PicoCTF: A Game-Based Computer Security Competition for High School Students

The shortage of computer security experts is a critical problem. To encourage greater computer science interest among high school students, we designed and hosted a computer security competition called PicoCTF. Unlike existing competitions, PicoCTF focused primarily on offense and presented challenges in the form of a web-based game. Approximately 2,000 teams participated, with students playing for an average of 12 hours. We present the game-based competition design, an evaluation based on survey responses and website interaction statistics, and insights into the students who played. Further we have released our platform and challenges as an open source project, which has been adapted into the curricula of 40 high schools. Since its release in August of 2013, the PicoCTF platform has been used to host six other capturethe-flag competitions.

[1]  Gregory B. White,et al.  The CyberPatriot National High School Cyber Defense Competition , 2010, IEEE Secur. Priv..

[2]  Gianluca Stringhini,et al.  Hit 'em where it hurts: a live security exercise on cyber situational awareness , 2011, ACSAC '11.

[3]  John R. James,et al.  Architecture of a cyber defense competition , 2003, SMC'03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme - System Security and Assurance (Cat. No.03CH37483).

[4]  Allen B. Tucker,et al.  A Model Curriculum for K--12 Computer Science: Final Report of the ACM K--12 Task Force Curriculum Committee , 2003 .

[5]  Giovanni Vigna Teaching Network Security Through Live Exercises , 2003, World Conference on Information Security Education.

[6]  Nickolai Zeldovich,et al.  Experiences in Cyber Security Education: The MIT Lincoln Laboratory Capture-the-Flag Exercise , 2011, CSET.

[7]  Chris Stephenson,et al.  Running on Empty: the Failure to Teach K--12 Computer Science in the Digital Age , 2010 .

[8]  Mike O'Leary Small-Scale Cyber Security Competitions , 2012 .

[9]  Aman Yadav,et al.  Learning to teach computer science: the need for a methods course , 2012, CACM.

[10]  Cynthia E. Irvine,et al.  Active Learning with the CyberCIEGE Video Game , 2011, CSET.

[11]  Terrence O'Connor,et al.  Experiences with Practice-Focused Undergraduate Security Education , 2010, CSET.

[12]  Wenliang Du,et al.  Enhancing Security Education with Hands-On Laboratory Exercises , 2010 .

[13]  Sergey Bratus What Hackers Learn that the Rest of Us Don't: Notes on Hacker Curriculum , 2007, IEEE Security & Privacy.

[14]  Joseph Paul Cohen,et al.  Challenge Based Learning in Cybersecurity Education , 2011 .

[15]  Cynthia E. Irvine,et al.  Amplifying Security Education in the Laboratory , 1999 .

[16]  Timothy H. Lacey,et al.  Collective Views of the NSA/CSS Cyber Defense Exercise on Curricula and Learning Objectives , 2009, CSET.

[17]  Joseph Paul Cohen,et al.  Effectiveness of Cybersecurity Competitions , 2012 .