Spartan Daily, November 8, 2018

Volume 151, Issue 35https://scholarworks.sjsu.edu/spartan_daily_2018/1077/thumbnail.jp

Designing Authentic Cybersecurity Learning Experiences: Lessons from the Cybermatics Playable Case Study

This paper reports our work on an educational simulation that we call the Playable Case Study (PCS). A PCS is characterized by a fictitious narrative integrated with real-world learning activities, helping students learn skills, knowledge, and dispositions relevant to a professional career. We describe a recent pilot test of a PCS focused on the discipline of cybersecurity, emphasizing the kinds of tensions and difficulties that can arise during the development of immersive, experiential learning experiences: a) challenges accompanying the work of interdisciplinary PCS teams, particularly maintaining technical accuracy while still developing an authentic and engaging narrative; b) reconciling the opportunities provided by the philosophy of the simulation with the need to scaffold educational experiences to support students’ capabilities; and c) integrating the PCS into the classroom environment. We also provide design recommendations, in the form of questions that others can consider if they are attempting to create similar educational experiences

Towards Routinely Using Virtual Reality in Higher Education

Virtual reality promises to be a tool that can improve higher education. Immersive virtual environments offer the chance to enrich courses with experiential learning experiences. The technological possibilities evolve rapidly and more and more researchers report on adopting virtual reality for learning – albeit such work often has a more or less experimental character. However, the base of knowledge on using virtual reality in higher education is growing; educators who want to employ virtual reality to amend courses, to extend the curriculum with experiential learning, or who want to offer new content enabled through virtual reality, find increasingly rich advice. With this article, we contribute to this advice by providing insights from three research cases. Although these were experimental, their embedding into a larger project enables us to propose recommendations for educators. The ultimate aim of our work is the routine use of virtual reality in higher education

Tabletop Exercise For Cybersecurity Educational Training; Theoretical Grounding And Development

Haridus- ja treeningaspektid on riiklike küberturvalisuse strateegiate vitaalsed komponendid, et kujundada, tugevdada ning proovile panna otsustajate valmisolekut nii aktuaalsete kui võimalike tulevaste küberväljakutsete ees. Küberkaitses ja -julgeolekus on otsuste langetamisel üliolulised kriisijuhtimisoskused, et suuta adekvaatselt vastata juhtumitele, mil era- või avalik heaolu ja turvalisus on ohustatud. Selle magistritöö eesmärk on välja pakkuda küberjulgeoleku strateegiate hariduslike komponentide võimalike ning teadaolevate nõrkuste parandamine, arutledes teadlikkuse väljaõpete mudeleid märkimisväärse mõjuga osavõtjatele, fookusega strateegilise otsustamisvõimega personalil, mis võiks osaleda küberjuhtumis. Töö toetab simulatsioonil põhinevate stsenaariumite kasutamist ning keskendub mudelõppuste kujundamisele. Käesolev töö näitab, kuidas mudelõpe võib olla tõhus viis küberjuhtumites strateegiliste otsuste langetamisel teadlikkuse, mõistmise ja ettevalmistuse kujundamiseks, parandamiseks ning proovilepanemiseks. Lõputöö tugineb ditsiplinaarsel ja kontseptuaalsel õpinguteooriate integratsioonil mängustamisel põhinevate ajenditega ning juhtimisteooriatega. Stsenaariumil põhinev treening pakub turvalist ja paindlikku keskkonda, kus osavõtja on pandud kriitilisse situatsiooni, säilitades realistlikku ülevaate küberkriisi tunnustest ning võimalikest ohtudest. Simulatsioon väljendab võimalikke väljakutseid, nõudes kriisijuhtimisoskusi ning kohast reaktsiooni. Mudelõppused võimaldavad andragoogilise kasu ja hariduslike eesmärkide realiseerimist innovatiivsel ja kaasaval meetodil. Selle treeningmudeli tulemused mõõdetakse kasutades Bloomi õppe-kasvatustöö eesmärkide liigituse kontrollitud taksonoomiat, arvesse võttes kogemusõppe ja paiknevustunnetuse elemente. VOOT-tsükkel pakub läbimõeldud otsustusprotsessi, mis samuti sobib antud ettepaneku dünaamikasse. Lisaks panustab töö originaalse modulaarse juhendiga, mida treenijad ning õppejõud saavad kasutada mudelõppe teostamiseks küberjulgeolekus. Riikliku ja rahvusvahelise tasandi mudelõppuste kogemus ja osavõtt sai empiirilist tuge teoreetilisele integratsioonile ning teadustas modulaarse juhendi arengut. Töö on kvalitatiivne. Lõputöö panustab asjakohasesse akadeemilisse dialoogi selle teoreetiliste alustega. Samuti praktiliselt, kuna pakub vahendeid simulatsioonipõhise mudelõppe läbiviimiseks.Education and training aspects are vital components of national cybersecurity strategies, to shape, enhance and test the decision maker’s level of preparedness before current and future challenges that can arise from a cyber incident. Decision-making processes in cyber defense and security require crucial crisis management competences capable of generating a comprehensive response where safety, well-being and other public and private assets could be put at stake. The purpose of this thesis is to suggest the improvement of potential and perceived weaknesses on the educational components of cyber security strategies, discussing awareness-training models with significant impact on the participants, focusing on strategic decision-making level personnel that could partake of cyber related incidents. The work supports the use of simulation-based scenarios, and concentrates on the design of Tabletop exercises. This thesis shows when a tabletop exercise could be an effective mechanism to shape, enhance and test the awareness, understanding and preparation for strategic decision makers in cyber related incidents. The thesis draws from a disciplinary integration of learning, human computer interaction, and management theories. A scenario-based training provides a safe and flexible environment where the participant is placed into a critical situation while maintaining a realistic insight into the characteristics of cyber crisis and the threats and attacks that may take place. The simulation represents possible challenges, demanding crisis management capacity and an appropriate response. Tabletop exercises permits that andragogical benefits and educational purposes be realized through an innovative and engaging method. Considering elements from experiential learning and situated cognition the learning outcomes of this training model will be measured, using Bloom’s revised taxonomy of educational objectives. The OODA Loop will suggest a thoughtful decision making process that also fits well the dynamic of the current proposal. Additionally, the thesis will contribute with an original modular guide that trainers and educators can use for the implementation of a Tabletop exercise on cyber security. National and international level tabletop exercises experience and participation provided empirical support to the theoretical contribution on theory integration, and informed the modular guide development. The work is qualitative and therefore seeks to observe, interpret and understand, by using documental analysis, and observation methods. The work contributes to the relevant academic dialog on its theoretical grounds and also in practical terms, by providing with tools readily applicable to the creation of simulation based tabletop exercises

Multidisciplinary Game-Based Approach for Generating Student Enthusiasm for Addressing Critical Infrastructure Challenges

Building upon experiences from past course offering,1 several universities across the United States (U.S) have incorporated a critical infrastructure educational game platform as a unifying platform to integrate different disciplines to a common goal. The critical infrastructure backbones of the world provide the delivery mechanisms for energy and other utilities that provide the lifestyle we have come to expect in our society. As these critical infrastructure systems have evolved, the complexity of their integration has generated numerous challenges as a side effect of increased automation that are more pronounced as the infrastructure ages. Although still a modern technological wonder, the power grid needs a workforce that understands the complex, interdependent facets of the current grid as it evolves to a smarter grid and is pushed closer to its limits through improvements in automated measurement and control. The next generation of technology developers and operators will require an interdisciplinary understanding to reliably and securely integrate advanced communication and control technologies into the infrastructure and create systems to address the new demands of increased renewable and distributed generation, complex markets, and resilience to damaging storms and cyber attacks. Educational institutions need to accept the challenge of weaving the great diversity of contributing disciplines into the common fabric which allows specialties to effectively work together

Benefits and Pitfalls of Using Capture The Flag Games in University Courses

The concept of Capture the Flag (CTF) games for practicing cybersecurity skills is widespread in informal educational settings and leisure-time competitions. However, it is not much used in university courses. This paper summarizes our experience from using jeopardy CTF games as homework assignments in an introductory undergraduate course. Our analysis of data describing students' in-game actions and course performance revealed four aspects that should be addressed in the design of CTF tasks: scoring, scaffolding, plagiarism, and learning analytics capabilities of the used CTF platform. The paper addresses these aspects by sharing our recommendations. We believe that these recommendations are useful for cybersecurity instructors who consider using CTF games for assessment in university courses and developers of CTF game frameworks

Hack the room:an augmented reality game for non-experts to learn ethical hacking

Abstract. The shortage of cybersecurity skills caused by a widespread talent drought is having a signifcant economic impact on organizations globally. Several initiatives have been implemented to address this defcit, providing new educational pathways for novice and advanced students. Recently, ethical hacking gamifcation platforms and Capture the Flag (CTF) online games have risen in popularity, offering fun and engaging content that motivate beginners to acquire offensive and defensive cybersecurity skills. However, the use of augmented reality (AR) applications for cybersecurity skill development remains mostly unexplored. Against this backdrop, the overall aim of the thesis is to examine whether CTF games in AR can improve learning outcomes in information security and enhance security situational awareness. Specifcally, we explore how AR gamifcation impacts training and overall experience in the context of ethical hacking tasks. To achieve this, we have created Hack the Room, which is an ethical hacking game developed in Unity, where players use Linux terminals to solve CTF-style tasks. The game can be used for learning key cybersecurity concepts vital for organizations, and target users who have no previous cybersecurity experience, and need to be retrained for future-proofng organizations. In the game, the player has to use simple simple Linux terminal commands like listing fles in directories and reading fles stored in virtual machines hosted in the cloud (CSC Pouta) to reach the predetermined tasks. Each playthrough lasts 20 minutes and features three tasks. The game can be modifed or made more diffcult by changing the tasks in the virtual machine. The main goal of the game is to complete all of the tasks in the game. Our gamifcation concept was evaluated in a feld experiment that included six participants divided into two groups, an expert group (N=3) and a non-expert group (N=3). The expert group responded to a questionnaire that assessed their situational awareness during the game, while the non-expert group responded to a questionnaire that evaluated learning outcomes. The participants reported positive learning outcomes and high situational awareness after playing the game.Hack the room : lisätyn todellisuuden peli eettisen hakkeroinnin oppimiseen. Tiivistelmä. Pula tietoturvaosaamisesta vaikuttaa taloudellisesti organisaatioihin maailmanlaajuisesti. Tämän puutteen korjaamiseksi on tehty useita aloitteita, joissa tarjotaan oppipolkuja aloitteleville sekä edistyneemmille oppillaille. Eettisen hakkeroinnin pelillistämisalustat sekä Capture the Flag- (CTF) (suom. lipunryöstö) verkkopelit ovat lisänneet suosiotaan viime vuosina ja ne tarjoavat hyvän mahdollisuuden vasta-alkajille opetella tietoturvahyökkäämistä ja -puolustamista. Lisätyn todellisuuden hyödyntämistä tietoturvakoulutuksessa ei ole kuitenkaan tutkittu laajalti. Tässä kandidaatin tutkinnossa käsitellään lisätyn todellisuuden hyödyntämistä CTF-peleissä sekä sitä, miten lisätty todellisuus vaikuttaa tietoturvallisuuden ja turvallisuuden tilannetietoisuuden oppimiseen. Käsittelemme erityisesti, miten lisätyn todellisuuden pelillistäminen vaikuttaa harjoitteluun sekä yleiseen kokemukseen eettisissä hakkerointitehtävissä. Tämän mahdollistamiseksi loimme Hack the Roomin, joka on Unityssä kehitetty kyberturvallisuuspeli, jossa pelaajat käyttävät Linux-terminaaleja läpäistäkseen lipunryöstötyyppisiä tehtäviä. Sitä voidaan käyttää työkaluna henkilöiden tietoturvaan tutustuttamiseen, kouluttamiseen ja uudelleen opettamiseen. Pelin tehtävät koostuivat yksinkertaisista tehtävistä, joissa käytettiin Linuxkomentoja, kuten tiedostojen listaamista ja -lukemista. Jokainen pelikerta on 20 minuutin pituinen ja sisältää kolme tehtävää. Peliä voi muokata tarpeiden mukaan, esimerkiksi nostaa vaikeustasoa muuttamalla pelin virtuaalikonetta. Pelin käyttämä virtuaalikone sijaitsee CSC Pouta-palvelimella. Kehittämämme pelillistämiskonsepti evaluoitiin kenttäkokeella. Kokeessa oli 6 osallistujaa, jotka jaettiin kahteen ryhmään. Ryhmät koostuivat asiantuntijoista ja henkilöistä, joilla ei ollut aiempaa kokemusta eettisestä hakkeroinnista. Asiantuntijoiden ryhmä vastasi kyselyyn, joka mittasi heidän tilannetietoisuuttaan ja toinen ryhmä kyselyyn, joka mittasi heidän oppimistaan pelissä. Kenttäkoe osoitti sekä positiivisia oppimistuloksia, että korkeaa tilannetietoisuutta pelissä

Guidelines for cybersecurity education campaigns

In our technology- and information-infused world, cyberspace is an integral part of modern-day society. As the number of active cyberspace users increases, so too does the chances of a cyber threat finding a vulnerable target increase. All cyber users who are exposed to cyber risks need to be educated about cyber security. Human beings play a key role in the implementation and governing of an entire cybersecurity and cybersafety solution. The effectiveness of any cybersecurity and cybersafety solutions in a societal or individual context is dependent on the human beings involved in the process. If these human beings are either unaware or not knowledgeable about their roles in the security solution they become the weak link in these cybersecurity solutions. It is essential that all users be educated to combat any threats. Children are a particularly vulnerable subgroup within society. They are digital natives and make use of ICT, and online services with increasing frequency, but this does not mean they are knowledgeable about or behaving securely in their cyber activities. Children will be exposed to cyberspace throughout their lifetimes. Therefore, cybersecurity and cybersafety should be taught to children as a life-skill. There is a lack of well-known, comprehensive cybersecurity and cybersafety educational campaigns which target school children. Most existing information security and cybersecurity education campaigns limit their scope. Literature reports mainly on education campaigns focused on primary businesses, government agencies and tertiary education institutions. Additionally, most guidance for the design and implementation of security and safety campaigns: are for an organisational context, only target organisational users, and mostly provide high-level design recommendations. This thesis addressed the lack of guidance for designing and implementing cybersecurity and cybersafety educational campaigns suited to school learners as a target audience. The thesis aimed to offer guidance for designing and implementing education campaigns that educate school learners about cybersecurity and cybersafety. This was done through the implementation of an action research process over a five-year period. The action research process involved cybersecurity and cybersafety educational interventions at multiple schools. A total of 18 actionable guidelines were derived from this research to guide the design and implementation of cybersecurity and cybersafety education campaigns which aim to educate school children