Teaching Cyber Security
New Cyber and Information Security programs are emerging at a very fast pace. Almost every university has one as part of their curriculum now. This will come at no surprise to anyone who has just vaguely followed the news in recent years. Our society is fundamentally dependent on IT systems, everything is interconnected through the Internet, but vulnerabilities/hacks/breaches are occurring on a daily basis. Therefore, the number of students interested in obtaining a degree in this field is very high, and there is clearly a lack of qualified cyber security professionals.
For such reasons many universities have "added" a Cyber Security undergraduate or graduate degree to their curricula. This is often viewed as a "specialization" or "add-on" to a Computer Science degree. Unfortunately, many curriculum designers fail to realize the critical importance of the interdisciplinary nature of this area. Admittedly, cyber security needs professionals who are good at using keyboards. However, the challenges graduates will face in their jobs are much more complex. Cyber Security requires a good understanding of law, human factors/psychology, mathematics/ cryptography, social sciences, economics, security & risk management/IT audit, etc. And even within the technical domains, there is quite a difference in skills required for, say, someone working in network/system monitoring, to big data/machine learning, to someone doing digital forensics for a law enforcement agency, or malware reverse engineering for a security firm, and someone performing penetration tests, etc. Ideally, a graduate out of a Cyber Security program should have a basic understanding of all of those areas, plus an academic background please.
This sums up the challenges curriculum designers need to face these days. It needs to be well understood that this area is fundamentally different from any of the existing curricula and cannot be viewed as an "add-on". The main challenges are:
- Creating the foundations for a truly interdisciplinary understanding of the subject area.
- Making sure we do not loose academic values (such as critical thinking).
The last point is very important, as we need to ensure there is a distinct reason for attending a university. Decay of academic degrees have been reported manifold. Without an academic degree it is very hard to get a job, but as more and more students obtain such degrees there is also no distinctive advantage anymore for graduates. In fact, industry asks more and more for specific skills to be covered in university programs. In the area of cyber security, most of those skills can actually be obtained through vocational education or profession trainings—a university degree is not required.
For several years now, the higher education sector is discussing the changes that the information age has and will have on transforming the foundations of universities. Massive Open Online Courses (MOOCs) are cheaper, operate at large scale, and provide location-independent education. MOOCs also allow students to be more flexible to learn at their own optimal pace and time. Critics ask what the future of universities will look like in the face of this global online revolution, in particular with respect to the raising cost of higher education?
The Problem of the Higher-Education Industry
Today universities provide to the student: (1) detailed knowledge of a particular subject area, and (2) an accredited certificate. Online courses, on the other hand, have the potential to provide more inspiring, more career-oriented and more specialized knowledge—compared to already overworked academics. Some institutions already offer accredited certificates, and it will only be a matter of time until industry recognize those certificates as job qualifications.
Is this going to be the end of the traditional higher education institutions? Are we sleepwalking into a crisis?
One important aspect has been forgotten in this argumentation: universities are supposed to be more than an accumulation of information. One of the cornerstones of academia was always the transformation of thought, the ability to dissect scientific concepts and to think in abstract forms and structures. Those are values of higher education since Socrates or Plato, but they have changed in the light of large commercialization. This commercialization is slowly leading to a decay of the quality of our graduates. Let me illustrate this at the example of the Cyber Security MSc program at Tallinn University of Technology. We are now in the process of transforming from a free to a paid program. Soon our students will have to pay €12,000 for attending the 2-year long MSc program. Looking at prices that universities elsewhere charge, for example top-universities in UK or USA, the difference is not that large anymore. While the intention of the government and university might have been to get some of the "expenses back", the intake will change fundamentally. Not only will capable and smart students, who are living in poor families, no longer be able to afford to come to study, but also those students who can afford studying will rather go to better ranked universities—especially if the same degree qualification can be obtained in one instead of two years. On top of this, in the future it will be possible to get all the knowledge required to obtain a well-paid job, without the need to pay for an expensive academic degree. What is the need then for a second or third tier university?
We are now at a critical time, higher education is transforming and this can either be a blessing or a curse. If universities fail to understand that we are facing disruptive technology it will lead to the bankruptcy of many higher education institutions. On the other hand we have now the chance to use this new technology to our advantages. "The question is whether current academic leaders have the vision, courage, and decisiveness to position their institutions to be academic leaders in the 21st century".
In 1984 educational psychologist Benjamin Bloom described the 2-sigma problem, which essentially states that a student subject to 1-to-1 tuition will develop from an average student into one at the top 98% quantile of all students. MOOCs can perfectly replace large-scale lectures, but they do not adjust adequately to the learning individual. Team building, communication, and interpersonal skills are vital in a globalized world and difficult to obtain via MOOCs.
Experimenting with transformations in the area of Cyber Security
Let me try to illustrate the challenges and opportunities that the interdisciplinary nature of Cyber Security poses: Image a MSc-level course on "hardening operating systems", and also imagine one student with 10 years of system administration experience (yes, we do have such students) attending this course, and another student being a graduate from an IT-Law program (without much "traditional computer science" background knowledge). Clearly both students are among the Cyber Security target audience. However, with traditional teaching methods it is next to impossible to teach such a course, as the experienced system administrator will be fundamentally bored; while the law graduate would be lost right after the first set of lectures. And while informal feedback from students typically confirms that they enjoy the breath different backgrounds of their colleagues, it poses unique challenges on the teaching methodology.
However, here is the unique opportunity for "flipped classroom" and "Education 3.0" teaching approaches. The student from our example with 10 years of system administration experience, might have to learn about the difference between criminal and civil law; while the lawyer will have to understand what a bash shell is. For this MOOCs can be an excellent enabler. Students can work in their own pace through areas where knowledge is missing. The quality of the online learning course is often also much better than the quality of a random unmotivated and overworked lecturer. And finally, learning the facts or reading a book is not what needs to be done in a classroom using PowerPoint. Time can be much better spent in smaller study-groups or seminar courses, and on 1-to-1 teaching, which creates a positive feedback loop and integrates Benjamin Bloom's 2-sigma problem as a fundamental part of the teaching strategy.
The overall mix of students with different backgrounds and different future dreams is then creating an inspiring atmosphere, to delve into a discourse and create an understanding for the interdiciplinary problems we are facing.
This forms the basis for a constructive transformation of higher education, which integrates disruptive learning and teaching techniques instead of competing with them over the same market-share.
For example, adaptive learning techniques can be used to assess students capabilities and then adjust accordingly. Think of it, for example, in the following way: imagine the task given to the student is to configure a system to only allow ssh version 2 access to a server. Anyone with basic linux skills will be able to do that in less than 30 seconds, while the task might take quite a long time for a student without the required background knowledge. Just measuring the time to solve this task will already be a sufficient metric to assess the skill-level and, dependent on the outcome, the system then either adapt to go and cover more material from the linux fundamental area or just skill the branch completely and move to the next topic area. I-tee could serve as the underlying platform for building such an adaptive learning platform.
The value of universities?
One big question remains unanswered. How do we bridge in the future the academic values into a curriculum already filled with technical details. The technical details are of critical importance to understand and solve real-world issues, but they change over time and do not form the basis of academic thinking. It will be important to get the balance right in the future. In my opinion, a few aspects are important to keep in mind:
Engage students in scientific discourse. Today we have a wide choice of technology that allows us to optimize our teaching, but in needs to engage the student. Technology can not only be used to reduce repetitive tasks, but may also foster academic discourse. For example, blended learning proposes careful mix between asynchronous Internet technologies with face-to-face learning. It is important to appreciate the different cultural backgrounds and teach in a way that suites everyone, and this method also addresses Bloom's 2-sigma problem.
Integrate technology in a meaningful way. Simple role-play tools can create realistic situations, which significantly improve student's motivation. However, technology should never be used just for the shake of using technology. In my teaching I integrate it in the form of role-play scenarios. For example, to recreate the operations of an Internet Service Provider (ISP). Or in simpler forms via online discussion forums. Such simple tricks will encourage quieter students to "speak-up", as the anonymity of the forum can allow students to think first. However, it is important that the technology makes sense to the student, e.g., via replicating the processes of the Internet Engineering Task Force (IETF).
Teach skills beyond "detailed knowledge". We are observing an ever-increasing gap between detailed knowledge and fundamental theory. In particular in cyber security our graduates need to have detailed knowledge, but my goal is also to develop metacognitive processes that transforms thought structures. This often goes beyond the communication of basic knowledge that is required by the curriculum. In my teaching this is integrated by an open-ended question/assignment at the beginning of the course and letting the students workout how to solve the detail. This enables also creative thinking.
I will illustrate those principles at the example of three classes that I have created:
Special Topics of Cyber Security (ITC9010 & ITC9020) a joint research course taught at Tallinn University of Technology in-collaboration with University of Adelaide, Hochschule Ravensburg-Weingarten & HITSA.
The objective of this year-long course it to strengthen Estonia's position on international cyber security research excellence.
Estonia has an active start-up scene and "can-do" attitude, but is still lacking in research excellence. In the world rankings, the best Estonian university (University of Tartu) was ranked at 314 and Tallinn University of Technology obtained a 600+ ranking. In order to strengthen the cyber security research profile, Estonia needs long-term collaboration with strong research-intensive universities around the globe. Combining research innovation with the existing start-up mentality will be a catalyst for future evolution of the Cyber Security scene in the region.
This course is designed to build the basis for the brightest cyber security students to establish long-term collaborations on an international-level. The starting point for this is solving some concrete problems in an international collaborative way. While targeting Cyber Security PhD students, we also admit MSc students, who have a strong interest in pursuing an academic career, conducting research, and publishing papers. The aim is to develop towards one of the flagship courses of the academic side of the university's program and invite brighter minds to come to Estonia. Throughout the course the participants will be constantly mentored on a one-to-one basis.
It's a year-long/two-semester course, where the first semester focuses on research topic finding, literature review and research methodology and the second semester focuses on research results, and paper writing. The course starts the collaborative research with a two-week face-to-face meeting in January in Adelaide, Australia (hosted by University of Adelaide). During that time small international teams form. After the workshop, the participating students return home, but continue to work together on their chosen research topics remotely. In July, the students meet again face-to-face, this time in Estonia. During that meeting, there is time to discuss initial research results at an Interdisciplinary Cyber Research (ICR) workshop, and sit down together to work on the problems. For the international students coming to Estonia, we organise an "e-Estonia-dream" tour and their visit is also aligned with the C3S Summer School (see below). At the end of the year it's expected that the research efforts have led to an academic paper draft.
This course is a teaching experiment already in the second-year iteration for establishing long-term collaborating research with other research-intensive universities around the world.
See course website for more information.
The Cyber Security Summer School (C3S) at Tallinn University of Technology, funded by the Information Technology Foundation for Education in Estonia (HITSA),
aims at top-level cyber security education attracting world-leading speakers and using innovative and novel teaching methods to create a week-long memorable learning experience. As Estonia is on the forefront of Cyber Security in many aspects, this summer school makes its contribution by bringing together the young researchers across the world to spread this know-how and culture. I have been in charge of the design, concept and the academic content since its beginning and it has been running for the last consecutive three years.
Cyber Security Summer School 2017
The theme of this C3S was on Social Engineering—Capture the Flag. Social engineering is one of the major concerns in cyber security. The human factor is often regarded as the weakest link and someone is always clicking on a link they really shouldn't click on. Sadly, the education and awareness in this area is low and for this reason cyber criminals are so successful. We must raise this bar and train our next generation of cyber experts better. Unfortunately, not too much research goes into how this can be done effectively. Teaching and training methods are lacking—and this is for a very good reason: social engineering is a hybrid area covering (among others) psychology, technology and criminology. Furthermore, it includes and targets humans, which becomes quickly borderline ethical. So instead of trying to find a suitable ethical and legal way of teaching effectively the dangers of social engineering, many just shy-away from this area. However, in order to advance education in this space, it's absolutely critical to learn how to teach social engineering topics and discuss them openly within the community of cyber security experts. In this summer school, participants had the very unique opportunity to be able to experience a real-world social engineering pen-test against a real company.
The event was organized jointly with Tobias Eggendorfer (Hochschule Ravensburg-Weingarten). Speakers of this event included Freddy Dezeure (former head of EU-CERT), Kieren Nicolas Lovell (Cambridge CERT), Aunshul Rege, Dirk Labudde, Jeffrey Moulton, Kätlin Konstabel, Ralph Echemendia ("The Ethical Hacker"), Vesselin Popov (Psychometrics Centre, Cambridge University). Participation was limited to 50 students, and we had 22 speakers or mentors. http://www.studyitin.ee/c3s2017.
Cyber Security Summer School 2016
The summer school focused on Digital Forensic—from a Technology and Law perspective. This interdisciplinary summer school aimed at fostering an understanding between "techies and lawyers". During the week, the students were confronted with a completely fictions scenario (where a minister was murdered while abroad). The students got a laptop that was "recovered from the crime scene", phone records, etc. The techies needed to do the forensic analysis, and extract documents that are relevant for the moot court case. The objective was to create a learning environment that is engaging for lawyers as well as techies and engage them into a meaningful dialog.
It was jointly run with Helen Eenmaa-Dimitrieva founder and director of the IT-Law at Tartu University. Speakers presenting included: Tobias Eggendorfer, Didier Meuwly, Hein Dries-Ziekenheiner, Jeffrey Moulton, Merike Kaeo, and barrister Stephen Mason. We had 45 PhD-level-student, 15 mentors.
Cyber Security Summer School 2015
This summer school focused on Information Security and was run jointly with Jon Crowcroft (Cambridge University, UK). We were very fortunate to get a set of very prestigious speakers. This list included: Steve Bellovin, George Danezis, Richard Gold, Mehis Hakkaja, Tristan Henderson, Richard "Dick" Kemmerer, Vern Paxson, Kristjan Vassil, Walter Willinger, Ben Zevenbergen. 70 PhD students, 14 mentors participating.
Overall, the Cyber Security Summer School and ICR form an integral part of this research excellence course, but attendance is not limited to students participating in this intensive research training. In fact, ICR has typically over 100 attendees, and the C3S is limited to not more than 50 participants.
Further courses to discuss include:
Network Protocol Design (ITC8061) at Tallinn University of Technology:
This module focuses on fundamental problems of network protocols and various design decisions and their implications. It also includes security related protocols and gives a better understanding why it's sometimes so hard to secure the Internet. The course includes "traditional" lectures, but the main focus is on a practical lab in blend-learning-style. The students are tasked to develop and implement their own chat-protocol.
Objective of this module is to design and implement a "distributed chat-system protocol over UDP". Every Internet user understands what a chat-system is. The additional requirement in the assignment is to develop a distributed protocol and use UDP. This brings the class across many issues that exists in real distributed networks (e.g., layers, routing, reliability, flooding/multicast, authentication, etc.). One important aspect is to achieve interoperability, this means the whole class needs to reach agreement on one protocol, but still every group has to have their own implementation.
Besides technical learning outcomes, this course aims at levels 5 to 6 in Blooms Taxonomy—trying to foster creative thinking. Besides this the module teaches about the IETF standardization processes, remote collaboration challenges, and has a large software development component in its design (students have to write programs in excess of 2,000 lines of code to pass this module).
Online discussion forums and chat rooms easily integrate in this module. It is interesting to observe the group dynamics and the way students approach this problem. Those communication patterns typically reassemble those dynamics that can be observed in the IETF (besides the nasty politics that sometimes co-exists in the real IETF). Such a module teaches much more skills than just basic facts about protocols. This type of blend learning also lets students answers their peers question, this starts an unbounded educational discourse. In the past I never needed to intervene on peer-discussions that students had. It is actually very interesting to see how students slowly truly understand the problems behind Internet protocols, and it becomes noticeable what they could not learn from books or traditional lectures.
In a fast changing field, such as Cyber Security, it is important for the students to realize how the field is changing and where/how to keep up-to-date as the technology will continue to change over time.
Networks Lab (COP502) former course at Loughborough University:
The objective of this course is to "build the Internet". The students form groups, each group gets three Cisco 2801 routers, three Laptops (which will serve as their "data-centers"), and cables. The role-play scenario is to build and operate an ISP. The course is typically sized around 30-40 students (limited by the equipment). The course includes traditional lectures, in which the students are guided through essential material and ensures compliance with the curriculum. Lab sessions allow "hands-on" interactions with the technology. An open-ended task-format in the assignment forces students to think on a broader level. Students are encouraged to find solutions online and come-up with ideas that go beyond the material. This would be very similar to an upper-management real-life job in an ISP, just with a strong technological component as well. The most important feedback that I received from students was that they feel they are learning something real and relevant and use the equipment to experiment with different ideas. Every year I typically had a few students, who ask me if they could continue to work on the equipment (in their spare time after the module has finished).
The strength of this course was really in the lab-sessions, which again allows respecting Bloom's two-sigma problem: Good students or students with prior background knowledge could progress faster through the material, and will not get bored. The module can easily be organized in a way to always remain stimulating for all students. For example, advanced groups will one day start getting "attacked" and have to face cyber security challenges (in a similar way as ISPs need to consider security related issues); while weaker groups can learn at their own optimal pace. It is important not overwhelm students, but also provide sufficient challenge for intellectual growth. The fact that the students can touch the equipment is actually an essential component. Learning all this in a physical lab adds to the credibility of the course.
The field of education itself is changing fast. It can be expected that the commercialization of higher education (incl. raising cost of education, raising numbers of students) will soon lose students to online versions of MOOCs. Those courses scale better and can offer the same level of knowledge at a cheaper price. However, institutions that stick to strong academic values, will find themselves equipped with a rich learning environment for graduates of the information-age. Those institutions can discover the transformative potential of modern technology, but the high quality of the institution will always have to come from inspired teachers.