Skip to main content

About this book

This book constitutes the refereed proceedings of the 13th IFIP WG 11.8 World Conference on Information Security Education, WISE 13, held in Maribor, Slovenia, in September 2020. The conference was held virtually due to the COVID-19 pandemic.

The 13 full papers presented were carefully reviewed and selected from 28 submissions. The papers are organized in the following topical sections: teaching methods and tools; cybersecurity knowledge within the organization; and teaching of detection and forensics.

Table of Contents


Teaching Methods and Tools


Learning and Grading Cryptology via Automated Test Driven Software Development

Understanding common cryptological concepts like encryption, hashing, signatures, and certificates is a prerequisite when working as an IT security professional but it is also a major challenge in security education. Often students struggle with cryptology as sound previous mathematical knowledge is required and study time is limited. Teachers face the problem to fairly assess the students’ knowledge and understanding of cryptology. The paper presents an approach to face these challenges by utilizing test driven software development techniques for students who have taken courses in programming and theoretical cryptology. The paper describes the practical experience gained in courses with ~30 students utilizing a specialized client-server system to automate the tests. We propose that this setup is beneficial for learning as it gives immediate feedback and allows students to focus on the erroneous parts of their software. The test cases can also be used to grade students’ code by weighting the test cases e.g. in an exam setting.
Konstantin Knorr

An Institutional Risk Reduction Model for Teaching Cybersecurity

This work presents a model for reviewing the risks of institutions teaching cybersecurity. The work is based on efforts in this direction at Regis University and Adams 12 Five Star Schools in Colorado. These two institutions are described in a comparative case study reviewing the following four aspects of addressing risk: policy, adjudication, infrastructure protection, and curricular boundaries. The model is presented in a generalizable framework to facilitate risk analysis across the education of children in public schools, university level education, and professional development programs. This framework is not intended to supplement a traditional threat analysis program and not replace it. In addition to the specialized risks addressed here, institutions teaching cybersecurity are often perceived as potential targets for adversaries because of the schools as a pipeline to cyber defense activities, and because institutions teaching cybersecurity are part of societal long-term cyber defense strategies that confront criminal, nation state, and activist threats.
Erik Moore, Daniel Likarish, Bobbie Bastian, Michael Brooks

Education for the Multifaith Community of Cybersecurity

The demand for cybersecurity professionals is growing. Many cybersecurity academic and training programmes exist to prepare students and professionals for these jobs. The programmes cover many areas of cybersecurity with considerable overlap, but with different emphases. Some are highly technical and cover little non-technical; others do the opposite. Cybersecurity jobs typically require some technical knowledge, an ability to place security problems in a larger context, and an ability to communicate this information effectively and convincingly. The problem with treating technical and non-technical subjects as silos rather than recognizing the two are tightly related and need to be taught together. This paper shows how seven common cybersecurity frameworks and ten masters’ courses from the UK and US cover both technical and non-technical content. It examines the balance of technical courses, non-technical courses, and courses that mix both technical and non-technical material. It argues that these topics cannot be siloed, and their balance is critical to meeting the goals of the frameworks and programmes.
Steven Furnell, Matt Bishop

Quality Criteria for Cyber Security MOOCs

Cyber security MOOCs (Massive Open Online Courses) can enable lifelong learning and increase the cyber security competence of experts and citizens. This paper contributes with a review of existing cyber security MOOCs and MOOC quality assurance frameworks. It then presents quality criteria, which we elicited for evaluating whether cyber security MOOCs are worthy to be awarded with a quality seal. Finally, an exemplary evaluation of six selected European MOOCs is presented to exercise the quality seal awarding process. Additionally, the evaluation revealed that criteria for assuring privacy, ethics, meeting professional expectations and openness were on average not clearly met.
Simone Fischer-Hübner, Matthias Beckerle, Alberto Lluch Lafuente, Antonio Ruiz Martínez, Karo Saharinen, Antonio Skarmeta, Pierantonia Sterlini

An Analysis and Evaluation of Open Source Capture the Flag Platforms as Cybersecurity e-Learning Tools

Capture the Flag (CTF) challenges are typically used for hosting competitions related to cybersecurity. Like any other event, CTF competitions vary in terms of context, topics and purpose and integrate various features and characteristics. This article presents the results of a comparative evaluation between 4 popular open source CTF platforms, regarding their use for learning purposes. We conducted this evaluation as part of the user-centered design process by demonstrating the platforms to the potential participants, in order to collect descriptive insights regarding the features of each platform. The results of this evaluation demonstrated that participants approved the high importance of the selected features and their significance for enhancing the learning process. This study may be useful for organizers of learning events to select the right platform, as well as for future researchers to upgrade and to extend any particular platform according to their needs.
Stylianos Karagiannis, Elpidoforos Maragkos-Belmpas, Emmanouil Magkos

Cybersecurity Knowledge Within the Organisation


Designing Competency Models for Cybersecurity Professionals for the Banking Sector

The research results for the main stages of designing competency models (CMs) for cybersecurity (CS) professionals are presented. A strategy for designing such models was formulated. The CS-related terminology and conceptual framework were clarified. Areas, objects, and types of professional activity (PA) as a whole for CS professionals and the banking sector, in particular, were determined. It is proposed to use the role and process models to determine the tasks that employees of banking organizations should solve. The practical issues of developing CMs, which allowed to determine the order of their development and the typical structure, as well as to formulate recommendations on the content of a specific CM, are considered.
Andrey Vybornov, Natalia Miloslavskaya, Alexander Tolstoy

Exploring the Value of a Cyber Threat Intelligence Function in an Organization

Organizations can struggle to cope with the rapidly advancing threat landscape. A cyber threat intelligence (CTI) function broadly aims to understand how threats operate to better protect the organization from future attacks. This seems like a natural step to take in hardening security. However, CTI is understood and experienced differently across organizations. To explore the value of this function this study used a qualitative method, guided by the Socio-Technical Framework, to understand how the CTI function is interpreted by organizations in South Africa. Thematic analysis was used to provide an in-depth view of how each organization implemented its CTI function and what benefits and challenges they’ve experienced. Findings show that CTI tasks tend to be more manual and resource-intensive, but these challenges can be resolved through automation. It was noted that only larger organizations seem to have the budget and resources available to implement the CTI function, whereas smaller organizations put more reliance on tools. It was observed that skills for the CTI function can be learned on the job, but that formal education provides a good foundation. The findings illustrate the value the CTI function can provide an organization but also the challenges, thereby enabling other organizations to improve preparation before such a function is adopted.
Anzel Berndt, Jacques Ophoff

Automating the Communication of Cybersecurity Knowledge: Multi-case Study

Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company’s capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB’s hands-on skills, tools adaptedness, and the users’ willingness to documenting confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB’s motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB’s business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption.
Alireza Shojaifar, Samuel A. Fricker, Martin Gwerder

Gaming for Cybersecurity Training


A Serious Game-Based Peer-Instruction Digital Forensics Workshop

Increasing threats in the area of information security raise the necessity for companies to be prepared for a digital forensic investigation. However, even the best investments in technology and infrastructure will fail if employees are not adequately trained. In this paper we propose a workshop concept combining the peer instruction method and elements from the field of serious games. The goal of the combined methods is to enable the participants to investigate a use case in an interactive and playful way. Our concept guides the participants step by step into an increasingly independent way of performing a digital forensic investigation.
Ludwig Englbrecht, Günther Pernul

Threat Poker: Gamification of Secure Agile

Agile software development is practiced in most software development projects around the world. To explicitly consider and include security requirements as part of agile software development is referred to as ‘secure agile’. To include security will naturally require additional time and effort, with potentially reduced agility as a consequence. To maintain agility, it is important to have efficient methods to include security in the development process. In this study, we describe enhancements to Threat Poker, which is a game designed for the software development team to deal with security threats identified during the agile development project. Games can be valuable educational tools for actively engaging students and practitioners alike. An experiment with students indicates that playing Threat Poker increases security awareness and that it is a fun and simple way to discuss identified security threats and how to remove security vulnerabilities during the software development process.
Audun Jøsang, Viktoria Stray, Hanne Rygge

Teaching of Detection and Forensics


How to Teach the Undecidability of Malware Detection Problem and Halting Problem

Malware detection is a term that is often associated to Computer Science Security. The underlying main problem is called Virus detection and consists in answering the following question: Is there a program that can always decide if a program is a virus or not? On the other hand, the undecidability of some problems is an important notion in Computer Science: an undecidable problem is a problem for which no algorithm exists to solve it. We propose an activity that demonstrates that virus detection is an undecidable problem. Hence we prove that the answer to the above question is no. We follow the proof given by Cohen in his PhD in 1983. The proof is close to the proof given by Turing in 1936 of the undecidability of the Halting problem. We also give an activity to prove the undecidability of the Halting problem. These proofs allow us to introduce two important ways of proving theorems in Computer Science: proof by contradiction and proof by case disjunction. We propose a simple way to present these notions to students using a maze. Our activity is unplugged, i.e. we use only a paper based model of computer, and is designed for high-school students. This is the reason why we use Scratch to write our “programs”.
Matthieu Journault, Pascal Lafourcade, Malika More, Rémy Poulain, Léo Robert

Enlivening Port Scanning Exercises with Capture the Flag and Deduction

Designing engaging exercises when students do not yet possess a lot of knowledge can be difficult. We show how we draw on students’ prior knowledge, along with basic introductory concepts, to design an elemental (but fun) port scan exercise in an introductory security testing module. While “capture the flag” is a security industry standard for exercises, it can require a lot of in-depth knowledge to properly implement and complete. Using basic computer science concepts such as ports and ASCII values, we design a simplified capture the flag exercise where students can make use of deductive reasoning to complete the game. Overall, the exercise was received favourably by the students who found it challenging but enriching.
Frans F. Blauw

Encouraging Equivocal Forensic Analysis Through the Use of Red Herrings

A core concept taught to forensic investigators is the practice of equivocal forensic analysis which is strongly advocated by researchers and practitioners to limit investigators from reaching incorrect conclusions, either due to their own bias, or as a result of subjectivity from others. The process is however a time-consuming one and students may not see the value in doing so amidst a busy academic schedule. This paper examines how the use of the red herring plot mechanism in a game-based storytelling environment can be used in a computer forensics semester module to effectively highlight the importance of evaluating the available evidence objectively and thus encourage students to avoid falling into the trap of developing and following preconceived theories.
Wai Sze Leung


Additional information

Premium Partner

    Image Credits