Session I - November 4th

Introduction & Welcome

24th Colloquium Kick-off

  • 11:00 AM EST
  • 8:00 AM PST
  • 4:00 PM GMT

Keynote

Although 2020 is the Year of the Crisis, Only One is New

  • 11:15 AM EST
  • 8:15 AM PST
  • 4:15 PM GMT

CISSE UK

“What’s in it for me?”: Growing a Cyber Security Education Community

  • 11:45 AM EST
  • 8:45 AM PST
  • 4:45 PM GMT

EC-Council

Sponsor update

  • 12:05 PM EST
  • 9:05 AM PST
  • 5:05 PM GMT

Paper Introduction

Exploring Security Challenges

  • 12:10 PM EST
  • 9:10 AM PST
  • 5:10 PM GMT

Paper Session 1

Integration of Blockchain Concepts into Computer Science Curriculum

  • Eric Sakk, Paul Wang
Eric Sakk, Shuangbao Paul Wang

In this work, we consider the nexus between blockchain technology and computer science curriculum. While it is possible to introduce the blockchain paradigm using a single course, the depth of a single topic can often be sacrificed at the expense of covering a breadth of information. As blockchain is an emerging technology, it is important to embed various concepts throughout the undergraduate curriculum with the depth necessary to reinforce each facet. Using a just in time approach, we define exactly where and how blockchain topics relevant to computer science should be introduced. As a means for active learning pedagogy, we introduce a lab framework for students to gain hands-on experience. Finally, we describe collaborations with industry to provide mentorship and internship opportunities.

  • 12:15 PM EST
  • 9:15 AM PST
  • 5:15 PM GMT

Paper Session 4

Experiential Activities for Risk Management Education

  • Michael Whitman, Bob Chaput
Michael E. Whitman, Robert L. Chaput

A core premise in the instruction of Information Security/Cybersecurity is that risk management is a cornerstone of security management, as evidenced in the promotion of GRC (Governance, Risk Management and Compliance) as the strategic triad in the trade press. While a theoretical exploration of risk management is important, the provision of an experiential activity to support the theory is valuable in cementing the knowledge in students. This paper will discuss popular risk management methodologies and examine a number of tools to support the instruction of the more common methodologies by instructors without substantial cost or learning curve.

  • 12:35 PM EST
  • 9:35 AM PST
  • 5:35 PM GMT

Paper Session 3

Higher Education Social Engineering Attack Scenario, Awareness & Training Model

  • Thai Nguyen
Thai H. Nguyen, Sajal Bhatia

In today’s information security ecosystem, hackers and threat actors are increasingly using social engineering tactics to circumvent advanced technical security technologies. While every year there are vast leaps in technical security systems, one critical dynamic, the human psychology still needs a dire upgrade to their operating system. The human dynamic and our innate psychological processing algorithms need a new approach to mitigate social engineering attacks. Higher education institutions are prime target for social engineering engagement missions as they house a large diverse population of faculties, students, alumni, and employees in their ecosystem. This diversity paired with increasing inclusion of international individuals only expands the existing dynamic vulnerable landscape, thereby requiring innovative methods to secure it. In this paper, the authors utilize an existing framework to develop nine specialized and publicly available social engineering attack scenarios geared toward a higher education environment. The paper also proposes preliminary models for social engineering awareness and training to combat such attacks. The effectiveness of the proposed models will be assessed by comparing pre- and post- awareness surveys as part of the future work.

  • 12:55 PM EST
  • 9:55 AM PST
  • 5:55 PM GMT

Special Session

How to Use the 20 Critical Controls in Your Business

  • 1:15 PM EST
  • 10:15 AM PST
  • 6:15 PM GMT

Session I Close

Sessions Wrap Up

  • 1:35 PM EST
  • 10:35 AM PST
  • 6:35 PM GMT

Session II - November 4th

Session II Open

Session Introduction

  • 3:00 PM EST
  • 12:00 PM PST
  • 8:00 PM GMT

National Cyber League (NCL)

Sponsor Update

  • 3:10 PM EST
  • 12:10 PM PST
  • 8:10 PM GMT

Paper Introduction

Focus on Student Performance

  • 3:15 PM EST
  • 12:15 PM PST
  • 8:15 PM GMT

Paper Session 5

Evaluating the Effectiveness of Gamification on Students’ Performance in a Cybersecurity Course

  • Fikirte Demmese
Fikirte Demmese, Xiaohong Yuan, Darina Dicheva

The motivation of students to actively engage in course activities has significant impact on the outcome of academic courses. Prior studies have shown that innovative instructional interventions and course delivery methods have a vital role in boosting the motivation of students. Gamification tools aid course delivery by utilizing well established game design principles to enhance skill development, routine practice and self-testing. In this article, we present a study on how the use of a course gamification platform dubbed OneUp impacts the motivation of students in an online cyber security course. The study shows that more than 90% of the respondents agreed that OneUp has improved the effectiveness of the course delivery. In addition, 75% of the respondents want to use OneUp in their future courses. Furthermore, our analysis shows that OneUp has improved the median grade of students from B+ to A- compared to the same course delivered the previous year without using OneUp.

  • 3:20 PM EST
  • 12:20 PM PST
  • 8:20 PM GMT

Paper Session 6

Judging Competencies in Recent Cybersecurity Graduates

  • John Girard
Nelbert St. Clair, John Girard

This innovative research project chronicles how cybersecurity professionals and professors rate recent cybersecurity graduates in the components of Cybersecurity Competency Model. Noteworthy findings included that information technology graduates exhibit poor reading, writing, and some communication skills; there was a statistically significant difference between the two groups in their thoughts on the importance of mathematics; and there was a significant difference between the two groups pertaining to (a) planning and organization and (b) working with tools of technology.

  • 3:40 PM EST
  • 12:40 PM PST
  • 8:40 PM GMT

Paper Session 7

Tempting High School Students into Cybersecurity with a Slice of Raspberry Pi

  • Sandra Gorka
Sandra Gorka, Alicia McNett, Jacob R. Miller, Bradley M. Webb

Improving the Pipeline is an NSF grant project [1] to extend the Information Assurance and Cybersecurity pipeline into the high school environment by offering an after-school for college credit course to students. This paper discusses the use of an isolated and portable Raspberry Pi network within the course.

  • 4:00 PM EST
  • 1:00 PM PST
  • 9:00 PM GMT

Paper Introduction

Building Better Educational Programs

  • 4:20 PM EST
  • 1:20 PM PST
  • 9:20 PM GMT

Paper Session 8

Applied Cyber Security for Applied Software Engineering Undergraduate Program

  • Yulia Cherdantseva
Yulia Cherdantseva, Phil Smart

In the current landscape where a constantly growing number of cyber threats is accompanied by the increasing shortage of cyber security professionals, it is essential to provide a well thought-out hands-on cyber security education as a part of all Computer Science and Software Engineering degrees. This paper described the experience of designing and delivering a Cyber Security module to Level 5 students on a three-year BSc Applied Software Engineering program. The key goal of the module is to instil the importance of cyber security in software development, and to teach in practice modern security techniques. While being predominantly focused on web-application security, the module also covers foundational cyber security concepts, cryptography and network security, and discusses non-technical topics including security frameworks and security economics. The paper presents the outline of the module, the configuration of the virtual machine used, the structure and content of sessions.

  • 4:25 PM EST
  • 1:25 PM PST
  • 9:25 PM GMT

Paper Session 9

Building Capacity for Systems Thinking in Higher Education Cybersecurity Programs

  • Connie Justice, D. Cragin Shelton
Esther A. Enright, Connie Justice, Sin Ming Loo, Eleanor Taylor, Char Sample, D. Cragin Shelton

The decentralized nature of cybersecurity programs in higher education leads to a lack of unifying knowledge, skills, and dispositions in the cybersecurity workforce. The emphasis on teaching the latest technologies and techniques without a sufficient foundation in systems thinking could result in graduating students without the capacity to function as constructive agents operating in complex systems. Having a unifying, cohesive cybersecurity systems framework can bridge some of these gaps. In this article, we argue that cybersecurity programs and courses must contextualize their instruction on a specific topic by teaching students to situate their learning on the system level. Additionally, we suggest that active learning strategies, in particular case study analysis and concept mapping, are particularly well suited to support this type of student learning. This article presents a cohesive framework for teaching systems thinking in cybersecurity programs and courses. The framework is designed to support meaningful reform in the currently decentralized, (mostly) unregulated academic ecosystem that manages the preparation of our cybersecurity workforce.

  • 4:45 PM EST
  • 1:45 PM PST
  • 9:45 PM GMT

Paper Session 10

Enhancing Cyber Defense Preparation Through Interdisciplinary Collaboration, Training, and Incident Response

  • Tristen Amador
Tristen K. Amador, Roberta A. Mancuso, Erik L. Moore, Steven P. Fulton, Daniel M. Likarish

To enhance the capabilities of a cyber defense collaborative, a psychometric analysis team was embedded in a collaborative incident response team. Collaborative incident response community members included the State of Colorado, the Colorado National Guard, Regis University, private companies, and others. The collaborative training developed when National Guard leadership saw the Rocky Mountain Collegiate Cyber Defense Competition held at Regis, and planning began around the potential of collaborative training. The case presented shows the progressive efforts that allowed this to move from enhancing training exercises to being embedded during live cyber defense operations. Some outcomes of the psychometric evaluation are presented here as an embedded quantitative study within the framing case analysis. The case analysis is then used to formulate a generalized model designed to support opportunities for a range of interdisciplinary collaboration in support of technical endeavors with operations security requirements as exemplified by cyber defense. The resulting model provides a framework for expanding research to other disciplines.

  • 5:05 PM EST
  • 2:05 PM PST
  • 10:05 PM GMT

Session II Close

Sessions Wrap Up

  • 5:25 PM EST
  • 2:25 PM PST
  • 10:25 PM GMT

Session III - November 5th

Session III Open

Session Introduction

  • 11:00 AM EST
  • 8:00 AM PST
  • 4:00 PM GMT

Keynote

U.S. Equities Process

  • 11:10 AM EST
  • 8:10 AM PST
  • 4:10 PM GMT

The Colloquium

Annual Awards

  • 11:40 AM EST
  • 8:40 AM PST
  • 4:40 PM GMT

Jones & Bartlett Learning

Sponsor update

  • Mike Sullivan, Ned Hinman
  • 11:55 AM EST
  • 8:55 AM PST
  • 4:55 PM GMT

Paper Introduction

Vital Passwords

  • Stephen Miller
  • 12:00 PM EST
  • 9:00 AM PST
  • 5:00 PM GMT

Paper Session 11

Weak Password Policies: A Lack of Corporate Social Responsibility

  • Tobi West
Tobi A. West

Data breaches continue to occur as weak password policies prevail on major websites, at costs reaching billions of dollars annually. Password attacks are a known cause of data breaches and abuse of user accounts. Enforcing strong password policies should be considered part of an organization’s corporate social responsibility. Major technology companies are socially obligated to go beyond internal policies to strengthen their password policies for external-facing consumer accounts to help reduce the risk of data breaches or sensitive data exposure. Strong, enforceable password policies are beneficial to reduce the risk of successful network attacks and prevent unauthorized access to sensitive data stored in online consumer accounts. This study includes a compilation of current password policies for major social media sites, online streaming services, and online retailers to demonstrate the lack of strong password requirements across multiple industries and spanning decades of corporate establishment in the online environment. Recommendations are provided for organizations to strengthen their password policies to align with NIST Special Publication 800-63-3 as part of their corporate social responsibility to provide protection for sensitive consumer data for millions of customers and online marketplace sellers.

  • 12:05 PM EST
  • 9:05 AM PST
  • 5:05 PM GMT

Paper Session 12

Do Users Correctly Identify Password Strength?

  • Nikki Robinson
Jason M. Pittman, Nikki Robinson

Much of the security for information systems rests upon passwords. Yet, the scale of password use is producing elevated levels of cognitive burden. Existing research has investigated the effects of this cognitive burden with a focus on weak versus strong passwords. However, the literature presupposes that users can meaningfully identify such. Further, there may be ethical implications of forcing users to identify password strength when they are unable to do so. Accordingly, the purpose of this study was to measure what socioeconomic characteristics, if any, led participants to identify weak and strong password strengths in a statistically significant manner. We gathered 436 participants using Amazon’s Mechanical Turk platform and asked them to identify 50 passwords as either weak or strong. Then, we employed a Chi-square test of independence to measure the potential relationship between three socioeconomic characteristics (education, profession, technical skill) and the frequency of correct weak and strong password identification. The results show significant relationships across all variable combinations except for technical skill and strong passwords which revealed no relationship.

  • 12:25 PM EST
  • 9:25 AM PST
  • 5:25 PM GMT

Paper Introduction

Watching the Adversary

  • William Butler
  • 12:45 PM EST
  • 9:45 AM PST
  • 5:45 PM GMT

Paper Session 13

An Experimental setup for Detecting SQLi Attacks using Machine Learning Algorithms

  • Binh An Pham, Vinitha Subburaj
Binh An Pham, Vinitha Hannah Subburaj

SQL injection attacks (SQLi attacks) have proven their danger on several website types such as social media, e-shopping, etc... In order to prevent such attacks from occurring, this research effort investigates on efficient ways of detection and prevention, so that we can preserve each cyber-user’s right of privacy. This research effort is aimed at investigating and looking at different ways to protect websites from SQL injection attacks. In this research effort, machine learning algorithms were used to detect such SQLi attacks. Machine Learning (ML) algorithms are algorithms that can learn from the data provided and infer interesting results from the dataset. We used SQL code and user input as our data and ML algorithms to detect malicious code. The machine learning model developed in this research can detect such attacks from happening in future. The precision and accuracy of the machine learning algorithms in terms of predicting the SQLi attacks has been calculated and reported in this research paper.

  • 12:50 PM EST
  • 9:50 AM PST
  • 5:50 PM GMT

Paper Session 14

Follow the Money Through Apple Pay

  • Yen-Hung (Frank) Hu
Dominicia Williams, Yen-Hung (Frank) Hu, Mary Ann Hoppa

Rapid growth in the number of mobile phones and their users has brought ecommerce applications and mobile payments to the forefront along with raising significant new cybersecurity concerns. Consumer enthusiasm for “tap-and-go” purchases must be tempered with knowledge about new risks and responsibilities that come along with these payment technologies. This paper highlights and analyzes key risks within end-to-end mobile-payment transactions through the lens of one of the most popular services: Apple Pay. Hackers are relentlessly adapting their ploys to breach these payment systems. Proactive approaches are identified to better secure vulnerabilities in smartphones, networks, communication, consumers, merchants and banks, along with practical, proactive countermeasure and action plans.

  • 1:10 PM EST
  • 10:10 AM PST
  • 6:10 PM GMT

Paper Session 2

Quantum Cryptography Exercise Schedules with Concept Dependencies

  • Abhishek Parakh
Abhishek Parakh, Vidya Bommanapally, Parvathi Chundi, Mahadevan Subramaniam

The design of a gamified instructional paradigm requires careful identification of concepts, concept dependencies, and concept flow in order to achieve maximum student proficiency, in a subject matter, while maintaining engagement. This is especially true for difficult and counter-intuitive fields such as quantum cryptography. In this paper, we present an abstraction of concepts that are needed to learn quantum key distribution in a gamified environment. This is coupled with a powerful adaptive navigation algorithm that guides students from one exercise to the next in the game such that maximum proficiency is achieved in various concepts associated with each exercise. The student traverses through different lessons in the game achieving the lesson outcomes in an efficient manner. This represents the first of its kind abstraction of quantum cryptography concepts and a navigation algorithm for a gamified paradigm.

  • 1:30 PM EST
  • 10:30 AM PST
  • 6:30 PM GMT

The Colloquium

Conference Announcement

  • 1:50 PM EST
  • 10:50 AM PST
  • 6:50 PM GMT

Conclusion

Session Complete

  • 1:55 PM EST
  • 10:55 AM PST
  • 6:55 PM GMT