
24th Colloquium

November 4 - 5, 2020

Online Sessions

24th Colloquium - Academic Papers

Abstracts for accepted academic papers submitted to the 24th Colloquium are available below. We are currently evaluating research papers to be considered for publication in our bi-annual Journal of The Colloquium for Information System Security Education. For more information, or to communicate with our editorial team, please email journal@thecolloquium.org.

Experiential Activities for Risk Management Education

Michael E. Whitman; Robert L. Chaput

A core premise in the instruction of Information Security/Cybersecurity is that risk management is a cornerstone of security management, as evidenced in the promotion of GRC (Governance, Risk Management and Compliance) as the strategic triad in the trade press. While a theoretical exploration of risk management is important, the provision of an experiential activity to support the theory is valuable in cementing the knowledge in students. This paper will discuss popular risk management methodologies and examine a number of tools to support the instruction of the more common methodologies by instructors without substantial cost or learning curve.

Judging Competencies in Recent Cybersecurity Graduates

Nelbert St. Clair; John Girard

This innovative research project chronicles how cybersecurity professionals and professors rate recent cybersecurity graduates on the components of the Cybersecurity Competency Model. Noteworthy findings included that information technology graduates exhibit poor reading, writing, and some communication skills; there was a statistically significant difference between the two groups in their views on the importance of mathematics; and there was a significant difference between the two groups pertaining to (a) planning and organization and (b) working with tools of technology.

Follow the Money Through Apple Pay

Dominicia Williams; Yen-Hung (Frank) Hu; Mary Ann Hoppa

Rapid growth in the number of mobile phones and their users has brought e-commerce applications and mobile payments to the forefront, along with raising significant new cybersecurity concerns. Consumer enthusiasm for “tap-and-go” purchases must be tempered with knowledge about the new risks and responsibilities that come along with these payment technologies. This paper highlights and analyzes key risks within end-to-end mobile-payment transactions through the lens of one of the most popular services: Apple Pay. Hackers are relentlessly adapting their ploys to breach these payment systems. Proactive approaches are identified to better secure vulnerabilities in smartphones, networks, communication, consumers, merchants and banks, along with practical, proactive countermeasures and action plans.

Building Capacity for Systems Thinking in Higher Education Cybersecurity Programs

Esther A. Enright; Connie Justice; Sin Ming Loo; Eleanor Taylor; Char Sample; D. Cragin Shelton

The decentralized nature of cybersecurity programs in higher education leads to a lack of unifying knowledge, skills, and dispositions in the cybersecurity workforce. The emphasis on teaching the latest technologies and techniques without a sufficient foundation in systems thinking could result in graduating students without the capacity to function as constructive agents operating in complex systems. Having a unifying, cohesive cybersecurity systems framework can bridge some of these gaps. In this article, we argue that cybersecurity programs and courses must contextualize their instruction on a specific topic by teaching students to situate their learning on the system level. Additionally, we suggest that active learning strategies, in particular case study analysis and concept mapping, are particularly well suited to support this type of student learning. This article presents a cohesive framework for teaching systems thinking in cybersecurity programs and courses. The framework is designed to support meaningful reform in the currently decentralized, (mostly) unregulated academic ecosystem that manages the preparation of our cybersecurity workforce.

Do Users Correctly Identify Password Strength?

Jason M. Pittman; Nikki Robinson

Much of the security for information systems rests upon passwords. Yet the scale of password use is producing elevated levels of cognitive burden. Existing research has investigated the effects of this cognitive burden with a focus on weak versus strong passwords. However, the literature presupposes that users can meaningfully identify such strength. Further, there may be ethical implications of forcing users to identify password strength when they are unable to do so. Accordingly, the purpose of this study was to measure what socioeconomic characteristics, if any, led participants to identify weak and strong password strengths in a statistically significant manner. We gathered 436 participants using Amazon’s Mechanical Turk platform and asked them to identify 50 passwords as either weak or strong. Then, we employed a Chi-square test of independence to measure the potential relationship between three socioeconomic characteristics (education, profession, technical skill) and the frequency of correct weak and strong password identification. The results show significant relationships across all variable combinations except for technical skill and strong passwords, which revealed no relationship.

An Experimental setup for Detecting SQLi Attacks using Machine Learning Algorithms

Binh An Pham; Vinitha Hannah Subburaj

SQL injection attacks (SQLi attacks) have proven their danger on several website types, such as social media and e-shopping. In order to prevent such attacks from occurring, this research effort investigates efficient ways of detection and prevention, so that we can preserve each cyber-user’s right to privacy. This research effort is aimed at investigating and looking at different ways to protect websites from SQL injection attacks. In this research effort, machine learning algorithms were used to detect such SQLi attacks. Machine Learning (ML) algorithms are algorithms that can learn from the data provided and infer interesting results from the dataset. We used SQL code and user input as our data and ML algorithms to detect malicious code. The machine learning model developed in this research can detect such attacks in the future. The precision and accuracy of the machine learning algorithms in terms of predicting SQLi attacks have been calculated and reported in this research paper.
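As an added illustration of the approach the abstract describes (this is editor-written example code, not the authors' model or data), the block below trains a token-level multinomial naive Bayes classifier on a small constructed set of benign inputs and SQL injection payloads, then reports the precision and accuracy on a held-out set. The tokenizer, training strings, test strings and the choice of naive Bayes are all assumptions made here; the paper does not say which algorithm or features it used. The held-out set deliberately includes a benign string containing apostrophes (rock 'n' roll) to show the false-positive case that makes precision diverge from accuracy.

```python
"""Added example (not from the paper): a token-level multinomial naive Bayes
classifier that labels user input as SQL injection or benign, then reports
precision and accuracy on a held-out set. All samples below are constructed."""
import math
import re
from collections import Counter

# Tokens that matter for injection: identifiers/keywords, numbers, quotes,
# comment markers, statement separators, comparison and grouping characters.
TOKEN_RE = re.compile(r"[a-z_]+|\d+|--|/\*|\*/|'|\"|;|=|\(|\)|#|\|\|", re.IGNORECASE)


def tokenize(text):
    """Lowercase the input and split it into SQL-relevant tokens."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.doc_counts = Counter()                  # documents per class
        self.token_counts = {0: Counter(), 1: Counter()}
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            tokens = tokenize(text)
            self.doc_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocab.update(tokens)

    def _log_posterior(self, tokens, label):
        total_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / total_docs)
        denom = sum(self.token_counts[label].values()) + self.alpha * len(self.vocab)
        for tok in tokens:  # unseen tokens get probability alpha / denom
            logp += math.log((self.token_counts[label][tok] + self.alpha) / denom)
        return logp

    def predict(self, text):
        """Return 1 for SQLi, 0 for benign."""
        tokens = tokenize(text)
        return 1 if self._log_posterior(tokens, 1) > self._log_posterior(tokens, 0) else 0


# Constructed labelled data: 1 = SQL injection payload, 0 = benign user input.
TRAIN = [
    ("alice", 0), ("bob smith", 0), ("john.doe@example.com", 0), ("42", 0),
    ("O'Brien", 0), ("new york", 0), ("password123", 0), ("search term", 0),
    ("hello world", 0), ("product 7", 0),
    ("' or 1=1 --", 1), ("admin' --", 1), ("1; drop table users --", 1),
    ("' union select username, password from users --", 1), ("' or 'a'='a", 1),
    ("1' and sleep(5) --", 1), ("x' or 1=1 #", 1),
    ("'; exec xp_cmdshell('dir') --", 1), ("1 or 1=1", 1), ("admin'/*", 1),
]
TEST = [
    ("carol", 0), ("mary o'neil", 0), ("42 main street", 0), ("product 9", 0),
    ("rock 'n' roll", 0),                      # benign input full of quotes
    ("' or ''='", 1), ("1; select * from users", 1),
    ("admin' or 1=1 --", 1), ("1' waitfor delay '0:0:5' --", 1),
]


def evaluate(model, samples):
    """Confusion counts plus the two metrics the abstract reports."""
    tp = fp = tn = fn = 0
    for text, label in samples:
        pred = model.predict(text)
        if pred and label:
            tp += 1
        elif pred and not label:
            fp += 1
        elif not pred and label:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    accuracy = (tp + tn) / len(samples)
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "precision": precision, "accuracy": accuracy}


def run_demo():
    model = NaiveBayes()
    model.fit(TRAIN)
    return evaluate(model, TEST)


if __name__ == "__main__":
    print(run_demo())
```

On this toy data the classifier catches every injected payload but also flags "rock 'n' roll", so precision (0.8) is lower than accuracy (0.89). That is the trade-off a practitioner should watch for with token-frequency models: quote characters are strong evidence of injection, and legitimate input that contains them is where false positives come from.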

Weak Password Policies: A Lack of Corporate Social Responsibility

Tobi A. West

Data breaches continue to occur as weak password policies prevail on major websites, at costs reaching billions of dollars annually. Password attacks are a known cause of data breaches and abuse of user accounts. Enforcing strong password policies should be considered part of an organization’s corporate social responsibility. Major technology companies are socially obligated to go beyond internal policies to strengthen their password policies for external-facing consumer accounts to help reduce the risk of data breaches or sensitive data exposure. Strong, enforceable password policies are beneficial to reduce the risk of successful network attacks and prevent unauthorized access to sensitive data stored in online consumer accounts. This study includes a compilation of current password policies for major social media sites, online streaming services, and online retailers to demonstrate the lack of strong password requirements across multiple industries and spanning decades of corporate establishment in the online environment. Recommendations are provided for organizations to strengthen their password policies to align with NIST Special Publication 800-63-3 as part of their corporate social responsibility to provide protection for sensitive consumer data for millions of customers and online marketplace sellers.
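To make the alignment with NIST SP 800-63-3 concrete, here is an editor-added example (not from the paper) that implements the memorized-secret verifier rules of SP 800-63B: a length floor of 8, a generous ceiling, NFKC normalization, no composition rules, and a blocklist covering compromised or common values, repeated or sequential characters, and context-specific strings such as the username. Beside it is a composition-rule policy of the kind consumer sites commonly enforce, constructed here for contrast; the blocklist, the candidate passwords and the username "jsmith" are all assumptions for illustration, and a real deployment would check against a large breach corpus rather than a dozen literals.

```python
"""Added example (not from the paper): a memorized-secret checker following the
NIST SP 800-63B verifier requirements, beside a composition-rule policy of the
kind the paper criticises. Blocklist and candidates are constructed."""
import unicodedata

MIN_LEN = 8      # 800-63B: at least 8 characters for subscriber-chosen secrets
MAX_LEN = 128    # 800-63B: verifiers SHOULD allow at least 64; we allow 128

# Constructed stand-in for a breach corpus / common-password list.
# A real deployment would check a large corpus (e.g. a k-anonymity lookup).
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456", "12345678", "qwerty",
    "letmein", "iloveyou", "admin", "welcome", "monkey", "dragon",
}


def _has_run(s, n=4):
    """True if any character repeats n or more times in a row ('aaaa')."""
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        if run >= n:
            return True
    return False


def _has_sequence(s, n=4):
    """True if any n-character window is strictly ascending or descending
    in code points ('abcd', '4321')."""
    cps = [ord(c) for c in s]
    for i in range(len(cps) - n + 1):
        window = cps[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password_nist(password, username="", service=""):
    """Return a list of rejection reasons; an empty list means accepted.
    Implements the 800-63B rules: length floor/ceiling, Unicode normalisation,
    no composition rules, and a blocklist of compromised, common, repetitive,
    sequential and context-specific values."""
    reasons = []
    normalized = unicodedata.normalize("NFKC", password)  # 800-63B sec. 5.1.1.2
    if len(normalized) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    lowered = normalized.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in compromised/common password list")
    if _has_run(lowered):
        reasons.append("contains a repeated character run")
    if _has_sequence(lowered):
        reasons.append("contains a sequential character run")
    for label, ctx in (("username", username), ("service name", service)):
        if len(ctx) >= 3 and ctx.lower() in lowered:
            reasons.append(f"contains the {label}")
    return reasons


def legacy_composition_policy(password):
    """A composition-rule policy of the type still common on consumer sites
    (constructed for contrast): short range, four character classes, no blocklist."""
    reasons = []
    if not 6 <= len(password) <= 16:
        reasons.append("length must be 6-16 characters")
    checks = (
        ("an uppercase letter", str.isupper),
        ("a lowercase letter", str.islower),
        ("a digit", str.isdigit),
        ("a symbol", lambda c: not c.isalnum() and not c.isspace()),
    )
    for name, pred in checks:
        if not any(pred(c) for c in password):
            reasons.append(f"needs {name}")
    return reasons


def compare_policies(username="jsmith"):
    """Map each candidate to (accepted_by_legacy, accepted_by_nist)."""
    candidates = ["P@ssw0rd", "Jsmith#2024", "abcd1234",
                  "correct horse battery staple"]
    return {pw: (not legacy_composition_policy(pw),
                 not check_password_nist(pw, username=username))
            for pw in candidates}


if __name__ == "__main__":
    for pw, (legacy_ok, nist_ok) in compare_policies().items():
        print(f"{pw!r:32} legacy={legacy_ok!s:5} nist={nist_ok}")
```

The contrast is the point of the abstract: the composition policy accepts "P@ssw0rd" and "Jsmith#2024" (both satisfy every character-class rule) while rejecting a 28-character passphrase for being too long and lacking digits; the 800-63B checker does the reverse, because it judges a secret by whether it is known-bad or guessable, not by which character classes it contains.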

Higher Education Social Engineering Attack Scenario, Awareness & Training Model

Thai H. Nguyen; Sajal Bhatia

In today’s information security ecosystem, hackers and threat actors are increasingly using social engineering tactics to circumvent advanced technical security technologies. While every year there are vast leaps in technical security systems, one critical dynamic, human psychology, still needs a dire upgrade to its operating system. The human dynamic and our innate psychological processing algorithms need a new approach to mitigate social engineering attacks. Higher education institutions are prime targets for social engineering engagement missions, as they house a large, diverse population of faculty, students, alumni, and employees in their ecosystem. This diversity, paired with the increasing inclusion of international individuals, only expands the existing dynamic vulnerable landscape, thereby requiring innovative methods to secure it. In this paper, the authors utilize an existing framework to develop nine specialized and publicly available social engineering attack scenarios geared toward a higher education environment. The paper also proposes preliminary models for social engineering awareness and training to combat such attacks. The effectiveness of the proposed models will be assessed by comparing pre- and post-awareness surveys as part of future work.

Applied Cyber Security for Applied Software Engineering Undergraduate Program

Yulia Cherdantseva; Phil Smart

In the current landscape, where a constantly growing number of cyber threats is accompanied by an increasing shortage of cyber security professionals, it is essential to provide well-thought-out, hands-on cyber security education as a part of all Computer Science and Software Engineering degrees. This paper describes the experience of designing and delivering a Cyber Security module to Level 5 students on a three-year BSc Applied Software Engineering program. The key goal of the module is to instil the importance of cyber security in software development, and to teach modern security techniques in practice. While being predominantly focused on web-application security, the module also covers foundational cyber security concepts, cryptography and network security, and discusses non-technical topics including security frameworks and security economics. The paper presents the outline of the module, the configuration of the virtual machine used, and the structure and content of the sessions.

Quantum Cryptography Exercise Schedules with Concept Dependencies

A. Parakh; V. Bommanapally; P. Chundi; M. Subramaniam

The design of a gamified instructional paradigm requires careful identification of concepts, concept dependencies, and concept flow in order to achieve maximum student proficiency in a subject matter while maintaining engagement. This is especially true for difficult and counter-intuitive fields such as quantum cryptography. In this paper, we present an abstraction of the concepts that are needed to learn quantum key distribution in a gamified environment. This is coupled with a powerful adaptive navigation algorithm that guides students from one exercise to the next in the game such that maximum proficiency is achieved in the various concepts associated with each exercise. The student traverses the different lessons in the game, achieving the lesson outcomes in an efficient manner. This represents the first-of-its-kind abstraction of quantum cryptography concepts and a navigation algorithm for a gamified paradigm.

Evaluating the Effectiveness of Gamification on Students’ Performance in a Cybersecurity Course

Fikirte Demmese; Xiaohong Yuan; Darina Dicheva

The motivation of students to actively engage in course activities has significant impact on the outcome of academic courses. Prior studies have shown that innovative instructional interventions and course delivery methods have a vital role in boosting the motivation of students. Gamification tools aid course delivery by utilizing well established game design principles to enhance skill development, routine practice and self-testing. In this article, we present a study on how the use of a course gamification platform dubbed OneUp impacts the motivation of students in an online cyber security course. The study shows that more than 90% of the respondents agreed that OneUp has improved the effectiveness of the course delivery. In addition, 75% of the respondents want to use OneUp in their future courses. Furthermore, our analysis shows that OneUp has improved the median grade of students from B+ to A- compared to the same course delivered the previous year without using OneUp.

Enhancing Cyber Defense Preparation Through Interdisciplinary Collaboration, Training, and Incident Response

Tristen K. Amador; Roberta A. Mancuso; Erik L. Moore; Steven P. Fulton; Daniel M. Likarish

To enhance the capabilities of a cyber defense collaborative, a psychometric analysis team was embedded in a collaborative incident response team. Collaborative incident response community members included the State of Colorado, the Colorado National Guard, Regis University, private companies, and others. The collaborative training developed when National Guard leadership saw the Rocky Mountain Collegiate Cyber Defense Competition held at Regis, and planning began around the potential of collaborative training. The case presented shows the progressive efforts that allowed this to move from enhancing training exercises to being embedded during live cyber defense operations. Some outcomes of the psychometric evaluation are presented here as an embedded quantitative study within the framing case analysis. The case analysis is then used to formulate a generalized model designed to support opportunities for a range of interdisciplinary collaboration in support of technical endeavors with operations security requirements as exemplified by cyber defense. The resulting model provides a framework for expanding research to other disciplines.

Tempting High School Students into Cybersecurity with a Slice of Raspberry Pi

Sandra Gorka; Alicia McNett; Jacob R. Miller; Bradley M. Webb

Improving the Pipeline is an NSF grant project [1] to extend the Information Assurance and Cybersecurity pipeline into the high school environment by offering an after-school, for-college-credit course to students. This paper discusses the use of an isolated and portable Raspberry Pi network within the course.

Integration of Blockchain Concepts into Computer Science Curriculum

Eric Sakk; Shuangbao Paul Wang

In this work, we consider the nexus between blockchain technology and the computer science curriculum. While it is possible to introduce the blockchain paradigm using a single course, the depth of a single topic can often be sacrificed in favor of covering a breadth of information. As blockchain is an emerging technology, it is important to embed various concepts throughout the undergraduate curriculum with the depth necessary to reinforce each facet. Using a just-in-time approach, we define exactly where and how blockchain topics relevant to computer science should be introduced. As a means for active learning pedagogy, we introduce a lab framework for students to gain hands-on experience. Finally, we describe collaborations with industry to provide mentorship and internship opportunities.

Last modified on Friday, 18 September 2020 20:46

The Colloquium recognizes that the protection of information and infrastructures that are used to create, store, process, and communicate information is vital to business continuity and security. The Colloquium's goal is to work together to define current and emerging requirements for information assurance education and to influence and encourage the development and expansion of information assurance curricula, especially at the graduate and undergraduate levels.