ISCAP Proceedings - 2024

Baltimore, MD - November 2024



ISCAP Proceedings: Abstract Presentation


Teaching Cybersecurity to Business and Law Undergraduates: An Innovative Team-based Authentic Learning Approach


Michael Lang
University of Galway

Abstract
This study reports on the author's experiences of teaching an introductory cybersecurity module to a cohort of 217 undergraduate business and law students (female 45%, male 55%) at the University of {ANONYMOUS} in the 2023/'24 academic year. The learning outcomes were to develop abilities to (1) document how cybersecurity attacks and defences work in practice; (2) analyse cybersecurity threats and risks; (3) evaluate decision-making outcomes of cybersecurity scenarios; (4) identify basic principles and techniques when designing a secure system; and (5) develop an incident management plan for a cybersecurity breach.
Students were placed into 55 teams, with 3 or 4 in each team. Each team was required to engage in an exercise called 'The Big Heist Challenge', which had two phases. In the first phase, teams had to devise a hypothetical cybersecurity attack plan against a fictitious organization of their own choice, which could be in any industry sector. In the second phase, teams were given the anonymised attack plan of another team and had to produce a defence plan to mitigate or avoid the cyberattack. Students were permitted to replicate or mimic elements of actual cybersecurity attacks, provided they cited source materials and explained how their plan was influenced by previous attacks. As it turned out, most teams independently devised their own attack strategies, which for the most part were highly imaginative.
The deliverable for the attack phase required students to give an initial outline of the target organization and its security posture, and to explain the motive for the attack and its ultimate objective. Then they had to explain how the plan would be executed, stepping through the phases of the cybersecurity kill chain framework (i.e. reconnaissance, penetration, execution, and acting-on-objectives). They also had to present a 'Plan B' with alternative branches of action, in the event that some aspects of the original plan were scuppered.
The deliverable for the defence phase required students to attempt to foil an attack. The 55 attack plans from the initial phase were stripped of all personally identifiable information, randomly shuffled, and each allocated to a different team. Again, the defence plan was structured around the phases of the kill chain (Lockheed Martin, 2015), asking students to consider how the proposed strategies used by the attacker could be defeated by putting better processes and countermeasures in place. Additionally, students were asked to think about risk management and business continuity/disaster management, and to consider legal aspects (e.g. what crimes, if any, were committed? What should the defending organisation do to meet its legal obligations? What practical steps should be taken before contacting regulatory or law enforcement authorities?).
Teams were asked to provide optional feedback as part of their submission. Additionally, each individual student was invited to complete an anonymous questionnaire, which asked about various aspects such as skills development, authenticity, clarity of expectations, interaction with peers and with faculty, adequacy of resources, and effectiveness of the teaching approach, using items adapted from previous studies (Moore, 2011; Ramsden, 1996; Ravenscroft et al., 2017; Walder, 2017). Dummy items were included to ensure that students were paying attention. 29 responses were removed because of invalid responses to dummy items, leaving 86 valid responses to the questionnaire. Additionally, 26 teams provided feedback. The students overwhelmingly felt that the learning outcomes were achieved, with 94% agreeing or strongly agreeing they effectively acquired the competence to document how cybersecurity attacks and defences work in practice, and 98% agreeing or strongly agreeing they effectively acquired the competence to analyse cybersecurity threats and risks.
Analysis of qualitative feedback revealed that students found the project engaging and enjoyable, particularly appreciating its innovative and interactive nature. They valued the opportunity to apply theoretical knowledge in a practical, real-world scenario, which they found more effective than traditional assignments. Collaboration was a major theme, with students highlighting the benefits of working in teams. They appreciated the division of labor, diversity of perspectives, and the seamless communication that enriched their learning experience. Some students encountered difficulties with the technical aspects of the assignment, particularly those without a technological background. They expressed uncertainty about the depth of technical detail required and suggested that additional resources or examples could be helpful. Further suggestions for improvement included providing examples of past work, having a dispute resolution protocol, and providing additional timely reminders to assist students with project management.

References
Lockheed Martin (2015). Gaining The Advantage: Applying Cyber Kill Chain® Methodology to Network Defense. Available at https://tinyurl.com/cyber-kill-chain
Moore, I. (2011). A Guide to Practice: Evaluating your Teaching Innovation, University of Birmingham and The National HE STEM Programme Curriculum Innovation Projects.
Ramsden, P. (1996). Learning to Teach in Higher Education. London: Routledge.
Ravenscroft, B., Luhanga, U., & King, B. (2017). Adapting Bangert's online teaching effectiveness evaluation tool to a Canadian context. Innovations in Education and Teaching International, 54(4), 355-363.
Walder, A. M. (2017). Pedagogical Innovation in Canadian higher education: Professors' perspectives on its effects on teaching and learning. Studies in Educational Evaluation, 54, 71-82.