3,222 research outputs found

    Advantages and challenges of using capture-the-flag games in cyber security education

    Abstract. The world around us is digitalising fast and the internet is almost everywhere, which makes cyber security an inevitable part of our lives. This thesis explored whether capture-the-flag (CTF) games are a viable solution to teaching cyber security. The research method used was a narrative literature review. 16 academic sources were reviewed, nine of which used quantitative research methods. Prior research showed that capture-the-flag games had a positive impact on participants’ motivation and engagement levels. In some studies, capture-the-flag games were found to lead to statistically better learning results and better understanding of computer security. Other resulting advantages were better practical knowledge in cyber security, increased grades and increased confidence in cyber security skills. Organising such games was found to be a challenging job and consequently, knowledge is required from both organisers and participants of capture-the-flag games. Capture-the-flag game environments are complex and support staff is needed in organising such games. Designing the challenges to be appropriately challenging was found to be a difficult task and a related problem was challenge avoidance. Quality assurance was found to be an important, but often overlooked part of the design process. In some papers, plagiarism was mentioned as a problem. Automated approval of flag submissions in the games could lead to students illicitly sharing flags. Besides plagiarism, other ethical implications of teaching offensive computer security methods were a concern to many authors, but no quantitative research on this topic has so far been conducted.

    Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS - a collection of Technical Notes Part 1

    This report provides an introduction and overview of the Technical Topic Notes (TTNs) produced in the Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS (Tigars) project. These notes aim to support the development and evaluation of autonomous vehicles. Part 1 addresses: Assurance-overview and issues, Resilience and Safety Requirements, Open Systems Perspective and Formal Verification and Static Analysis of ML Systems. Part 2: Simulation and Dynamic Testing, Defence in Depth and Diversity, Security-Informed Safety Analysis, Standards and Guidelines

    Fit for Industry 4.0

    This volume presents a further training concept on Industry 4.0 for vocational teachers, which was developed for transnational use by the "Gesellschaft für Internationale Zusammenarbeit" (GIZ) together with SEAMEO VOCTECH (Regional Centre for Vocational and Technical Education and Training) and ASEAN (Association of Southeast Asian Nations). In connection with the thematic focus on digitalisation and the accompanying change in the world of work, innovative teaching and learning methods for self-reliant learning and the promotion of communicative and social competences are presented. In the transfer project, the professional and didactical competences of teachers and trainers are promoted.

    Explainable software systems

    Software and software-controlled technical systems play an increasing role in our daily lives. In cyber-physical systems, which connect the physical and the digital world, software does not only influence how we perceive and interact with our environment but software also makes decisions that influence our behavior. Therefore, the ability of software systems to explain their behavior and decisions will become an important property that will be crucial for their acceptance in our society. We call software systems with this ability explainable software systems. In the past, we have worked on methods and tools to design explainable software systems. In this article, we highlight some of our work on how to design explainable software systems. More specifically, we describe an architectural framework for designing self-explainable software systems, which is based on the MAPE-loop for self-adaptive systems. Afterward, we show that explainability is also important for tools that are used by engineers during the development of software systems. We show examples from the area of requirements engineering where we use techniques from natural language processing and neural networks to help engineers comprehend the complex information structures embedded in system requirements

    Optimizing Cybersecurity Risk in Medical Cyber-Physical Devices

    Medical devices are increasingly connected, both to cyber networks and to sensors collecting data from physical stimuli. These cyber-physical systems pose a new host of deadly security risks that traditional notions of cybersecurity struggle to take into account. Previously, we could predict how algorithms would function as they drew on defined inputs. But cyber-physical systems draw on unbounded inputs from the real world. Moreover, with wide networks of cyber-physical medical devices, a single cybersecurity breach could pose lethal dangers to masses of patients. The U.S. Food and Drug Administration (FDA) is tasked with regulating medical devices to ensure safety and effectiveness, but its regulatory approach—designed decades ago to regulate traditional medical hardware—is ill-suited to the unique problems of cybersecurity. Because perfect cybersecurity is impossible and every cybersecurity improvement entails costs to affordability and health, designers need standards that balance costs and benefits to inform the optimal level of risk. The FDA, however, conducts limited cost-benefit analyses, believing that its authorizing statute forbids consideration of economic costs. We draw on statutory text and case law to show that this belief is mistaken and that the FDA can and should conduct cost-benefit analyses to ensure safety and effectiveness, especially in the context of cybersecurity. We describe three approaches the FDA could take to implement this analysis as a practical matter. Of these three, we recommend an approach modeled after the Federal Trade Commission’s cost-benefit test. Regardless of the specific approach the FDA chooses, however, the critical point is that the agency must weigh costs and benefits to ensure the right level of cybersecurity. Until then, medical device designers will face continued uncertainty as cybersecurity threats become increasingly dangerous

    Ensuring Cyber-Security in Smart Railway Surveillance with SHIELD

    Modern railways feature increasingly complex embedded computing systems for surveillance that are moving towards fully wireless smart-sensors. Those systems are aimed at monitoring system status from a physical-security viewpoint, in order to detect intrusions and other environmental anomalies. However, the same systems used for physical-security surveillance are vulnerable to cyber-security threats, since they feature distributed hardware and software architectures often interconnected by ‘open networks’, like wireless channels and the Internet. In this paper, we show how the integrated approach to Security, Privacy and Dependability (SPD) in embedded systems provided by the SHIELD framework (developed within the EU funded pSHIELD and nSHIELD research projects) can be applied to railway surveillance systems in order to measure and improve their SPD level. SHIELD implements a layered architecture (node, network, middleware and overlay) and orchestrates SPD mechanisms based on ontology models, appropriate metrics and composability. The results of prototypical application to a real-world demonstrator show the effectiveness of SHIELD and justify its practical applicability in industrial settings.