and the Philippine Association of the State Colleges and Universities.

Debarati Basu,Harinni K. Kumar,Vinod K. Lohani,N. Dwight Barnette,Godmar Back,Dave McPherson,Calvin J. Ribbens,Paul E. Plassmann

DOI: https://doi.org/10.1145/3328778.3366798

2020-02-26

Abstract:Cybersecurity education has been emphasized by several national organizations in the United States, including the National Academy of Engineering, which recognizes securing cyberspace as one of the 14 Engineering Grand Challenges. To prepare students for such challenges and to enhance cybersecurity education opportunities at our large research university, we implemented an NSF-funded cybersecurity education project. This project is a collaborative effort between faculty and graduate students in the Engineering Education, Computer Science (CS) and Computer Engineering (CPE) departments at a major US research university. In this effort, we integrated cybersecurity learning modules into multiple existing core CS and CPE courses following Jerome Bruner's spiral-theory model, which has previously been used to reformulate several academic curricula. In this paper, we present our cybersecurity curriculum initiative, describe the spiral-theory based process we developed to implement the curriculum and provide an in-depth description of four reusable cybersecurity learning modules that we developed. A core tenet of spiral theory holds to revisit topics as students advance through their curriculum. This work applies this approach to Cybersecurity education by carefully designing the learning objectives of the modules and its contents. For evaluating these learning modules we implemented pre and post-tests to assess students' technical knowledge, their perceptions towards the modules' learning objectives, and how it influenced their motivation to learn cybersecurity. Our findings are overwhelmingly positive and the students' feedback has helped us improve these learning modules. Since its inception, our initiative has educated more than $2\,000$ students and is currently being used to revise the affected courses' syllabi.

Albert Tay,Sebastian M Hayes,Drew Wilson,Emmie Hall,Dallin Kaufman

DOI: https://doi.org/10.28945/5313

2024-01-01

Issues in Informing Science and Information Technology

Abstract:Aim/Purpose. Capture the Flag (CTF) challenges are a popular form of cybersecurity education where students solve hands-on tasks in a game-like setting. These exercises provide learning experiences with various specific technologies and subjects, as well as a broader understanding of cybersecurity topics. Competitions reinforce and teach problem-solving skills that are applicable in various technical and non-technical environments outside of the competitions. Background. The Information Search Process (ISP) is a framework developed to under-stand the process by which an individual goes about studying a topic, identifying emotional ties connected to each step an individual takes. As the individual goes through the problem-solving process, there is a clear flow from uncertainty to clarity; the individual’s feelings, thoughts, and actions are all interconnected. This study aims to investigate the learning of cybersecurity concepts within the framework of the ISP, specifically in the context of CTF competitions. Methodology. A comprehensive research methodology designed to incorporate quantitative and qualitative analyses to draw the parallels between the participants’ emotional experiences and the affective dimensions of learning will be implemented to measure the three primary goals. Contribution. This study contributes significantly to the broader landscape of cybersecurity education and cognitive-emotional experiences in problem-solving. Findings. The study has three primary goals. First, we seek to enhance our under-standing of the emotional and intellectual aspects involved in problem-solving, as demonstrated by the ISP approach. Second, we aim to gain in-sights into how the presentation of CTF challenges influences the learning experience of participants. Lastly, we strive to contribute to the improvement of cybersecurity education by identifying actionable steps for more effective teaching of technical skills and approaches. Recommendations for Practitioners. Competitions reinforce and teach problem-solving skills applicable in various technical and non-technical environments outside of the competitions. Recommendations for Researchers. The Information Search Process (ISP) framework may enhance our understanding of the emotional and intellectual aspects involved in problem-solving as we study the emotional ties connected to each step an individual takes as the individual goes through the problem-solving process. Impact on Society. Our pursuit of advancing our understanding of cybersecurity education will better equip future generations with the skills and knowledge needed to ad-dress the evolving challenges of the digital landscape. This will better pre-pare them for real-world challenges. Future Research. Future studies would include the development of a cybersecurity curriculum on vulnerability exploitation and defense. It would include practice exploiting practical web and binary vulnerabilities, reverse engineering, system hardening, security operations, and understanding how they can be chained together.

Michael Whitney,Heather Richter Lipford,Bill Chu,Jun Zhu

DOI: https://doi.org/10.1145/2676723.2677280

2015-01-01

Abstract:Many of the security vulnerabilities common in today's software can be prevented with standard secure coding practices. Computer science students who will become the developers of that software need to learn about those practices so they can prevent such vulnerabilities. Many computing programs are addressing this need through additional lectures, elective courses, or more holistic approaches to integrate security across curriculums. We are exploring a complementary approach, integrating secure coding education into the IDE to provide a learning opportunity in the context of writing code. In this paper, we report on two field studies using an IDE tool in an advanced Web programming course. Our results indicate that the tool can increase students' awareness and knowledge of secure programming, but to be most effective, instructors may need to incentivize its use through in-class methods and careful timing of its introduction.

Maureen Namukasa,Maria Chaparro Osman,Cherrise Ficke,Isabella Piasecki,TJ OConnor,Meredith Carroll

DOI: https://doi.org/10.1080/10447318.2024.2314349

IF: 4.92

2024-02-22

International Journal of Human-Computer Interaction

Abstract:Cybersecurity education heavily utilizes competition-based approaches, such as capture-the-flag (CTF) games to support the need for a skilled cybersecurity workforce. Although CTFs expose students to cybersecurity work competencies, their competitive nature may contribute to the lack of diversity in cybersecurity programs. In response, we developed a technology-based, experiential learning approach utilizing Internet of Things (IoT) devices to educate learners about cybersecurity concepts. We evaluated the approach's effectiveness in engaging and sparking interest in a diverse sample of high school students. Our results indicated that (a) all participants reported a moderate challenge-skill balance, (b) underrepresented minorities (URMs) reported significantly higher engagement than non-URMs, and (c) significantly more female students compared to male students reported increased levels of intent to pursue cybersecurity after participating in the learning activity. We present the approach, methods, results, implications, and recommendations for the use of IoT devices in cybersecurity education to train a more diverse workforce.

computer science, cybernetics,ergonomics

Lwin Khin Shar,Christopher M. Poskitt,Kyong Jin Shim,Li Ying Leonard Wong

DOI: https://doi.org/10.48550/arXiv.2204.12416

2022-04-26

Cryptography and Security

Abstract:Cybersecurity education is considered an important part of undergraduate computing curricula, but many institutions teach it only in dedicated courses or tracks. This optionality risks students graduating with limited exposure to secure coding practices that are expected in industry. An alternative approach is to integrate cybersecurity concepts across non-security courses, so as to expose students to the interplay between security and other sub-areas of computing. In this paper, we report on our experience of applying the security integration approach to an undergraduate web programming course. In particular, we added a practical introduction to secure coding, which highlighted the OWASP Top 10 vulnerabilities by example, and demonstrated how to identify them using out-of-the-box security scanner tools (e.g. ZAP). Furthermore, we incentivised students to utilise these tools in their own course projects by offering bonus marks. To assess the impact of this intervention, we scanned students' project code over the last three years, finding a reduction in the number of vulnerabilities. Finally, in focus groups and a survey, students shared that our intervention helped to raise awareness, but they also highlighted the importance of grading incentives and the need to teach security content earlier.

Junghwan "John" Rhee,Myungah Park,Fei Zuo,Shuai Zhang,Gang Qian,Goutam Mylavarapu,Hong Sung,Thomas Turner

2023-01-01

Journal of Computing Sciences in Colleges

Abstract:Increasing cybersecurity incidents call for a competitive cybersecurity workforce more than ever. We create new comprehensive cybersecurity university curricula in a metro undergraduate-focused regional university. Our program is distinguished from other programs by specializing in incident response, which addresses the analysis of attack trails and damages followed by infrastructure hardening including software, systems, and policies to prevent future attacks. This special theme requires practical strength such as certifiable deep knowledge, hands-on skills, and research-involved cybersecurity activities. We present the design and implementation of the cybersecurity curricula in our institution.

Zul-Azri Ibrahim,Md Nabil Ahmad Zawawi,Fiza Abdul Rahim,Ahmad Haziq Ashrofie Hanafi,Haikal Rokman,Ahmad Dahaqin Ibrahim

DOI: https://doi.org/10.52650/ejcsit.v7i1.107

2021-10-22

electronic Journal of Computer Science and Information Technology

Abstract:Cybersecurity education topics require technical understanding. However, it is a challenging task for any teacher to introduce topics to students who have no technical background. Recently, the concept of gamification has been implemented as a tool to inculcate student’s interest using a variety of popular in-games techniques and applying them to educational modules. Extending from this notion, it was found that Capture the Flag (CTF) competition style is a successful way of introducing students to various technical concepts in the standard computer science curriculum. During the 2019 school holiday, a CTF for secondary school students was run at Universiti Tenaga Nasional (UNITEN) with the primary goal of introducing secondary school students to various cybersecurity topics and also to inculcate their interest in cybersecurity. The method that we used is different from other CTF or similar events, in which we use a scenario-based approach. We found that this method attracts participants in solving each challenge in a competitive environment.

Fei Zuo,Junghwan Rhee,Myungah Park,Gang Qian

DOI: https://doi.org/10.48550/arXiv.2309.01839

2023-10-14

Abstract:In the past few years, an incident response-oriented cybersecurity program has been constructed at University of Central Oklahoma. As a core course in the newly-established curricula, Secure System Administration focuses on the essential knowledge and skill set for system administration. To enrich students with hands-on experience, we also develop a companion coursework project, named PowerGrader. In this paper, we present the course structure as well as the companion project design. Additionally, we survey the pertinent criterion and curriculum requirements from the widely recognized accreditation units. By this means, we demonstrate the importance of a secure system administration course within the context of cybersecurity education.

Cryptography and Security

Valdemar Švábenský,Jan Vykopal

DOI: https://doi.org/10.48550/arXiv.1903.04174

2019-03-11

Computers and Society

Abstract:This Work-In-Progress Paper for the Innovative Practice Category presents a novel experiment in active learning of cybersecurity. We introduced a new workshop on hacking for an existing science-popularizing program at our university. The workshop participants, 28 teenagers, played a cybersecurity game designed for training undergraduates and professionals in penetration testing. Unlike in learning environments that are simplified for young learners, the game features a realistic virtual network infrastructure. This allows exploring security tools in an authentic scenario, which is complemented by a background story. Our research aim is to examine how young players approach using cybersecurity tools by interacting with the professional game. A preliminary analysis of the game session showed several challenges that the workshop participants faced. Nevertheless, they reported learning about security tools and exploits, and 61% of them reported wanting to learn more about cybersecurity after the workshop. Our results support the notion that young learners should be allowed more hands-on experience with security topics, both in formal education and informal extracurricular events.

Erin E. Blanchard,Sue S. Feldman,Marjorie Lee White,Ryan Allen,Thad Phillips,Michelle R. Brown

DOI: https://doi.org/10.1055/s-0044-1790551

IF: 2.762

2024-11-08

Applied Clinical Informatics

Abstract:Background Experiential learning through simulation allows students to apply didactic knowledge to real-world situations. Tabletop simulation allows for the exploration of a variety of topics, including cybersecurity in health care. Due to its low frequency, yet high-risk nature, simulation is a perfect educational modality to practice responding to a cybersecurity attack. As such, the authors designed and executed a tabletop cybersecurity simulation consisting of a prebriefing, four rounds of injects detailing potential cybersecurity breaches that students must address, and structured debriefings that included input from cybersecurity content experts. This simulation was performed in 2018, 2019, 2022, and 2023, during graduate Health Informatics (HI) students' residential visits. Objective The simulation allowed opportunities for HI students to apply knowledge of cybersecurity principles to an unfolding tabletop simulation containing injects of scenarios they may encounter in the real world. Methods Survey data were used to assess the students' perceptions of the simulation. Topics assessed included overall satisfaction, teamwork and communication, and length of the event. Additionally, in 2022 and 2023, data were collected on psychological safety and whether to include them in future HI residential visits. Results Eighty-eight graduate HI students took part in the cybersecurity simulation over four annual residential visits. Most students were satisfied with the event, found it valuable, and could see it impacting their future practice as informaticists. Additionally, students indicated high levels of psychological safety. Multiple students requested that additional simulations be incorporated into the curriculum. Conclusion A tabletop cybersecurity simulation was utilized to allow HI students the ability to apply knowledge related to cybersecurity breaches to real-world examples. The simulation's best practices of prebriefing, psychological safety, and structured debriefing with expert feedback were emphasized in the simulation's design and implementation. Students found the simulation valuable and worth including in the curriculum. The HI on-site visit survey is conducted as part of ongoing program quality improvement efforts and therefore exempt from institutional review board approval. The standard simulation survey is classified by the University of Alabama at Birmingham Institutional Review Board as exempt (approval no.: IRB-120822005). Received: 30 May 2024 Accepted: 13 August 2024 Article published online: 06 November 2024 © 2024. Thieme. All rights reserved. Georg Thieme Verlag KG Rüdigerstraße 14, 70469 Stuttgart, Germany

medical informatics

Archana Bhavani Vasanth Kumar,Gia Grier McGinnis,Laundette Jones,Erin R Hager,Sequoia L Wright,Cara Felter,Greg Carey,Bret Hassel,Arletha W Livingston,Elizabeth A Parker

DOI: https://doi.org/10.15695/jstem/v7i1.01

Abstract:University of Maryland, Baltimore CURE Connections (UMB CURE) connects West Baltimore high school students with STEM enrichment including hands-on research and community outreach. This study's purpose was to describe successes and challenges of implementing the virtual Community Health Worker curriculum during the summer programming for UMB CURE high school scholars. This certificate-based program was designed to teach students about the community health field while providing training that demonstrates competence as a community health worker. The training was implemented over two summer sessions (2020 and 2021). Scholars completed a survey to assess program satisfaction. A subset of scholars completed qualitative interviews that focused on scholars' summer program experience and recommendations for program improvement. Engagement metrics (scholar participation, retention) were compiled. Overall themes from qualitative interviews included (1) overall summer program experience, (2) about the Morehouse curriculum, (3) advice for future scholars, (4) in-person versus virtual summer program, and (5) recommendations for the program. While the program was generally well-received, scholars required more instruction and guidance than anticipated. Many found the required assignments challenging to navigate, citing virtual instruction as a reason. Scholars also requested more hands-on synchronous STEM-focused activities. These data will be used to modify future programming to engage scholars in out-of-school-time STEM initiatives.

Sang-Yoon Chang,Kay Yoon,Simeon Wuthier,Kelei Zhang

DOI: https://doi.org/10.48550/arXiv.2206.08971

2022-06-17

Computers and Society

Abstract:Team collaboration among individuals with diverse sets of expertise and skills is essential for solving complex problems. As part of an interdisciplinary effort, we studied the effects of Capture the Flag (CTF) game, a popular and engaging education/training tool in cybersecurity and engineering, in enhancing team construction and collaboration. We developed a framework to incorporate CTF as part of a computer-human process for expertise recognition and role assignment and evaluated and tested its effectiveness through a study with cybersecurity students enrolled in a Virtual Teams course. In our computer-human process framework, the post-CTF algorithm using the CTF outcomes assembles the team (assigning individuals to teams) and provides the initial role assignments, which then gets updated by human-based team discussions. This paper shares our insights, design choices/rationales, and analyses of our CTF-incorporated computer-human process framework. The students' evaluations revealed that the computer-human process framework was helpful in learning about their team members' backgrounds and expertise and assigning roles accordingly made a positive impact on the learning outcomes for the team collaboration skills in the course. This experience report showcases the utility of CTF as a tool for expertise recognition and role assignments in teams and highlights the complementary roles of CTF-based and discussion-based processes for an effective team collaboration among engineering students.

Brandon Earwood,Jeong Yang,Young Rae Kim

DOI: https://doi.org/10.1109/tale52509.2021.9678713

2021-12-05

Abstract:As security is a crucial aspect in the process of developing software systems, software engineers must have a strong understanding of security concepts for an application being developed and tested. There has been a growing demand for these skills to be taught on all knowledge levels in computing courses. This paper builds on a study related to a series of security modules designed to meet that demand for teaching security concepts to students in computer science courses. Six small lessons in three security modules are implemented into a CS2 course, and the outcomes of this implementation are assessed. Each concept in the modules is broken up into a general description of the security problem, sample code written in Java, and sample code of the solution. Along with the security modules, an open-ended, problem-solving Model-Eliciting Activity (MEA) was developed as a project for students to demonstrate an understanding of the security concepts. Experimental studies were conducted to investigate the teaching effectiveness of implementing cyber security modules with the MEA project and students' experiences in conceptual modeling tasks in problem solving. After implementing the security modules with the MEA, students showed a good understanding of cyber security concepts, and the instructor's beliefs about teaching shifted from teacher-centered to student-centered. 41.7% of the developed solutions from the MEA groups showed a sufficient degree of creativity, and 58.3% of the solutions seemed suitable for real-world implementation. The initial activities leading to student developed solutions effectively prepared students within the scope of the course, but additional discussion and resources may be necessary to expand on creativity and practicality.

Kamil Malinka,Anton Firc,Pavel Loutocký,Jakub Vostoupal,Andrej Krištofík,František Kasl

DOI: https://doi.org/10.1145/3649217.3653633

2024-04-18

Abstract:To keep up with the growing number of cyber-attacks and associated threats, there is an ever-increasing demand for cybersecurity professionals and new methods and technologies. Training new cybersecurity professionals is a challenging task due to the broad scope of the area. One particular field where there is a shortage of experts is Ethical Hacking. Due to its complexity, it often faces educational constraints. Recognizing these challenges, we propose a solution: integrating a real-world bug bounty programme into cybersecurity curriculum. This innovative approach aims to fill the gap in practical cybersecurity education and also brings additional positive benefits. To evaluate our idea, we include the proposed solution to a secure coding course for IT-oriented faculty. We let students choose to participate in a bug bounty programme as an option for the semester assignment in a secure coding course. We then collected responses from the students to evaluate the outcomes (improved skills, reported vulnerabilities, a better relationship with security, etc.). Evaluation of the assignment showed that students enjoyed solving such real-world problems, could find real vulnerabilities, and that it helped raise their skills and cybersecurity awareness. Participation in real bug bounty programmes also positively affects the security level of the tested products. We also discuss the potential risks of this approach and how to mitigate them.

Cryptography and Security

Valdemar Švábenský,Pavel Čeleda,Jan Vykopal,Silvia Brišáková

DOI: https://doi.org/10.1016/j.cose.2020.102154

2021-01-05

Abstract:Capture the Flag challenges are a popular form of cybersecurity education, where students solve hands-on tasks in an informal, game-like setting. The tasks feature diverse assignments, such as exploiting websites, cracking passwords, and breaching unsecured networks. However, it is unclear how the skills practiced by these challenges match formal cybersecurity curricula defined by security experts. We explain the significance of Capture the Flag challenges in cybersecurity training and analyze their 15,963 textual solutions collected since 2012. Based on keywords in the solutions, we map them to well-established ACM/IEEE curricular guidelines to understand which skills the challenges teach. We study the distribution of cybersecurity topics, their variance in different challenge formats, and their development over the past years. The analysis showed the prominence of technical knowledge about cryptography and network security, but human aspects, such as social engineering and cybersecurity awareness, are neglected. We discuss the implications of these results and relate them to contemporary literature. Our results indicate that future Capture the Flag challenges should include non-technical aspects to address the current advanced cyber threats and attract a broader audience to cybersecurity.

Cryptography and Security

Stylianos Karagiannis,Emmanouil Magkos

DOI: https://doi.org/10.1108/ics-04-2019-0050

2020-11-13

Information and Computer Security

Abstract:Purpose This paper aims to highlight the potential of using capture the flag (CTF) challenges, as part of an engaging cybersecurity learning experience for enhancing skills and knowledge acquirement of undergraduate students in academic programs. Design/methodology/approach The approach involves integrating interactivity, gamification, self-directed and collaborative learning attributes using a CTF hosting platform for cybersecurity education. The proposed methodology includes the deployment of a pre-engagement survey for selecting the appropriate CTF challenges in accordance with the skills and preferences of the participants. During the learning phase, storytelling elements were presented, while a behavior rubric was constructed to observe the participants’ behavior and responses during a five-week lab. Finally, a survey was created for getting feedback from the students and for extracting quantitative results based on the attention, relevance, confidence and satisfaction (ARCS) model of motivational design. Findings Students felt more confident about their skills and were highly engaged to the learning process. The outcomes in terms of technical skills and knowledge acquisition were shown to be positive. Research limitations/implications As the number of participants was small, the results and information retrieved from applying the ARCS model only have an indicative value; however, specific challenges to overcome are highlighted which are important for the future deployments. Practical implications Educators could use the proposed approach for deploying an engaging cybersecurity learning experience in an academic program, emphasizing on providing hands-on practice labs and featuring topics from real-world cybersecurity cases. Using the proposed approach, an educator could also monitor the progress of the participants and get qualitative and quantitative statistics regarding the learning impact for each exercise. Social implications Educators could demonstrate modern cybersecurity topics in the classroom, closing further the gap between theory and practice. As a result, students from academia will benefit from the proposed approach by acquiring technical skills, knowledge and experience through hands-on practice in real-world cases. Originality/value This paper intends to bridge the existing gap between theory and practice in the topics of cybersecurity by using CTF challenges for learning purposes and not only for testing the participants’ skills. This paper offers important knowledge for enhancing cybersecurity education programs and for educators to use CTF challenges for conducting cybersecurity exercises in academia, extracting meaningful statistics regarding the learning impact.