Improving Cyber Security Education

Members and Collaborators


Computer and Network Security are very dynamic fields, with new threats and defenses appearing daily. There is a growing demand for competent workforce in these fields throughout US industries and government agencies, with main job requirements being experience and practical skills. Many universities teach security topics at the undergraduate and the graduate level. But in sharp contrast to market trends, security education in universities is often conducted in classrooms, with use of textbooks, blackboard and slides, and with focus on theory and case studies. The resulting students are not fully prepared to meet real security challenges in the real world. This approach also reduces retention in Computer Science, as passive learning lessens student motivation.

In our research we create publicly available education materials for active learning of cybersecurity concepts. Such learning increases student engagement and motivation, and helps them internalize concepts they learned in class through exercising them on a testbed, in a safe but realistic network environment.

Our research also focuses on understanding how people learn with testbeds, and overcoming technical challenges in this learning through automated intervention.

Homework Exercises

With a team of cyber security educators, we have developed homework exercises that utilize DeterLab testbed to demonstrate various attacks and defenses. All the exercises are publicly available at DeterLab's education Web page.

Class Capture-the-Flag Exercises

Cybersecurity is a unique field of science and engineering, because its main challenges are not solely dictated by technological limitations or the theoretical complexity of the underlying problems. Rather, cybersecurity advances are driven by the clash of minds -- researchers create new defenses and criminals adapt their attacks in response. This adversarial game is at the heart of each cybersecurity challenge, but it is sadly absent from cybersecurity education. The ACM defines three types of learning outcomes in their Computer Science Curricula 2013:

  1. Familiarity -- A student understands the concept at the theoretical level. This is usually achieved via textbooks and lectures.
  2. Usage -- A student understands the concept and can apply it correctly when a situation requires it. This is usually achieved by a mix of lectures and practical exercises that are well-specified and demonstrate basic concepts.
  3. Assessment -- A student understands the concept, can correctly recognize the given concept in practice, can weigh it and related concepts as solutions to some problem and can apply each of them correctly. This is usually achieved by a mix of lectures and practical exercises that are open and allow for exploration and decision-making.

As students advance on their learning path from familiarity to assessment, student engagement, interest and retention increase. Currently, many security classes are taught the old-fashioned way, using textbooks and lectures, with focus on theory and case studies. This leads only to familiarity learning outcomes and results in narrowly educated and poorly trained professionals. Commendably, some classes include hands-on exercises to demonstrate concepts taught in lectures, and lead to usage learning outcomes. This is necessary but not sufficient. Students acquire some practical skills performing these exercises but do not get to experience the adversarial nature of the field, nor do they get to apply their newly acquired skills to novel situations where success depends on their inventiveness, ability to make the right decisions quickly and work in a team. These skills are needed daily in a cybersecurity career. Accordingly, the better equipped our students are with these skills when they graduate, the more quickly and competently they will enter the work force.

We aim to revitalize security education through class capture-the-flag exercises (CCTFs). These are small-scoped Capture-the-Flag (CTF) exercises, designed to require a few weeks of preparation from students and to be conducted in as little time as a two-hour class. They engage teams of students in attack-defense scenarios. Each team plays both the defense and the attack role, which enables them to understand and acquire the adversarial thinking model needed for a cybersecurity career. We have designed CCTFs to require minimal support from teachers -- their setup and scoring is automated and they are conducted on the DeterLab testbed. Each CCTF focuses on one security topic (e.g., cryptography, exploits, denial-of-service, etc.). This scoping enables students to exercise skills they have recently learned in class and possibly practiced through hands-on exercises. After each CCTF, a teacher leads an in-class post-mortem analysis on the event, enabling students to identify what they did right or wrong and to improve for future competitions. We believe that these exercises will help students achieve the assessment learning outcome and own the material they learned in class at a deeper, more masterful level -- while also having a lot of fun.

Studying How People Learn With Testbeds

This effort develops ACSLE – a framework for automated assessment of student learning in practical cybersecurity exercises. ACSLE engages in constant and extensive monitoring of student interaction with the computer and it correlates these activities with desired learning outcomes. Based on the collected data and based on observation of different student activities on the same practical task, ACSLE builds a knowledge base of successful and unsuccessful paths. Using this knowledge, ACSLE ca: (1) identify paths that lead to failure and alert students and instructors in a timely manner, (2) suggest that contain helpful information (3) alert the instructor to provide hints to students who struggle with a task, (4) alert instructors to difficult tasks, where majority of students require help.

Software and Datasets

All software and materials derived in this work are available via Shared Materials section on DeterLab testbed.


These efforts are supported by the NSF DUE grant #0920719, NSF Cybercorps grant #1723717, NSF SaTC grant #1224035, and DHS grant #N66001-07-C-2001. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or of the Department of Homeland Security.