https://cisse.info/journal/index.php/cisse/gateway/plugin/WebFeedGatewayPlugin/atom
Journal of The Colloquium for Information Systems Security Education
2024-02-27T19:57:04+00:00
Andrew Belón
abelon@thecolloquium.org
Open Journal Systems
<p>The Colloquium for Information Systems Security Education (CISSE) community meets every year in a different part of the country in order to elaborate and further discuss the most effective means of maintaining a high standard of excellence in practice in cybersecurity education. In order to have any credibility as a source of new and evolving knowledge, it is important that the highest academic standards apply to the presentation of new knowledge to the membership.</p>

https://cisse.info/journal/index.php/cisse/article/view/191
Small Cities, Big Threats
2024-02-27T20:53:53+00:00
Addy Moran, Ford Powers, Ashley Billman, Christian Perry
<p><strong>The following is a partner paper published to the CISSE journal. For more information, please visit the <a href="https://pisces-intl.org/" target="_blank" rel="noopener">PISCES</a> website.</strong></p> <p>Small town governments were once thought to be at a lower risk from cyber threat actors due to their geographical isolation and small digital footprint. The past few years have shown that to be definitively false, with several different threat actors successfully attacking local municipalities, ultimately causing disruptions to critical services, monetary loss, and privacy breaches. With the now ubiquitous presence of the internet, the reality is small city governments are at the same, if not even higher, overall risk of being attacked as large entities. For small municipalities and organizations, there may not be much opportunity to invest additional resources into cyber security due to staffing concerns and limited budgets. This paper will discuss how, while it may seem the overall risk of a cyberattack is lower because these organizations are “small fish”, the probability and impact of an attack are just as high, if not higher in some circumstances, than large, high visibility organizations.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/190
The PISCES Approach to Cyber Education
2024-02-27T20:53:53+00:00
Addy Moran, Ford Powers, Lisa Campbell, Melanie Rodriguez
<p><strong>The following is a partner paper published to the CISSE journal. For more information, please visit the <a href="https://pisces-intl.org/" target="_blank" rel="noopener">PISCES</a> website.</strong></p> <p>The Public Infrastructure Security Cyber Education System (PISCES) program has had significant impact on the cyber security posture of small municipalities and has helped develop qualified entry-level cyber analysts with real-world experience. Due to the ever-evolving nature of cyber security, adjusting our cyber security educational approach to be just as flexible is of dire importance. This paper will address how the PISCES program educates the students and partners with the municipalities, the aspects of cyber security training that PISCES does not cover and makes suggestions on how cyber security training can be applied to other situations.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/189
What Is Interesting and Relevant About Cybersecurity?
2024-02-27T20:53:53+00:00
Cheryl Resch, Jinnie Shin, Christina Gardner-McCune
<p>Cyber attacks are a common feature of current news and many of them are the result of easy to avoid vulnerabilities in software. It is imperative that students graduating from an undergraduate Computer Science (CS) curriculum understand the consequences of vulnerable code. When developing lessons and assignments, it would be useful to have a sense of students’ attitude toward cybersecurity and appreciation of the need to write secure code. This paper describes an analysis of the results of a survey of students in core CS courses at our large public university, in which students answer free response questions about what they find interesting and relevant about cybersecurity. The survey was conducted in Fall 2022 and repeated in Spring 2023 after cybersecurity interventions were introduced into several core CS courses. We performed a Natural Language Processing (NLP) analysis of the free response answers to determine the overarching themes in the responses. We found that the most prevalent topics students are interested in are cryptography and penetration testing, and did not change over the two semesters. In answer to the question about the relevance of studying cybersecurity, we found that as students progress through the curriculum, what students find relevant moves from protecting their personal data to its importance in job duties and writing secure programs. When developing lessons and assignments, it may be helpful to introduce cryptography or penetration testing to engage students. Also, students should be taught early and often about the relevance of cybersecurity in their future job duties.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/188
Transforming Cyber Education thru Open to All Accessible Pathways
2024-02-27T20:53:53+00:00
Sin Ming Loo, Elizabeth Khan, Eleanor Taylor, Char Sample
<p>Boise State University’s (BSU) Cyber Operations and Resilience CORe program was intentionally designed so that any student, especially non-traditional and non-technical students, with an interest in cybersecurity could have an education and training pathway to enter the cyber workforce. The CORe curriculum focuses on teaching students how to design, apply, and improve cybersecurity through the interaction of people, processes, and technology. CORe is a stackable curriculum with elective credit hours and options for various academic and industry certificates and certifications that enable students to customize their unique career pathway. The CORe program guides students to think about the system being managed, the risks presented, and the dynamic intersection of system elements when considering how to incorporate resilience frameworks in achieving a resilient system. By developing systems thinking, the students gain an understanding of the interdependencies interacting with the operational system. The CORe program encourages students to integrate cybersecurity knowledge with models and frameworks found in other academic disciplines through a unifying systems approach. CORe is designed around the realities of today’s broad cyber landscape: that breaches will occur in any system over time and proactive design of resilience into systems to detect, respond, and recover in a timely and orderly manner is critical. Students are taught to think holistically about cybersecurity focusing on all system elements. CORe is not a traditional cybersecurity degree. CORe is distinguished by the non-traditional engineering, computer science approach to cybersecurity education with the singular focus on infusing resilience operations and transdisciplinary systems thinking principles throughout the curriculum.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/187
The Design and Development of Hands-on Activities for Digital Forensics Education
2024-02-27T20:53:53+00:00
Xinli Wang, Vijay Bhuse, Sara Sutton
<p>It has been widely admitted by researchers and educators that hands-on activities are a core component in digital forensics education to help students gain practical skills that are needed in real-world forensic investigations. However, it is not clear in existing works about what kinds of hands-on activities are recommended to be integrated into a digital forensics course and how to design and develop them. In our teaching practice, hands-on activities for a digital forensics course are designed in three categories: 1) activities that assist students in learning how to use common digital forensics tools; 2) activities that help students gain in-depth understanding of the basic concepts and fundamental knowledge that are presented in class lectures; 3) activities that promote students' development of mindsets and data analytical skills that are needed for a digital forensic investigator. Various formats are employed to develop these hands-on exercises in different categories. The educational objectives and student learning outcomes map well to the CAE-CD (Centers of Academic Excellence - Cyber Defense) outcomes by completing their forensic knowledge units. In this paper, we share our idea and experience to design and implement such hands-on assignments in each category for meeting specific educational objectives. Sample exercises are briefly described to explain our idea in each category. Open source tools and data sets are introduced for references. Experiences, lessons, and sample feedback from students are discussed. Our results will provide a point of reference for those who teach digital forensics courses at a college or university, or are developing a digital forensic curriculum.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/186
Leveraging Gamification and Game-based Learning in Cybersecurity Education
2024-02-27T20:53:53+00:00
Lowri Williams, Eirini Anthi, Yulia Cherdantseva, Amir Javed
<p>This paper investigates the use of gamification and game-based learning in the field of cybersecurity education. Due to their technical complexity and lack of coherence, traditional pedagogical methods, such as lectures, may fail to engage and inspire students, especially those from non-cyber backgrounds. To address this issue, we devised two distinct cybersecurity frameworks/games based on traditional Capture The Flag (CTF) competitions; an open-ended CTF event and a story-based CTF. Such games have demonstrated potential across multiple disciplines, including computer science, physics, mathematics, and engineering, as well as across multiple levels of study including undergraduate and postgraduate students. The positive feedback and significant increase in the interest to pursue a postgraduate course in cybersecurity, especially among non-cybersecurity students, attest to the success of this gamification strategy. As such, this paper provides valuable insights for enhancing the attractiveness and efficacy of cybersecurity education, thereby encouraging a broader spectrum of non-technical and non-cybersecurity students to pursue this crucial field.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/185
Impact of a Cybersecurity Work-Related Course on Students' Career Thoughts and Attitudes
2024-02-27T20:53:54+00:00
Marcia Combs, Randall Joyce, Cain Bynum
<p>This article proposes a research study conducted at Murray State University Cybersecurity and Network Management program to investigate the impact of work-related experiential learning on college students' career thoughts and attitudes within the context of cybersecurity career development. The Cybersecurity and Network Management program introduced the CNM 518 course based on the Public Infrastructure Security Cyber Education System (PISCES) project that offers practical, hands-on experiences. The proposed research project, slated for Spring 2024, aims to assess how this work-related experiential learning influences students' career thoughts and attitudes, using the Career Thoughts Inventory as a measurement tool. This research project emphasizes the importance of reflective learning within CNM 518 and aims to contribute empirical evidence on the impact of work-related experiential learning on students' career thoughts and how such learning experiences positively influence the career decision-making processes and, subsequently, the broader field of cybersecurity education.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/184
Immersive Learning
2024-02-27T20:53:54+00:00
Denise Ferebee, Jerome Blakemore, Marcus Kelly, Zina Parker, Micheal Zhou, Tyana White, Farheen Dahani, Jiya Webster
<p>Teaching cybersecurity professionals has changed from applying puzzle-based learning scenarios, general tabletops, and general gamification to an immersive learning environment. In today's teaching environment, there are known methods to teach cybersecurity tool techniques. However, beyond the technical aspect, cybersecurity professionals need to understand the psychology of crime. These teaching and learning needs have become more prevalent in criminal justice, education, and computer science degree programs and aspects of job professions because learners need to understand and be able to recognize why crimes are committed. Thus, opening another major area of research in cybersecurity. Teaching someone what it means to protect systems, networks, and programs from digital attacks is difficult. Each person needs some frame of reference. Through their personal frame of reference, they discern and consume the information and find a basis for its purpose. This is known as the learning process and each individual journey is different. The learning process is affected by personal experience. Thus, creating a climate for misunderstanding through applying personal experiences to a situation that may have had a different personal or professional interaction. Because of misunderstandings and unconscious bias that occur in this type of learning structure, the misunderstandings and unconscious bias have the potentiality of being propagated into professional career interactions and investigations. Thus, this project will present a learning platform/framework to explore cybersecurity methods, discern interactions, explore the psychology of why a crime is committed through a collaborative virtual reality (VR) immersive environment.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/183
Evaluation of AI Models to Update Cybersecurity Curriculum
2024-02-27T20:53:54+00:00
Chizoba Ubah, Paige Zaleppa, Blair Taylor, Siddharth Kaza
<p>This study explores the performance of several Large Language Models (LLMs) across different facets of Cybersecurity Modules. Using prompt engineering, this work evaluates publicly available LLMs for their ability to assess the suitability of secure coding topics based on learning outcomes, categorize these topics following OWASP standards, and generate up-to-date examples for curriculum use. The findings would highlight the transformative role that LLMs would play for future advancements in Cybersecurity education.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/182
Develop and Disseminate Hands-on Lab Materials of Privacy Concepts and Technologies to Educators
2024-02-27T20:53:54+00:00
Na Li, Lin Li, Mengjun Xie, Bugrahan Yalvac
<p>In the era of digitalization, a massive amount of data has been generated from people’s online activities or use of portable/wearable devices. The data often carries rich information about people. Therefore, privacy technologies are needed, from data generation to usage and from transmission to storage, to protect people’s sensitive information. Although the research community is making great progress in addressing advanced privacy protection technologies, very few educational materials have been developed to incorporate the latest research results and engage students in learning privacy technologies, especially for younger generations. In this paper, we present our newly designed educational materials on privacy technologies, which can be used for training high quality cybersecurity professionals to meet the ever-increasing demand. The developed learning modules not only incorporate the latest research results in privacy technologies but also include effective hands-on lab activities. To help other institutions effectively teach privacy technologies, we organized a faculty training workshop in summer 2022. Twenty-nine faculty from twenty institutions nationwide participated in the training. Survey results show that the participants gained a better understanding of privacy issues and demonstrated strong interest in teaching privacy technologies after attending the workshop.</p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/181
Creating a Practical Education in Space Cybersecurity Through Antenna Design and Implementation
2024-02-27T20:53:54+00:00
Clark Duncan, Randall Joyce, Spencer Bugg, Jason Marquardt, Marcia Combs
<p><span>With the increasing concerns over cybersecurity and space systems, preparing the next generation of cybersecurity professionals is critical. In this research, undergraduate and graduate students were exposed to cybersecurity and space systems through practical antenna design and implementation in hopes of capturing pirate communication signals while in the Western Kentucky area. Students designed and built turnstile and helical antennas that focused on the 255 MHz and 318 MHz frequencies that interfaced with software-defined radios. With these systems, students were able to capture a limited range of low earth orbiting (LEO) satellite communications while ascertaining an understanding of satellite communication fundamentals. Overall, students were able to gain an understanding of antenna design, the importance of radio frequency, and satellite communications.</span></p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/180
Assessing the Effectiveness and Security Implications of AI Code Generators
2024-02-27T20:53:54+00:00
Maryam Taeb, Hongmei Chi, Shonda Bernadin
<p><span>Students, especially those outside the field of cybersecurity, are increasingly turning to Large Language Model (LLM)-based generative AI tools for coding assistance. These AI code generators provide valuable support to developers by generating code based on provided input and instructions. However, the quality and accuracy of the generated code can vary, depending on factors such as task complexity, the clarity of instructions, and the model’s familiarity with the programming language. Additionally, these generated codes may inadvertently utilize vulnerable built-in functions, potentially leading to source code vulnerabilities and exploits. This research undertakes an in-depth analysis and comparison of code generation, code completion, and security suggestions offered by prominent AI models, including OpenAI CodeX, CodeBert, and ChatGPT. The research aims to evaluate the effectiveness and security aspects of these tools in terms of their code generation, code completion capabilities, and their ability to enhance security. This analysis serves as a valuable resource for developers, enabling them to proactively avoid introducing security vulnerabilities in their projects. By doing so, developers can significantly reduce the need for extensive revisions and resource allocation, whether in the short or long term.</span></p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/179
Assessing Common Software Vulnerabilities in Undergraduate Computer Science Assignments
2024-02-27T20:53:54+00:00
Andrew Sanders, Gursimran Singh Walia, Andrew Allen
<p><span>As the demand for secure coding education grows, there is a need for improvements in how secure coding is taught and in preparing students to develop more secure software. As time in a Computer Science classroom is finite, educational efforts should be placed on targeting the most common types of vulnerabilities to better prepare students to avoid common security pitfalls in coding. Existing research in this area mainly focuses on developing vulnerability detection tools rather than analyzing the types of commonly produced vulnerabilities by students. Limited research exists in determining common student-produced vulnerabilities, and the available studies differ from the types of vulnerabilities that are researched in vulnerability detection literature. Our research works to further establish the types of vulnerabilities produced by students by using a static analysis tool on assignment code submissions in an undergraduate Programming II (CS2) course. We present our findings on what types of vulnerabilities are commonly produced by students and contrast them with what is commonly researched in the literature. We find there is little overlap between the vulnerability types reported by our study and other studies in the research area. This research has potential implications for secure coding education in a Computer Science curriculum. Further work should be done to establish the contexts in which specific vulnerability types are more likely to be produced and how to best teach students to avoid producing these vulnerabilities.</span></p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/178
An Exploration of Factors Influencing Oversharing on Facebook Groups
2024-02-27T20:53:54+00:00
Marc Dupuis, Breanna Powell, Margaret Lanphere, Manual Duarte, Billy Hao
<p><span>Social media usage is extremely prevalent and so is the oversharing of personal information online. This paper aims to examine the factors that influence information disclosure on Facebook and how participation in groups may affect sharing behaviors. Groups can provide a more intimate and supportive environment, which may lead to excessive information sharing. An online survey was conducted on Amazon’s Mechanical Turk platform with 373 accepted responses from self-reported Facebook users. The data was analyzed to determine which demographic and personality factors are correlated with oversharing behaviors on user profiles and within Facebook groups. This work has implications for understanding how individuals seek support online and what information they feel comfortable disclosing. Oversharing may increase user feelings of social support but also may make users vulnerable to cyberbullying and social engineering attacks.</span></p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/177
An Analysis of Prerequisites for Artificial Intelligence / Machine Learning-Assisted Malware Analysis Learning Modules
2024-02-27T20:53:54+00:00
Portia Pusey, Maanak Gupta, Sudip Mittal, Mahmoud Abdelsalam
<p><span>This paper presents the findings of action research conducted to evaluate new modules created to teach learners how to apply machine learning (ML) and artificial intelligence (AI) techniques to malware data sets. The trend in the data suggests that learners with cybersecurity competencies may be better prepared to complete the AI/ML modules’ exercises than learners with AI/ML competencies. We describe the challenge of identifying prerequisites that could be used to determine learner readiness, report our findings, and conclude with the implications for instructional design and teaching practice.</span></p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/176
Addressing the Need for Interculturality in Cybersecurity Education
2024-02-27T20:53:54+00:00
Stephanie Swartz, Deveeshree Nayak
<p><span>This paper addresses the need for incorporating global virtual team (GVT) projects into cybersecurity education curricula in an effort to develop students’ understanding of different cultures and hone their abilities to work across multiple time zones, communicate using digital communication platforms, and improve their virtual project and time management skills. An example of a GVT project, Virtual Business Professional, is presented in order to illustrate how collaborative online international learning (COIL) can be embedded into IT-related coursework. It is the authors’ intention to encourage instructors and administrators at institutions of higher learning to support and carry out transdisciplinary GVT projects in order to best prepare graduates for the challenges of the 21st century global workplace.</span></p>
2024-02-27T00:00:00+00:00
Copyright (c) 2024

https://cisse.info/journal/index.php/cisse/article/view/175
Virginia Cyber Navigator Internship Program (VA-CNIP)
2023-03-08T15:58:35+00:00
Angela Orebaugh, Jack Davidson, Deborah Johnson, Daniel Graham, Worthy Martin
<p><span>A coalition of Virginia universities, in partnership with the Virginia Department of Elections (ELECT), launched the Virginia Cyber Navigator Internship Program (VA-CNIP) – an innovative educational program to develop future cybersecurity professionals to protect the election infrastructure. The program addresses the need for more skilled cybersecurity professionals, and those who are supporting public services such as elections. This paper provides an overview of the key components of the program: a full semester gateway course covering sociotechnical election topics, a two-day kickoff bootcamp to prepare students for their internship, an internship with an election office, and a one-day debrief and assessment at the end of the internship.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/174
Techniques to Overcome Network Attacks (Sybil Attack, Jamming Attack, Timing Attack) in VANET
2023-03-08T15:58:35+00:00
Sinan Ameen Noman, Travis Atkison
<p><span>VANET is a type of ad hoc network that enables the communication between vehicles and roadside units. It provides a broad range of applications, such as blind crossing, accident avoidance, protection, interactive route planning, traffic situation monitoring in real-time, etc. These applications are required to be very secure to achieve a reliable service and provide safety for drivers. This paper sheds light on three different types of attacks (Sybil Attack, Jamming Attack, Timing Attack) that can critically affect the vehicular ad hoc network environment. Furthermore, we present techniques that can overcome these attacks.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/173
Teaching Software Security to Novices With User Friendly Armitage
2023-03-08T15:58:35+00:00
Christopher Morales-Gonzalez, Matthew Harper, Xinwen Fu
<p><span>With cybercrime increasing by 600% during the COVID-19 pandemic, the demand for cybersecurity professionals has also risen significantly. There are roughly 700,000 unfilled cybersecurity positions that continue to affect businesses and have the potential to cause significant problems. Education for novice cybersecurity students suffers from teaching materials not being practical, modern, or intuitive enough to inspire these students to pursue a career in the cybersecurity field. In this paper, we present our methodology and create a module for teaching the basics of software security using Armitage and Metasploit. We design our module and hands-on labs using a preconfigured Windows 10 VM, a Metasploitable VM and a Kali Linux VM with custom-made tools. Our methodology and module are validated through the results of a GenCyber high school cybersecurity camp. The module is available at GitHub.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/172
Teaching Offensive and Defensive Cyber Security in Schools using a Raspberry Pi Cyber Range
2023-03-08T15:58:35+00:00
Phil Legg, Alan Mills, Ian Johnson
<p><span>Computer Science as a subject is now appearing in more school curricula for GCSE and A level, with a growing demand for cyber security to be embedded within this teaching. Yet, teachers face challenges with limited time and resource for preparing practical materials to effectively convey the subject matter. We hosted a series of workshops designed to understand the challenges that teachers face in delivering cyber security education. We then worked with teachers to co-create practical learning resources that could be further developed as tailored lesson plans, as required for their students. In this paper, we report on the challenges highlighted by teachers, and we present a portable and isolated infrastructure for teaching the basics of offensive and defensive cyber security, as a co-created activity based on the teacher workshops. Whilst we present an example case study for red and blue team student engagement, we also reflect on the wide scope of topics and tools that students would be exposed to through this activity, and how this platform could then be generalised for further cyber security teaching.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/171
Teaching Case
2023-03-08T15:58:35+00:00
Garry L. White
<p><span>Democracy is based on education according to Socrates (470-390 B.C.). A lack of education leads to election problems. The 2020 presidential election has raised questions of election fraud and rigged software and the integrity of the results. Such questions can be resolved through election technology & security education. Education can put you in a position of knowledge if you find yourself in a discussion on voter fraud. The purpose of this paper is to propose a curriculum for different courses on election security and election technology to educate people. Individuals’ trust of an election can be impacted by education, which may override propaganda and fake news. The proposed curriculum also covers misleading election numbers from statistics and Benford's Law.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/170
Structure or Anarchy
2023-03-08T15:58:35+00:00
Jason M. Pittman, Helen G. Barker, Shaho Alaee
<p>Bibliometric analysis is essential for understanding the growth, health, and trajectory of scientific disciplines. In effect, such analyses help researchers determine if a given field is well-structured or fragmented through anarchy. Prior work examined to what extent cybersecurity education research generated a follow-up study. The goal of the work was to uncover bibliometric features and characteristics linked to overall maturity of the field. The results suggested little, if any, research follow-up or extension took place based on the dearth of interlinking between citations. This work continues the line of bibliometric description by investigating if cybersecurity education papers are not extended because of discoverability issues during literature reviews. To answer this question, this work explored structural bibliometric indicators in 163 journal and conference articles. Specifically, we extracted metadata keywords and paper content keywords as input to frequency analyses of the sample articles. The results revealed 12.4% of the sample contains metadata keywords. Further, 18.03% of the sample contained education-related keywords. Lastly, four of the top five sample papers by citation count do not contain keywords at all and papers with content-only keywords exhibited more frequent citation than those with only metadata keywords. Based on these results, we offer observational conclusions as well as notions for future work.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/169
Simulating Cybersecurity Risk Using Advanced Quantitative Risk Assessment Techniques
2023-03-08T15:58:36+00:00
Basil Hamdan
<p><span>This paper, a scenario-based teaching case study, aims to introduce students in a Cybersecurity Risk Management course to advanced quantitative risk assessment techniques. The case study utilizes a fictitious company for which a risk assessment is underway. Assuming the role of the Cybersecurity Risk Team of the company, students are tasked with determining the risk exposure the company faces from a threat scenario against one of its mission-critical information resources. Specifically, the students are required to (1) quantify the monetary losses that could result from a threat scenario, (2) compute the inherited risk exposure from the threat scenario, (3) compute the residual risk given the implementation of certain security controls, and (4) compute the rate of return on the security controls. The case study holds the promise of enhancing the overall learning of the students and boosting their marketability as future cybersecurity professionals.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/168
Security Mindset Fundamentals and Second Language Learning
2023-03-08T15:58:36+00:00
Amy Kuiken
<p><span>Security mindsets can be said to engage elements of situational awareness and analytical, creative, and practical elements of adversarial thinking. Scholars have debated whether this is taught or fostered, but they have acknowledged that security mindsets are critical. Here, the argument is made that implicit features of language itself can be drawn on in everyday K12+ second language (L2) learning settings to introduce members of the general populace and, among them, potential future members of the cybersecurity workforce, to security thinking. Beyond the features of language itself, L2 lessons can also be adapted to familiarize students with explicit security-related topics and scenarios. By exploiting these novel connections between language learning and security thinking, L2 learning contexts can become a security mindset training ground for millions of U.S. students.</span></p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education

https://cisse.info/journal/index.php/cisse/article/view/167
RADICL CTF
2023-03-08T15:58:36+00:00
Taegan Williams, Tiffany Fuhrmann, Michael Haney
<p>To address the nationwide workforce shortage of skilled and educated cyber-informed engineers, we must develop low-cost and highly effective resources for industrial control systems education and training. College curricula in technology management, cybersecurity, and computer science aim to build students’ computational and adversarial thinking abilities but are often done only through theory and abstracted concepts [1].
To better a student’s understanding of industrial control system applications, post-secondary institutions can use gamification to increase student interest through an interactive, user-friendly, hands-on experience. RADICL CTF can provide post-secondary institutions with new opportunities for low-cost, guided exercises for industrial control system (ICS) education to help students master adversarial thinking. Based on an extension to picoCTF, RADICL CTF is a platform for students to design, implement and evaluate exercises that test their understanding of core concepts in industrial control systems cybersecurity, answering the need for more interactive education methods. The main contributions of this paper are the improvement of the cyber-security curriculum through extending the picoCTF platform to promote the gamification of industrial control system concepts with consideration to the Purdue Reference Architecture.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education
https://cisse.info/journal/index.php/cisse/article/view/166
Practical Labs for Teaching SDN Security
2023-03-08T15:58:36+00:00
Souvik Das, Kamil Sarac
<p>The rapid adoption of Software Defined Networking (SDN) in the industry has exposed certain security risks today, some of which are unique to its paradigm. Security issues around the use-cases that expose these risks are fundamentally aligned with the networking and cybersecurity concepts that are taught at the graduate level in academia. In this paper, we present a number of lab activities on SDN security that are inspired from practical use-cases in SDN deployments. The goal of this effort is to help students give a shape to their thought process about the practical security implications of SDN deployments and gain valuable practical domain knowledge in securing an environment with such deployments.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education
https://cisse.info/journal/index.php/cisse/article/view/165
Meeting the Challenges of Large Online Graduate Cybersecurity Classes in the Age of COVID
2023-03-08T15:58:36+00:00
Michael Whitman, Herbert Mattord
<p>Designing curriculum and teaching delivery programs that can meet the needs of specialized groups of employers and students is challenging in the best of times. When extra criteria are added, such as making a degree program fully online when also limited with the number of fully qualified faculty due to constrained resources, flexibility is a requirement. This is a case study of one such program development project that saw the design and development of a Master-level program of study in Cybersecurity that was designed at one level of expected faculty resource availability that had to rapidly evolve in a new direction due to significant resource restrictions. Built on a model of maximizing the productivity of a few fully qualified faculty by leveraging less qualified but very capable part-time staff to meet the needs of online delivery of large sections of graduate instruction.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education
https://cisse.info/journal/index.php/cisse/article/view/164
Interactive Program Visualization to Teach Stack Smashing
2023-03-08T15:58:36+00:00
Harini Ramaprasad, Meera Sridhar, Erik Akeyson
<p>This paper presents an experience report on using an interactive program visualization tool — Dynamic, Interactive Stack-Smashing Attack Visualization (DISSAV) — and a complementary active-learning exercise to teach stack smashing, a key software security attack. The visualization tool and active-learning exercise work synergistically to guide the student through challenging, abstract concepts in the advanced cybersecurity area.
DISSAV and the exercise are deployed within the software security module of an undergraduate cybersecurity course that introduces a broad range of security topics. A study is designed that collects and evaluates student perceptions on the user interface of DISSAV and the effectiveness of the two resources in improving student learning and engagement. The study finds that over 80% of responses to user interface questions, 66% of responses to student learning questions and 64% of responses to student engagement questions are positive, suggesting that the resources improve student learning and engagement in general. The study does not find discernible patterns of difference in responses from students of different ages and varying levels of prior experience with stack smashing attacks, program visualization tools and C programming.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education
https://cisse.info/journal/index.php/cisse/article/view/163
Interactive Cyber-Physical System Hacking
2023-03-08T15:58:36+00:00
Jonathan White, Phil Legg, Alan Mills
<p>Cyber Security as an education discipline covers a variety of topics that can be challenging and complex for students who are new to the subject domain. With this in mind, it is crucial that new students are motivated by understanding both the technical aspects of computing and networking, and the real-world implications of compromising these systems. In this paper we approach this task to create an engaging outreach experience, on the concept of cyber-physical systems, using a Scalextric slot-car racetrack. In the activity, students seek to compromise the underlying computer system that is linked to the track and updates the scoreboard system, in order to inflate their own score and to sabotage their opponent. Our investigation with this technique shows high levels of engagement whilst providing an excellent platform for teaching basic concepts of enumeration, brute forcing, and privilege escalation. It also provokes discussion on how this activity relates to real-world cases of cyber-physical systems security in the sports domain and beyond.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education
https://cisse.info/journal/index.php/cisse/article/view/162
Improving Workplace and Societal Cybersecurity via Post-Secondary General Education
2023-03-08T15:58:36+00:00
Maeve Dion
<p>Everyone has a role to play in cybersecurity and cyber risk management, but people without security backgrounds seldom understand—let alone accept or endorse—such roles. Public and private organizations face common challenges in facilitating more secure behaviors among employees. As part of their missions, most colleges and universities in the United States have general education programs that aim to instill certain competencies and characteristics in all graduates (for individual and greater good). This paper proposes that a cybersecurity general education course could help improve common workplace challenges in cybersecurity training and awareness, and that such a course could align with each institution’s general education goals to benefit not only graduates but also communities and society writ large.</p>
2023-03-08T00:00:00+00:00
Copyright (c) 2023 Journal of The Colloquium for Information Systems Security Education