Conceptual analysis of cyber security education based on live competitions

Live competitions, i.e., Capture the Flag, provide noteworthy experiences for the participants while offering both hands-on practice and entertainment. Aiming to perform a conceptual analysis as a basis for improving their pedagogical utilization, we investigate a number of live competition paradigms and analyse their structure by decomposing them into their respective elements and defining their relations. Moreover, we record the possible obstacles related to the pedagogical utilization of live competitions and group them into distinct categories. As a result, we construct a concept map of the technological and pedagogical characteristics of live competitions. Based on the proposed concept map and the recorded obstacles, we present a comparative evaluation scheme that we apply to three live competition approaches from the literature in order to reveal their value with respect to educational impact. Finally, we discuss the results of our study and suggest directions for its utilization in the phases of analysis, feasibility and assessment towards developing new live competition approaches for educational purposes. The adopted assumptions can bind the design of new efforts in the cyber security education domain, such as gamification and game-based learning approaches, which need to rely on sound learning theories, e.g. cognitive and experiential learning.
