Pros/Cons of teaching cyber-security

From the experience of teaching a month-long crash course in cyber-security I gleaned some insight into some strengths and weaknesses of cyber-security as a educational subject:

Some observed strengths:

  • Naturally hands-on/experiential
  • Can have a fun Hollywood mystique
  • Proof of understanding can be discrete

Some observed weaknesses:

  • Huge spectrum of knowledge/skills in any group of students
  • Terminal intimidation

I’ll discuss some of my thoughts on the above bullet points. Most poignantly, many of the weaknesses of this topic are actually just the converses of a strength. While one student is intrigued to be behind the wheel in a Terminal screen (because of all the Hollywood imagery) another student sees nothing but a blinking cursor, and has no idea where to begin. And although the discrete evidence of understanding is nice for grading, the all-or-nothing feel of an assignment can be daunting to some students. Finally, though it clearly is so easy to make cyber-security topics hands-on, many other resources are available online, and a handful of students can complete half of picoCTF alone and the rest cannot open a problem file in the terminal.

My tactic for dealing with the diversity of skills/knowledge was to lecture at a high level and fairly slowly, but give access to all of picoCTF 2018, thus letting advanced students complete more advanced problems. I don’t have much information on how this tactic worked, but I think it left much to be desired, as even advanced students hit walls that they needed help with. While my students in the summer of 2019 were great at answering questions, most were not apt to ask questions (with notable exceptions) and though my TA’s and I did help student overcome obstacles in advanced picoCTF problems, I believe I have much to learn in dealing with this challenging aspect of cyber-security education.

Something I was not expecting was how much fun students had when they felt enabled to use the terminal in exciting ways (ala my custom Hash Cracking Challenge available here.) I got to teach students a lot by instructing them how to access files I had placed in a shared folder available through picoCTF 2018 shell server. There were 6 levels of the challenges (I supplied possible passwords, and the students had to sift through more and more of them) most students completed the first couple levels, a few completed all but the last level and only one student completed the last level, which is just about perfect distribution in my opinion. It was a very simple challenge (to my eyes) but students loved it, and I think for future iterations of this course, I want to do more things like that.

Lastly, I cannot emphasize enough the challenge of familiarizing students with the terminal. As a computer security researcher, I was a bit side-swiped by the difficulty my students had with the terminal, but other cyber-security instructors I have talked with also point to the terminal as perhaps the biggest learning curve to cyber-security education. It is very different than the usual way of interacting with computing devices and perhaps security educators do not communicate well about the reasons why terminal usage is so critical to the security engineering toolset …

I will continue to ponder these things and try teaching those around me with different tacts, but what are some of the pedagogical aspects that cyber-security make easy and some that it makes hard in your experience?