Professional Documents
Culture Documents
Abstract— This paper describes the application of the Chal- The protection of U.S. computer systems requires an army
lenge Based Learning (CBL) methodology to cybersecurity of cyber warriors and the current estimate is that there are
education. The overall goal is to improve student learning only 1000 workers skilled in this area. However, to meet the
via a multidisciplinary approach which encourages students computer security needs of government agencies and large
to collaborate with their peers, ask questions, develop a corporations, a force of 20,000 to 30,000 skilled specialists
deeper understanding of the subject and take actions in is needed [2]. In response to these heightened concerns,
solving real-world challenges. In this study, students es- the Senate Commerce Committee recently approved the
tablished essential questions which reflected their interests Cybersecurity Act (S.773) which recommends actions the
in information security, formulated challenges on how to government should take to improve the nation’s cyberse-
safeguard confidential information from cyber attacks and curity preparedness. Among them, the government should
then came up with solutions to secure their information and fund research leading to the development of new security
network. For guiding activities, students participated in two technologies, promote public awareness of cybersecurity
cybersecurity competitions against their peers from other issues, and encourage the growth of a trained and certified
local universities. In these simulated real-life competitions, cybersecurity workforce [3].
students were forced to work together, think on their own Universities are slow to react to the need of cybersecurity
two feet and apply their knowledge to defend against cyber education. It is very common for a computer science major
attacks. Assessments performed after the study showed im- to go through four or five years of undergraduate schooling
provement in students‘ computer and security skills, interest without taking a single required class on security[4]. Con-
in learning security and ability to teach others. Student sequently, they graduate without knowing anything about it.
learning was further reinforced with publication of their At the University of Massachusetts Boston, the Computer
research findings and making presentations to their fellow Science Department offers an ABET accredited curriculum
classmates. which covers traditional courses in programming, compilers,
operating systems and others. These courses tend to be
Keywords: cybersecurity, education, challenge based learning, theoretical and they do not deal with real-world problems in
CBL security. Recently, the department has added a more hands-
on BS in IT program that offers a course in Network Security
1. Introduction Administration. Since this is a new course, enrollment is
It is well known that cyber threats to the United States limited. Furthermore, CS majors interested in cybersecurity
are prevalent and they affect our society, business, and often cannot take it because they lack the required IT
government, yet there is no concerted effort among our prerequisites. The goal for this study is to apply innovative
government and private industries to overcome them. In student learning methodologies to teach cybersecurity to a
2010, the former Director of the National Security Agency, group of motivated CS/IT students who are interested in the
Mike McConnell, testified in the Senate that if there were topic.
a cyber war breaking out against our nation’s infrastructure,
we would lose. He reiterated his grim assessment a year 2. Challenge Based Learning
later that we are no better off, though the stakes have
risen higher [1]. His concern is realized with recent cyber Methodology
attacks emanating from servers in China on Google and Research has shown that student-centered learning ap-
several dozen U.S. companies. These attackers were able to proaches are efficacious in improving student learning [5]. In
penetrate the defense of company networks and attempted to particular, the challenge based learning (CBL) methodology
steal email accounts, information on weapon systems, and proposed by Apple Computer Inc., which employs a multi-
intellectual property. disciplinary approach in encouraging students to use their
Top officials in the Defense Department have long be- knowledge and technology to solve real-world problems,
lieved that the reason why the country’s cyber defense is not has reported to yield outstanding results [6]. The challenge
up to the challenge is due to a shortage of computer security approach works because most students are familiar with the
specialists who can battle attackers from other countries. concept since they have watched multiple reality TV shows
that are based on it. The common theme is that contestants
are presented with a challenge that requires them to draw on
prior learning, acquire new knowledge, work as a team, and
use their creativity to arrive at solutions. Another reason why
this concept is successful is that the participants are highly
motivated by the common goal of potentially winning a big
reward afterwards.
The challenge concept has been applied to the develop-
ment of cybersecurity skills among high school and college
students. One example is the U. S. Cyber Challenge spon-
sored by the Center for Strategic and International Studies
(CSIS), the SANS Institute, the U.S. Department of Defense
(DoD), universities and private industrial firms [7]. It is both
a national cybersecurity talent search and skills development
program. High school students compete on-line in the Cyber-
Patriot Competition sponsored by the Air Force Association Fig. 1: The CBL Framework
where they learn how to control computer networks, defend
and protect computer systems from cyber threats and hack-
ers. High school, college and graduate students participate
security, management, use and disposition of these data.
in the DoD Cyber Crime Center (DC3) Digital Forensics
For those that have been classified as Confidential,
Challenge and the NetWars competition. The DC3 Digital
such as Personally Identifiable Information (PII) and
Forensic Challenge is an on-line event that tests students on
Protected Information, federal, state laws/regulations
individual scenario-based, investigative tools, techniques and
or organization rules may govern how they should be
methodologies. The competition fosters innovation among
protected.
students and encourage them to provide technical solutions
• What does one do to safe guard Confidential informa-
for computer forensic examiners in the lab and in the field.
tion?
The NetWars is an interactive security challenge that tests
Depending on whether the threat is internal or external
students‘ security knowledge and capture the flag skills.
to the organization, the methods of safeguarding infor-
Successful contestants in these competitions are immediately
mation are different. In the case of internal threats, one
recognized and invited to attend regional security camps,
may have to take precautions against social engineer-
national challenges, or given grants or scholarships to study
ing tactics. In dealing with external threats, the most
cybersecurity.
effective way is to secure the network and computer
Apple Computer Inc. has applied CBL to the collaboration
systems.
project, Apple Classrooms of Tomorrow (ACOT), between
public schools, universities, and research agencies with great
success [8]. In this study, we adapt the CBL methodology 2.3 The Challenge
to teach practical cybersecurity education to a team of For each essential question, a challenge was formulated
nine CS/IT students with different backgrounds of computer that asked the students to come up with a specific answer
education. Some members are sophomores and some are or solution. In our study, the students came up with:
seniors. Most students have no prior formal training on • Keep confidential information safe
cybersecurity. They enroll in this study in addition to taking • Keep network safe from cyber attacks
their regular course load.
The CBL framework, as shown in Figure 1, is imple-
mented in this study as follows:
2.4 Guiding Questions
Students generated questions that they would need to
2.1 Big Idea discover solutions for in order to meet the challenges. Some
The team considered the topic: Cybersecurity, which has guiding questions were:
broad meanings and importance to the students and society. • What are social engineering tactics? How does one
guard against them?
2.2 Essential Questions • For sensitive information such as administrator pass-
The team came up with the following questions that words, how can they be changed frequently without the
reflected their interests and the needs of the community: excessive burden of remembering the changes?
• What kind of information does one need to keep secure? • How does one know that the organization is being
The classification of information would dictate the attacked?
• What are the techniques of configuring firewalls to password because they had to pilfer the selection card, the
secure the perimeter of the network? code and the way to interpret the code in order to construct
• What techniques do attackers use to penetrate a net- the exact password. At the NECCDC, this approach was
work’s defense? openly recognised as a good idea.
4. Student Learning Results There was a sharp increase of student interest in computer
Research has shown that group dynamics plays a crucial security after the study as depicted in Figure 4. This may be
role in student learning [11]. In our CBL study, the group due to the frequent meetings where students learned from
formed had various levels of technical expertise. Students each other. Another reason is that students saw how their
were encouraged to participate in open discussions and work knowledge was applied in a real world environment. Several
together in smaller groups based on their expertise. Meetings students from the team, after the study, formed a new student
served as a conduit for students to research topics, voice group with the purpose of spreading security knowledge and
their questions and opinions on topics which they had no interest among other fellow students in the CS department.
In this study, we formed a small group of nine students.
Group members had complementary skills in computer
programming and course knowledge. Some students had
working Windows and Linux knowledge, while others had
none. The team shared a common purpose of increasing their
computer security knowledge. Team members knew they had
to achieve a common set of specific performance goals. In
Fig. 4: Student’s self-reported interest in computer security, this study, these performance goals were specified by the
before (left) and after (right). competition organizers. For both NECCDC and MITCTF,
students were aware of the services they needed to install
and maintain. Throughout the study, students agreed on
Figure 5 shows that about half of the students, after going a common working approach. This included meeting and
through the study, felt they could teach computer security discussion in a democratic manner. Students with technical
and half could not. Although all students gained computer expertise tended to guide in this area by suggesting topics to
and security skills, some still did not feel comfortable research and troubleshoot configurations. Students voted to
enough to teach others. decide which direction to take. For example, if no students
were familiar with a piece of software application or tool,
then the group jointly determined the best course of action to
take. All group members felt they were mutually accountable
for the success of the team. In our case, the group was
highly critical of each others‘ performance. Students divided
up technical functions such as email configuration, central
authentication, and DNS; they were then held responsible for
that function. If a student did not master the configuration
Fig. 5: Student’s self-reported ability to teach others security and security for that function, other students would remind
topics, before (left) and after (right). him that he needed to do so. Each student expected other
students to become experts in some technical area or some
configuration of a particular system after they had studied
Although the students came with a range of technical it.
abilities and initial interest, Figure 6 shows that all students In our study, students found the guiding activities in
who participated in the study benefited greatly from the CBL participating in the NECCDC, and MITCTF competitions
experience. These benefits included knowledge gained by most beneficial. The competition provided a real-world cyber
networking with industry professionals, improving computer defense situation that our students practiced their knowledge
and security skills, and applying these skills in a practical, on. Students were forced to work in an intense atmosphere
real world environment. that they had to band together to work as a team in solving
a problem. Each team member contributed to the solution
based on his individual training. Also, what students found
most stimulating were discussions with security profes-
sionals from industry afterwards and learning from them
techniques on securing the network. They also appreciated
the opportunity to network with company recruiters and
students from other universities in sharing their experience.
Though the CBL methodology seems to improve overall
student learning, its benefits vary from one student to another
Fig. 6: Student’s self-reported benefit of the study. based on their interest and motivation. As compared to that
of conventional teaching methodologies, CBL student learn-
ing depends more heavily on self-study and peer instruction
efforts. Those who are not sufficiently motivated to learn
5. Student Observations new concepts or technologies on their own have less to
Our study is based on one student group comprising of gain. Furthermore, those who have less interest tend not to
students with different skill levels. Though the sample size show up at the meetings as often. Since these activities are
is small, we believe the CBL methodology is beneficial to mostly student-organized, there is no penalty for not showing
teaching cybersecurity education. Our student group exhibits up except for the fact that these students will learn less.
the six team basics required for high team performance [12]. Also, the presence of indifferent and unmotivated individuals
hinders the progress of the group. 7. Acknowledgments
The loose structure of the teams in CBL, though ben- This research was supported by the Spring 2011 Program
eficial to some team members, may not work for others. on Instructional Innovation (Pi2) grant, the College of Sci-
The lack of an instructor-student hierarchical structure may ence and Mathematics, University of Massachusetts Boston.
not give enough direction for some students to follow. As The authors would also like to thank the UMB-NECCDC
a result, they lose the motivation of attending meetings. team members for their participation in the research.
Student ability is also an important factor in learning a
highly technical subject such as cybersecurity. For example, References
the students need to have basic knowledge in networking [1] M. McConnell,“To win the cyber war we have to
and scripting in order to configure the firewall to fend off reinforce the cloud”, Financial Times, April 24, 2011.
attackers. These are not only key security concepts, they are [Online]. Available: http://www.ft.com/cms/s/0/078bf734-6e9b-11e0-
a13b-00144feabdc0.html
also vital skills for system administration. Without them, [2] K. Evans and F. Matters, “A Human Capital Crisis
they cannot learn how to secure a system in a short time. in Cybersecurity”, Center for Strategic and International
Consequently, more experienced students have to spend time Studies (CSIS), Nov. 15, 2010. [Online]. Available:
http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf
teaching the less knowledgeable ones. This slows down the [3] J. Vijayan, “Cybersecurity bill passes first hur-
team’s progress and reduces their overall learning. These dle”, Computerworld, March 24, 2010. [Online]. Avail-
observations suggest that the CBL methodology, especially able: http://www.computerworld.com/s/article/9174065/ Cybersecu-
rity_bill_passes_first_hurdle/
on teaching a highly technical subject like cybersecurity, can [4] (2011) “Security Lessons still lacking for Computer Science grads”, In-
achieve a better outcome if all team members start with the foWorld. [Online]. Available: http://www.infoworld.com/t/application-
basic prerequisite knowledge. security/security-lessons-still-lacking-computer-science-grads-769
[5] G. O‘Neill, T. McMahon “Student-Centered Learning: What does
Although our CBL study does not need much instructor it mean for students and lecturers”, University of College
intervention, it requires additional resources, such as equip- Dublin. [Online]. Available: http://www.aishe.org/readings/2005-
ment and support staff to support the activities of the group. 1/oneill-mcmahon-Tues_19th_Oct_SCL.html
[6] L.F. Johnson,R.S. Smith, J.T. Smythe, R.K. Varon “Challenge-
For example, to build a practice network, the students need Based Learning: An Approach for Our Time”, The New
dedicated computers, routers and switches. This equipment Media Consortium, Austin, Texas. [Online]. Available:
is often deployed at irregular times and their malfunction http://ali.apple.com/cbl/global/files/Challenge-Based%20Learning%20-
%20An%20Approach%20for%20Our%20Time.pdf
requires off-hours support. Also, because this study deals [7] (2011) “U. S. Cyber Challenge”, Cybersecurity Workforce
with computer security, students have to negotiate firewall Development Division, Center for Internet Security. [Online].
policy with the university’s IT department so that the practice Available: http://workforce.cisecurity.org/
[8] (2011) “Challenge Based Learning- Take action and make
network will not be blocked from the Internet. These difficul- a difference”, Apple Computer Inc.. [Online]. Available:
ties highlight the importance of additional support resources http://ali.apple.com/cbl/global/files/CBL_Paper.pdf
and their flexibility in support hours that are needed to [9] (2011) Northeast Collegiate Cyber Defense Competition (NECCDC)
on March 4-6, 2011 in EMC Corporation, Franklin, MA. [Online].
effectively apply CBL to cybersecurity education. However, Available: http://www.ccs.neu.edu/neccdc2011/index.html
we believe that the potential gain in student learning justifies [10] (2011) MIT Lincoln Laboratory/CSAIL Capture the Flag Competition
the extra effort to overcome these obstacles. on April 2-3, 2011 in MIT, Cambridge, MA. [Online]. Available:
http://mitctf2011.wikispaces.com/
[11] D.R. Forsyth,Group Dynamics, 5th ed., Wadsworth Publishing, 2009.
[12] J.R. Katzenbach, D.K. Smith. “The Wisdom of Teams”, New York,
6. Conclusions NY: HarperCollins, 2003.