Advantages and challenges of using capture-the-flag games in cyber security education

Abstract. The world around us is digitalising fast and internet is almost everywhere, which makes cyber security an inevitable part of our lives. This thesis explored if capture-the-flag (CTF) games are viable solution to teaching cyber security. Research method used was a narrative literature review. 16 academic sources were reviewed, nine of which used quantitative research methods. Prior research showed that capture-the-flag games had a positive impact on participants’ motivation and engagement levels. In some studies, capture-the-flag games were found to lead to statistically better learning results and better understanding of computer security. Other resulting advantages were better practical knowledge in cyber security, increased grades and increased confidence in cyber security skills. Organising such games was found to be a challenging job and consequently, knowledge is required from both organisers and participants of capture-the-flag games. Capture-the-flag game environments are complex and support staff is needed in organising such games. Designing the challenges to be appropriately challenging was found to be a difficult task and a related problem was challenge avoidance. Quality assurance was found to be an important, but often overlooked part of the design process. In some papers, plagiarism was mentioned being a trouble. Automated approval of flag submissions in the games could lead to students illicitly sharing flags. Besides plagiarism, other ethical implications of teaching offensive computer security methods were a concern to many authors, but no quantitative research on this topic has so far been conducted

Security Scenario Generator (SecGen): A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events

Computer security students benefit from hands-on experience applying security tools and techniques to attack and defend vulnerable systems. Virtual machines (VMs) provide an effective way of sharing targets for hacking. However, developing these hacking challenges is time consuming, and once created, essentially static. That is, once the challenge has been "solved" there is no remaining challenge for the student, and if the challenge is created for a competition or assessment, the challenge cannot be reused without risking plagiarism, and collusion. Security Scenario Generator (SecGen) can build complex VMs based on randomised scenarios, with a number of diverse use-cases, including: building networks of VMs with randomised services and in-thewild vulnerabilities and with themed content, which can form the basis of penetration testing activities; VMs for educational lab use; and VMs with randomised CTF challenges. SecGen has a modular architecture which can dynamically generate challenges by nesting modules, and a hints generation system, which is designed to provide scaffolding for novice security students to make progress on complex challenges. SecGen has been used for teaching at universities, and hosting a recent UK-wide CTF event

Compete to Learn: Toward Cybersecurity as a Sport

To support the workforce gap of skilled cybersecurity professionals, gamified pedagogical approaches for teaching cybersecurity have exponentially grown over the last two decades. During this same period, e-sports developed into a multi-billion dollar industry and became a staple on college campuses. In this work, we explore the opportunity to integrate e-sports and gamified cybersecurity approaches into the inaugural US Cyber Games Team. During this tenure, we learned many lessons about recruiting, assessing, and training cybersecurity teams. We share our approach, materials, and lessons learned to serve as a model for fielding amateur cybersecurity teams for future competition

Benefits and Pitfalls of Using Capture The Flag Games in University Courses

The concept of Capture the Flag (CTF) games for practicing cybersecurity skills is widespread in informal educational settings and leisure-time competitions. However, it is not much used in university courses. This paper summarizes our experience from using jeopardy CTF games as homework assignments in an introductory undergraduate course. Our analysis of data describing students' in-game actions and course performance revealed four aspects that should be addressed in the design of CTF tasks: scoring, scaffolding, plagiarism, and learning analytics capabilities of the used CTF platform. The paper addresses these aspects by sharing our recommendations. We believe that these recommendations are useful for cybersecurity instructors who consider using CTF games for assessment in university courses and developers of CTF game frameworks

Building a Diverse Cybersecurity Workforce: A Study on Attracting Learners with Varied Educational Backgrounds

Cybersecurity has traditionally been perceived as a highly technical field, centered around hacking, programming, and network defense. However, this article contends that the scope of cybersecurity must transcend its technical confines to embrace a more inclusive approach. By incorporating various concepts such as privacy, data sharing, and ethics, cybersecurity can foster diversity among audiences with varying educational backgrounds, thereby cultivating a richer and more resilient security landscape. A more diverse cybersecurity workforce can provide a broader range of perspectives, experiences, and skills to address the complex and ever-evolving threats of the digital age. The research focuses on enhancing cybersecurity education to attract a diverse audience through the development and testing of a virtual platform on Haaukins (a cybersecurity training platform) designed with features resembling social media for capture-the-flag exercises. The results show that the cyber training platform effectively engages a diverse group of learners, bridging the gap between traditional technical boundaries and the urgent demand for comprehensive cybersecurity competence

Eliciting Requirements for a Student-focussed Capture the Flag

The current consensus is that a lack of skilled young persons entering the cyber security industry is contributing significantly to the accrescent cyber security skills gap. However, little progress has been made in terms of handling key contributing factors such as cyber security education. While Capture The Flag (CTF) exercises in cyber security education present some of the necessary requirements, we hypothesise that the current CTF forms do not possess the requirements necessary for promoting student engagement and learning. The paper presents the results of a study aimed at identifying the requirements of a student-focused CTF

On the Design of Security Games: From Frustrating to Engaging Learning

Hands-on cyber security training is generally accepted as an enjoyable and effective way of developing and practising skills that complement the knowledge gained by traditional education. At the same time, experience from organizing and participating in these events show that there is still room for making a larger impact on the learners, and providing more engaging and beneficial learning. In particular, the area of the game and exercise design is not sufficiently well-developed. There is no comprehensive methodology or best practices that can be used to prepare, test, and carry out events. We present the concept of a security game and lessons learned from a prototype game played by 260 participants. Based on the lessons, we describe the enhancements to the game design and a user study evaluating new game features. The results of the study show the importance of logging events which describe the course of the game. It also suggests what type of information can be estimated from the game logs and what can be found by other methods such as surveys.Praktická výuka v podobě cvičení a her je všeobecně považována za zábavnou a účinnou metodu rozvoje a procvičování dovedností v oblasti kyberbezpečnosti. Zkušenosti z přípravy této výuky a z účasti v některých cvičeních ukazují, že je zde stále prostor pro zvýšení výukového dopadu této metody na studenty. Zejména oblast návrhu cvičení a bezpečnostních her je v počátcích, např. neexistuje metodika nebo souhrn nejlepší praxe, které by učitel mohl využít při přípravě, testování a realizaci výukové aktivity. V článku představujeme koncept bezpečnostní hry a zkušenosti získané hraním prototypové hry 260 účastníky. Na základě těchto zkušeností jsme hru rozšířili a připravili uživatelské testování, jehož cílem bylo zhodnotit přínosy nových rozšíření. Výsledky testování ukázaly důležitost zaznamenávání akcí studentů během hry a jaké informace je možné získat jinými metodami, např. dotazníkovým šetřením

Teaching by Practice: Shaping Secure Coding Mentalities through Cybersecurity CTFs

The use of the Capture the Flag (CTF)-style competitions has grown popular in a variety of environments as a method to improve or reinforce cybersecurity techniques. However, while these competitions have shown promise in student engagement, enjoyment, and the teaching of essential workforce cybersecurity concepts, many of these CTF challenges have largely focused on cybersecurity as a general topic. Further, most in-school CTF challenges are designed with technical institutes in mind, prepping only experienced or upper-level students in cybersecurity studies for real-world challenges. Our paper aims to focus on the setting of a liberal arts institute, emphasizing secure coding as the focus of CTF-engaged learning for beginner to upper-level undergraduate students. We propose a survey system to evaluate the secure coding mentality of our students before and after taking these challenges, as well as an easily-hosted, low-resource CTF platform that students can access either in or outside of the classroom. We have found this system to be moderately effective at framing and improving the secure coding mentalities of our students