Applying Rating Systems to Challenge Based Cybersecurity Education

As technology becomes a larger part of everyday life, it becomes increasingly more important for CS and CIT students to learn about cyber security during their education. While many cyber security oriented courses exist, it is also necessary that students must be able to work and learn in an environment that resembles a real world context. To address this problem it has become common to adapt cyber security challenges into the classroom as a method for students to put their knowledge into practice. One problem is that these challenges can vary considerably in levels of difficulty, which makes it problematic for students to be able to select a challenge that is an appropriate difficulty for their skill level. A potential solution to this problem could be to adapt a rating system to rank both the students and the challenges. This would then allow the students to easily select challenges that are appropriate for them to engage with by comparing their own rating with the rating of available challenges. In this project we propose methods that could be used to adapt a rating system to an existing cyber security education program. Finally we propose a method to survey students that interact with the program so that the effect of the rating system can be measured

Trusted CI Experiences in Cybersecurity and Service to Open Science

This article describes experiences and lessons learned from the Trusted CI project, funded by the US National Science Foundation to serve the community as the NSF Cybersecurity Center of Excellence. Trusted CI is an effort to address cybersecurity for the open science community through a single organization that provides leadership, training, consulting, and knowledge to that community. The article describes the experiences and lessons learned of Trusted CI regarding both cybersecurity for open science and managing the process of providing centralized services to a broad and diverse community.Comment: 8 pages, PEARC '19: Practice and Experience in Advanced Research Computing, July 28-August 1, 2019, Chicago, IL, US

Malicious User Experience Design Research for Cybersecurity

This paper explores the factors and theory behind the user-centered research that is necessary to create a successful game-like prototype, and user experience, for malicious users in a cybersecurity context. We explore what is known about successful addictive design in the fields of video games and gambling to understand the allure of breaking into a system, and the joy of thwarting the security to reach a goal or a reward of data. Based on the malicious user research, game user research, and using the GameFlow framework, we propose a novel malicious user experience design approac

Evaluation of Game-Based Learning in Cybersecurity Education for High School Students

Game based learning is a new game play mechanism that the players explore various aspects of game play in a learning context designed by the instructor or the game designer. Nevertheless, general acceptance of game based learning as a new learning paradigm was deferred by a lack of well-controlled, large sample efficacy studies. To address the increasing need of cybersecurity workforce, this paper introduces a game based learning method for high school cybersecurity education. Purdue University Northwest launched GenCyber high school summer camps to about 200 high school students in Chicago metropolitan area. The survey conducted after the summer camp indicated that the game based learning for cybersecurity education was very effective in cybersecurity awareness training. Further analysis of survey data revealed that there is a gender difference in raising students' interests in cybersecurity and computer science education using game based learning method

Novel Alert Visualization: The Development of a Visual Analytics Prototype for Mitigation of Malicious Insider Cyber Threats

Cyber insider threat is one of the most difficult risks to mitigate in organizations. However, innovative validated visualizations for cyber analysts to better decipher and react to detected anomalies has not been reported in literature or in industry. Attacks caused by malicious insiders can cause millions of dollars in losses to an organization. Though there have been advances in Intrusion Detection Systems (IDSs) over the last three decades, traditional IDSs do not specialize in anomaly identification caused by insiders. There is also a profuse amount of data being presented to cyber analysts when deciphering big data and reacting to data breach incidents using complex information systems. Information visualization is pertinent to the identification and mitigation of malicious cyber insider threats. The main goal of this study was to develop and validate, using Subject Matter Experts (SME), an executive insider threat dashboard visualization prototype. Using the developed prototype, an experimental study was conducted, which aimed to assess the perceived effectiveness in enhancing the analysts’ interface when complex data correlations are presented to mitigate malicious insiders cyber threats. Dashboard-based visualization techniques could be used to give full visibility of network progress and problems in real-time, especially within complex and stressful environments. For instance, in an Emergency Room (ER), there are four main vital signs used for urgent patient triage. Cybersecurity vital signs can give cyber analysts clear focal points during high severity issues. Pilots must expeditiously reference the Heads Up Display (HUD), which presents only key indicators to make critical decisions during unwarranted deviations or an immediate threat. Current dashboard-based visualization techniques have yet to be fully validated within the field of cybersecurity. This study developed a visualization prototype based on SME input utilizing the Delphi method. SMEs validated the perceived effectiveness of several different types of the developed visualization dashboard. Quantitative analysis of SME’s perceived effectiveness via self-reported value and satisfaction data as well as qualitative analysis of feedback provided during the experiments using the prototype developed were performed. This study identified critical cyber visualization variables and identified visualization techniques. The identifications were then used to develop QUICK.v™ a prototype to be used when mitigating potentially malicious cyber insider threats. The perceived effectiveness of QUICK.v™ was then validated. Insights from this study can aid organizations in enhancing cybersecurity dashboard visualizations by depicting only critical cybersecurity vital signs

A Universal Cybersecurity Competency Framework for Organizational Users

The global reliance on the Internet to facilitate organizational operations necessitates further investments in organizational information security. Such investments hold the potential for protecting information assets from cybercriminals. To assist organizations with their information security, The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) was created. The framework referenced the cybersecurity work, knowledge, and skills required to competently complete the tasks that strengthen their information security. Organizational users’ limited cybersecurity competency contributes to the financial and information losses suffered by organizations year after year. While most organizational users may be able to respond positively to a cybersecurity threat, without a measure of their cybersecurity competency they represent a cybersecurity threat to organizations. The main goal of this research study was to develop a universal Cybersecurity Competency Framework (CCF) to determine the demonstrated cybersecurity Knowledge, Skills, and Tasks (KSTs) through the NCWF (NICE, 2017) as well as identify the cybersecurity competency of organizational users. Limited attention has been given in cybersecurity research to determine organizational users’ cybersecurity competency. An expert panel of cybersecurity professionals known as Subject Matter Experts (SMEs) validated the cybersecurity KSTs necessary for the universal CCF. The research study utilized the explanatory sequential mixed-method approach to develop the universal CCF. This research study included a developmental approach combining quantitative and qualitative data collection in three research phases. In Phase 1, 42 SMEs identified the KSTs needed for the universal CCF. The results of the validated data from Phase 1 were inputted to construct the Phase 2 semi-structured interview. In Phase 2, qualitative data were gathered from 12 SMEs. The integration of the quantitative and qualitative data validated the KSTs. In Phase 3, 20 SMEs validated the KST weights and identified the threshold level. Phase 3 concluded with the SMEs\u27 aggregation of the KST weights into the universal CCF index. The weights assigned by the SMEs in Phase 3 showed that they considered knowledge as the most important competency, followed by Skills, then Tasks. The qualitative results revealed that training is needed for cybersecurity tasks. Phase 3 data collection and analysis continued with the aggregation of the validated weights into a single universal CCF index score. The SMEs determined that 72% was the threshold level. The findings of this research study significantly contribute to the body of knowledge on information systems and have implications for practitioners and academic researchers. It appears this is the only research study to develop a universal CCF to assess the organizational user’s competency and create a threshold level. The findings also offer further insights into what organizations need to provide cybersecurity training to their organizational users to enable them to competently mitigate cyber-attacks

Cybersecurity Awareness Platform with Virtual Coach and Automated Challenge Assessment

Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.Comment: Preprint accepted for publication at the 6th Workshop On The Security Of Industrial Control Systems & Of Cyber-Physical Systems (CyberICPS 2020

Cybersecurity awareness platform with virtual coach and automated challenge assessment

Over the last years, the number of cyber-attacks on industrial control systems has been steadily increasing. Among several factors, proper software development plays a vital role in keeping these systems secure. To achieve secure software, developers need to be aware of secure coding guidelines and secure coding best practices. This work presents a platform geared towards software developers in the industry that aims to increase awareness of secure software development. The authors also introduce an interactive game component, a virtual coach, which implements a simple artificial intelligence engine based on the laddering technique for interviews. Through a survey, a preliminary evaluation of the implemented artifact with real-world players (from academia and industry) shows a positive acceptance of the developed platform. Furthermore, the players agree that the platform is adequate for training their secure coding skills. The impact of our work is to introduce a new automatic challenge evaluation method together with a virtual coach to improve existing cybersecurity awareness training programs. These training workshops can be easily held remotely or off-line.info:eu-repo/semantics/acceptedVersio

Local Government Cybersecurity: How Michigan Counties Cope with Cyber Threats

In the age of global interconnectedness, we can all be equally affected by cyberattacks. Given the evolving nature of threat landscapes, comprehensive and preemptive practices are needed now more than ever to keep local government and citizen data secure. According to Recorded Future, in 2019, local U.S. government infrastructure was targeted by ransomware attacks 100 times. Cyber threats to local government systems have been increasing exponentially over the last several years, and the frequency of attacks will only continue to grow. Although cyberattacks on local government entities are rising every year, the challenges county IT departments face in combating the thousands of yearly attacks remains largely unexamined. This research study aims to understand how Michigan counties are currently protecting their IT systems, define the challenges they face in improving their cybersecurity posture, and address the potential improvements regarding current cybersecurity practices. This thesis addresses these goals through semi-structured interviews and a post-interview questionnaire with local government IT leaders across the State of Michigan. The results of this research study found challenges local Michigan governments face in enhancing their county's culture of cybersecurity, operating with limited funding and support, and inability to properly utilize state resources due to limited staffing needed to operationalize. A surprising finding was learning how essential communication and relationship building are to cybersecurity and how these relationships impact the culture of cybersecurity in an organization. By identifying these challenges, policymakers can introduce evidence-based policies that will address the essential needs of local Michigan counties and provide actionable and implementable solutions. Additionally, it will enable researchers and cybersecurity professionals to develop recommendations and mitigating solutions to improve local Michigan government cybersecurity.Master of Science in InformationSchool of Informationhttp://deepblue.lib.umich.edu/bitstream/2027.42/168552/1/20210511_Duque,Marilu_Final_MTOP_Thesis.pd

Columbia World Projects Cybersecurity Forum Report

It is precisely because of the indispensable role the Internet plays in our lives that disruptions to the systems, and networks that undergird them, can rapidly bring so much of what we do to a standstill, undermine our privacy and civil liberties, and even threaten our prosperity and national security. And of course, it is not just systems that are connected to the Internet that are vulnerable to digital attack – so too are standalone systems, networks, and programs. While it is difficult to measure the precise level of exposure in this realm, there is a clear consensus that cybersecurity is one of the most significant and complex challenges facing the world today. To give just a few examples, the U.S. Director of National Intelligence said cybersecurity is one of his “greatest concerns and top priorities.” The U.S. Homeland Security Secretary’s has assessed that cyberweapons and sophisticated hacking pose a greater threat to the United States than the risk of physical attacks. Freedom House concluded that digital disinformation tactics have contributed to a global decline in Internet freedom every year for the last seven years, and played an important role in elections in at least 18 countries from 2016 to 2017 alone. And estimates regarding the global economic impact of cyber attacks range from $400 billion to more than$2 trillion each year. So too is there is a growing recognition that technology solutions alone cannot address the many vulnerabilities and possible vectors of attack, but rather that behavioral, normative, regulatory, social, and other interventions will also be critical to building effective solutions. Yet, despite these high-level warnings and the fact that a fair amount of attention and resources have been devoted in the last several years to cybersecurity, the increasing sophistication of cyber threats continues to outpace progress, as does the number of attacks, particularly in the United States and in Europe. It was with this understanding – that current efforts to address cybersecurity are insufficient – that participants in the Columbia World Projects (CWP) Forum on Cybersecurity began their opening plenary discussion. Approximately 35 experts with a range of different substantive and institutional perspectives shared their views on the nature of the threat, key vulnerabilities, and the particularly intractable challenges associated with addressing them. This discussion provided critical context for the concrete project proposals taken up later in the working groups (Section II), and helped inform the selection of projects meriting further development by CWP (Section III)