Journal of The Colloquium for Information Systems Security Education
<p>The Colloquium for Information Systems Security Education (CISSE) community meets every year in a different part of the country to elaborate and discuss the most effective means of maintaining a high standard of excellence in cybersecurity education practice. To have any credibility as a source of new and evolving knowledge, the highest academic standards must apply to the presentation of new knowledge to the membership.</p>
The Colloquium for Information Systems Security Education (CISSE). en-US. Journal of The Colloquium for Information Systems Security Education. ISSN 2641-4546

Are Cybersecurity Professionals Satisfied with Recent Cybersecurity Graduates?
<p>This pioneering research project examines the expectations of cybersecurity professionals in terms of contentment with recent graduates. In particular, the project sought to determine the professionals' satisfaction with recent hires holding undergraduate degrees. Overall, 73% of the participants indicated satisfaction with recent cybersecurity graduates. In addition, 67% of these professionals believed that recent graduates had a satisfactory level of competency.</p>
Nelbert St. Clair, John Girard. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 7 7

A Laboratory for Hands-on Cyber Threat Hunting Education
<p>Cyber threat hunting has emerged as a critical part of cybersecurity practice. However, there is a severe shortage of cybersecurity professionals with the advanced analysis skills it requires. Sponsored by the NSA, the University of North Carolina at Charlotte (UNC Charlotte) and Forsyth Technical Community College (Forsyth Tech) have been developing freely available, hands-on teaching materials for cyber threat hunting suitable for two-year community college curricula, four-year university curricula, and collegiate threat hunting competitions. Our hands-on labs exercise a set of essential technical skills (the threat hunting skill set) in an enterprise environment and are modeled after real-world scenarios. The lab environment contains real threats (e.g., malware) against real software (e.g., operating systems and applications) and real security datasets. These labs are designed to help a student learn how to detect active and dormant malware, analyze its activities, and assess its impact. They also teach a student how to search and probe for anomalies in a variety of datasets using multiple analytical skills, such as statistical analysis. In this paper, we present the design and implementation of our hands-on labs.</p>
Jinpeng Wei, Bei-Tseng Chu, Deanne Cranford-Wesley, James Brown. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 7 7

Improving the Pipeline
<p>There is currently a worldwide shortage of cybersecurity professionals. This paper presents an after-school program for high school students to explore cybersecurity topics and careers. The paper discusses the content of the course as well as the results seen to date. A link to an online repository of program materials will be shared with the audience. This work is the result of the NSF-funded grant Improving the Pipeline: After-School Model for Preparing Information Assurance and Cyber Defense Professionals (Grant No. 1623525).</p>
Sandra Gorka, Alicia McNett, Jacob Miller, Bradley Webb. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 5 5

Development of Cybersecurity Lab Exercises for Mobile Health
<p>There is an emerging class of public health applications in which non-health data from mobile apps, such as social media data, feed models that identify threats to public health. On one hand, these models require accurate data, which would have an immense impact on public health. On the other hand, results from these models could compromise the privacy of an individual's health status even without directly using health data. Privacy could also be affected if the systems hosting these models are compromised through security breaches. Students ought to be trained to evaluate how effectively different protocols preserve privacy while still providing useful data to the models. Current cybersecurity education has a gap in training students in the context of both of the above types of mobile health applications. The objective of this paper is to describe novel educational material to augment current cybersecurity courses for undergraduate and graduate students. We develop material that teaches fundamental concepts and issues related to security and privacy in mobile health applications and describe a cloud-based hands-on lab that lets students explore the consequences of different solution strategies. The hands-on lab exercises give students insight into developing practical solutions based on sound theoretical foundations.</p>
Hongmei Chi, Meysam Ghaffari, Ashok Srinivasan, Jinwei Liu. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 6 6

Introducing Secure Design by Scripting in an Undergraduate Microcontroller Based Design Course
<p>This paper discusses a systematic approach to revising a second undergraduate course on microprocessor system design to improve student learning outcomes by introducing scripting-based design with a security mindset. The current course is based on the Dragon 12-Plus development system, which requires compiled C code and offers no on-board security features. The updated course has the intended outcomes of building design and technical skills on multiple microcontroller-based design platforms and introducing a "security mindset" for networked systems. We introduce a Project Based Learning (PBL) approach, and the focus of the course is on hands-on activities in which students work on multiple design projects using C and MicroPython. The Dragon 12-Plus course hardware platform is augmented with a small form factor pyboard, which is used to acquire sensor data and transmit it securely for simple data analytics. We introduce three new laboratories, including one on data security using MicroPython. We also outline necessary changes to the undergraduate engineering programming course sequence. Additionally, a mapping of these new labs to CAE-CD Knowledge Units (KUs) and the NICE Framework Specialty Areas is included.</p>
Kalyan Mondal, Angela Elias-Medina. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 6 6

Problem-based Learning for Cybersecurity Education
<p>The traditional lecture-based approach with laboratory exercises is commonly used to teach cybersecurity and is useful for giving students hands-on experience. However, it fails to give students an opportunity to fully explore the multi-faceted, ill-defined problems prevalent in real-world cybersecurity scenarios. Problem-based learning is a student-centered pedagogy in which students are presented with complex, open-ended, real-world problems to promote learning of concepts and principles, in contrast to traditional lecture-style presentations. Over the years, the model has been adopted to teach concepts in other disciplines, including economics, business administration, architecture, law, engineering and social work; however, little work has been done in the field of cybersecurity. This paper illustrates the use of problem-based learning for cybersecurity education, along with an open cyber range architecture for a preliminary implementation. This student-focused, active learning pedagogy has proven not only to give students an opportunity to learn relevant concepts, tools and techniques applicable to the given problem, but also to improve focus, interest and motivation, and to foster the lifelong learning skills essential to survive in the ever-changing cybersecurity field.</p>
Mandar Shivapurkar, Sajal Bhatia, Irfan Ahmed. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 6 6

Teaching SDN Security Using Hands-on Labs in CloudLab
<p>Software-Defined Networking (SDN) represents a major transition from traditional hardware-based networks to programmable software-based networks. While SDN brings visibility, elasticity, flexibility, and scalability, it also presents security challenges. This paper describes some of the hands-on labs we developed for teaching SDN security using the CloudLab platform. The labs have been used in a graduate-level course on SDN/NFV related technologies. Our teaching experience with the labs is discussed. The labs can be adopted by other instructors to teach SDN security.</p>
Xiaohong Yuan, Zhipeng Liu, Younghee Park, Hongxin Hu, Hongda Li. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 6 6

Serverless Computing Architecture Security and Quality Analysis for Back-end Development
<p>The purpose of this paper is to propose how to improve both the quality and the security of the back-end of a modern software system by adopting a serverless computing architecture. To this end, the paper takes three steps: 1) show a complete back-end architecture on three serverless computing platforms, Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP); 2) analyze the security and quality of each component of each provider's serverless offering and compare them to show similarities and differences; 3) describe how using a cloud service improves the quality and security of a system.</p>
Clark Ngo, Peng Wang, Tuan Tran, Sam Chung. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 8 8

Synergy of Accreditation and CAE Designation
<p>One impediment to applying for the NSA/DHS Center of Academic Excellence in Cyber Defense designation is the fear that it will require great changes to the curriculum or may negatively impact international functional accreditations. This paper provides lessons learned while preparing to apply for this designation and enhancing our international ABET (computer science) and AACSB (business) accreditations. We found synergy between the new cybersecurity requirements for accreditation and CAE designation. Additional benefits of CAE designation include standards that help design, build, market and assess strong, well-defined cybersecurity programs in both computer science and business, each of which caters to a different audience of students and future employers. Finally, the CAE designation requires collaboration inside and outside the university, encouraging active outreach to other programs. All of these benefits work in concert with the ABET and AACSB accreditations, which explicitly require an internationally recognized curriculum that is taught by experts in their field and regularly assessed.</p>
Thomas Augustine, Haadi Jafarian, Ilkyeun Ra. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 7 7

A Study on Cyber Attacks and Vulnerabilities in Mobile Payment Applications
<p>The end-to-end mobile purchase process depends on the decisions and actions of many stakeholders, including consumers, mobile application developers, mobile payment service providers, merchants, financial institutions such as banks and credit card companies, and their respective data centers. This paper presents a detailed look at mobile payments as a sequence of transactions to better understand what is required to authenticate, authorize, verify and process them, and where security vulnerabilities lie. The analysis was accomplished by conducting in-depth research on three popular use cases, Apple Pay, Google Pay, and Samsung Pay, analyzing their respective potential for being compromised, and suggesting opportunities where higher levels of security can be attained. While many mechanisms exist that can contribute to safeguarding mobile transactions, this analysis shows many ways in which known vulnerabilities and attacks can still be leveraged to exploit users' data within popular mobile payment solutions. Approaches for improving the security of mobile payment transactions are included as way-ahead recommendations.</p>
Oriel Rivers, Yen-Hung Hu, Mary Hoppa. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 9 9

A Study on Vulnerabilities and Threats to Wearable Devices
<p>Connected, wearable devices are increasingly being adopted by individuals who want to monitor personal data such as location and vital biometrics, and to receive performance feedback and product updates in real time. The quality-of-life gains these gadgets offer users, and the opportunities they give vendors to maintain ongoing relationships with consumers, may backfire if security and privacy are not addressed appropriately. This research explored cybersecurity vulnerabilities, threats, and risks related to wearable devices using the Fitbit smartwatch as a popular example. The analysis focused on the sensors integrated into such devices. Understanding how these components work exposed ways they can be exploited, which in turn suggested ways to mitigate potential cyber-attacks on wearable devices. These findings provide a foundation for developing awareness and education, and for recommending best practices that balance the functionality and convenience of wearable devices with personal privacy and organizational cybersecurity concerns.</p>
Felton Blow, Yen-Hung Hu, Mary Hoppa. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 7 7

STEAM Powered K-12 Cybersecurity Education
<p>The importance of incorporating cybersecurity education in K-12, both to develop and strengthen the pipeline of students who pursue a cybersecurity major in college and to teach cyber-awareness to all students, cannot be overstated. Through efforts such as the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) K-12 cybersecurity conferences and the NICE K-12 working groups, this message is being spread to K-12 educators across the country. In Virginia, as in many other states, there is a disparity in student and teacher preparation in cybersecurity between urban and rural areas. Schools lack two key resources: teachers with the required competencies, and access to the isolated computing networks required for hands-on security exercises. Currently, efforts to introduce security are usually focused only at the high school level, where students have already self-selected into relatively small interest groups. This paper describes the results of a year-long, NSA-funded project (PICSAR) designed to increase the number of teachers with competency in cybersecurity while increasing the pipeline of students interested in cybersecurity. The project accomplished the first goal by providing graduate instruction in cybersecurity education and workshops to K-12 teachers. These same teachers then helped accomplish the second goal by developing age-appropriate, integrated STEAM lesson plans from kindergarten through 12th grade. For each topic in cybersecurity (e.g., cryptography), a skills progression plan was developed, and lesson plans were then developed and piloted to introduce the topic appropriately at each grade level.</p>
Joe Chase, Prem Uppuluri, Ellen Denny, Blenna Patterson, Jennifer Eller, Darlene Lane, Beverly Edwards, Rebecca Onuskanich. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 8 8

A Model for Security Evaluation of Digital Libraries
<p>The use of digital libraries (DLs) is increasing. To attract users and sustain digital libraries, the security of these systems is critical. However, few studies in the digital library literature have focused on evaluating the security of a DL system. Through a review of existing literature, standards and other security guidelines, we propose a novel model for security evaluation of digital libraries. We test the effectiveness of the model using the CLARK cybersecurity curriculum digital library at Towson University. We identify five core security criteria, broken down in the model into several requirements that a DL should fulfill to achieve security. Results from the evaluation, which include static code analysis and expert review of CLARK's security mechanisms, indicate that the proposed model is significantly effective in evaluating the security requirements of digital libraries.</p>
Nnatubemugo Ngwum, Sagar Raina, Sabina Aguon, Blair Taylor, Siddharth Kaza. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 12 12

Educating the Masses
<p>Cybersecurity is no longer just the concern of Information Technology (IT) teams. Emerging technologies like artificial intelligence and machine learning are changing the game for cybersecurity. To remain relevant and promote a pedagogical framework, K-12 and institutions of higher education should continue to have conversations about cybersecurity education. As part of this paradigm shift, cybersecurity education should be a priority. It is essential to equip administration, faculty, staff, and students with the dos and don'ts so that end users do not introduce threats. A "cyber aware" student goes home, and into the 21st-century workforce, exercising those same best practices. As the National Cybersecurity Alliance points out, this is a shared responsibility: we each have to work together to keep ourselves, our families, schools, communities and our nation safe. The object of this paper is to communicate on the subject of cybersecurity across all sectors: government, business, academic institutions and individuals.</p>
D'Kyra Graham, D'Nita Graham. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 4 4

A Study on Vulnerabilities and Threats to SCADA Devices
<p>SCADA devices have increasingly become targets of malicious actors, alerting industries, governments and even private citizens to the need for more effective security measures, particularly for critical infrastructure and industrial control systems. To address these concerns, a thorough survey and investigation of cyber-attacks targeting SCADA systems was conducted in order to propose solutions and recommendations for mitigating such attacks. This research first studied some historical perspectives on SCADA and associated risks, including examples of typical attacks. After summarizing known SCADA vulnerabilities and some attempts to harden these systems, a deeper dive was taken into a breach of the Schneider Triconex Tricon 3008 safety system as an instructive use case. Some general recommendations were made for methodically securing SCADA networks. The long-term objective of this research is to better secure the future of SCADA and, by implication, the critical infrastructures that depend on this technology, through more focused cybersecurity vulnerability assessment and mitigation.</p>
Dawn Silverman, Yen-Hung Hu, Mary Hoppa. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 8 8

Using the NICE Framework as a Metric to Analyze Student Competencies
<p>This paper describes how the Department of Energy's CyberForce Competition™ uses anomalies to map collegiate teams' comprehension of different topics in cybersecurity. The competition is currently in its fourth iteration, with a fifth planned for November 2019. Anomalies are challenges that collegiate teams must solve in order to receive points; they vary in nature, timing, and skillset. All successful teams are able to manage the scale and prioritize which anomalies to complete. This paper identifies the NICE pillars in which students scored in the upper percentile and the topics on which students averaged a lower score. These results may help educators create training programs, classes and curricula to close these knowledge gaps.</p>
Jennifer Fowler, Nate Evans. Copyright (c) 2020 The Colloquium for Information Systems Security Education. 2020-07-30 2020-07-30 7 1 18 18
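The threat hunting lab abstract above (Wei, Chu, Cranford-Wesley and Brown) describes teaching students to detect dormant malware and to probe datasets for anomalies with statistical analysis. As an added illustration of the kind of analysis such a lab exercises, and not code from that paper or from the UNC Charlotte / Forsyth Tech lab materials, the Python below applies two standard hunting heuristics to a constructed connection log: beaconing detection, which flags (source, destination, port) pairs whose inter-arrival times have a low coefficient of variation, and frequency stacking, which ranks destinations by how many distinct internal hosts contact them. The log format, the addresses, the timestamps and the thresholds are all assumptions made for the example.

```python
"""Beacon hunting and destination stacking over a constructed connection log.

Added example; it is not code from the CISSE paper or its lab materials.
The log format (epoch seconds, src, dst, port) and every record below are
constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 calls 203.0.113.9 roughly every 60 s with a
# few seconds of jitter (beacon-like); 10.0.0.7 and 10.0.0.8 reach
# 198.51.100.4 in irregular, human-looking bursts.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.9 443
1700000061 10.0.0.5 203.0.113.9 443
1700000119 10.0.0.5 203.0.113.9 443
1700000181 10.0.0.5 203.0.113.9 443
1700000240 10.0.0.5 203.0.113.9 443
1700000299 10.0.0.5 203.0.113.9 443
1700000360 10.0.0.5 203.0.113.9 443
1700000421 10.0.0.5 203.0.113.9 443
1700000003 10.0.0.7 198.51.100.4 443
1700000004 10.0.0.7 198.51.100.4 443
1700000005 10.0.0.7 198.51.100.4 443
1700000390 10.0.0.7 198.51.100.4 443
1700000391 10.0.0.7 198.51.100.4 443
1700000900 10.0.0.7 198.51.100.4 443
1700001500 10.0.0.7 198.51.100.4 443
1700001501 10.0.0.7 198.51.100.4 443
1700000700 10.0.0.8 198.51.100.4 443
1700002200 10.0.0.8 198.51.100.4 443
"""


def parse_log(text):
    """Parse whitespace-separated lines into (ts, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=6, max_cv=0.15):
    """Return (src, dst, port, count, mean_gap, cv) for periodic pairs.

    Connections are grouped by (src, dst, port); the coefficient of
    variation (stdev / mean) of the sorted inter-arrival times is computed.
    A scheduled implant keeps a low CV even with jitter, while human-driven
    traffic is bursty and scores high. Thresholds are assumed values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, port, len(stamps), round(avg, 1), round(cv, 3)))
    return hits


def stack_destinations(records):
    """Rank destinations by the number of distinct internal hosts reaching them.

    Least-common-first ordering: a destination contacted by a single host in
    the fleet is a candidate for closer review (possible dormant implant).
    """
    sources = defaultdict(set)
    for _, src, dst, _ in records:
        sources[dst].add(src)
    return sorted((len(srcs), dst) for dst, srcs in sources.items())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_beacons(recs):
        print("beacon candidate:", hit)
    for n, dst in stack_destinations(recs):
        print(f"{dst} reached by {n} internal host(s)")
```

On real data the thresholds need tuning per environment, and a low coefficient of variation alone is not proof of compromise: software update checks and monitoring agents beacon too, so the hits are starting points for the analysis of process, user and payload context that the lab abstract describes.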