2021 | Book

Information Security Education for Cyber Resilience

14th IFIP WG 11.8 World Conference, WISE 2021, Virtual Event, June 22–24, 2021, Proceedings

Edited by: Lynette Drevin, Dr. Natalia Miloslavskaya, Prof. Wai Sze Leung, Prof. Suné von Solms

Publisher: Springer International Publishing

Book series: IFIP Advances in Information and Communication Technology

About this book

This book constitutes the refereed proceedings of the 14th IFIP WG 11.8 World Conference on Information Security Education, WISE 14, held virtually in June 2021.

The 8 papers presented together with a special chapter showcasing the history of WISE and two workshop papers were carefully reviewed and selected from 19 submissions. The papers are organized in the following topical sections: a roadmap for building resilience; innovation in curricula; teaching methods and tools; and end-user security.

Table of contents

Frontmatter

A Roadmap for Building Resilience

Frontmatter
A Brief History and Overview of WISE
Matt Bishop, Lynette Drevin, Lynn Futcher, Wai Sze Leung, Natalia Miloslavskaya, Erik L. Moore, Jacques Ophoff, Suné von Solms

Innovation in Curricula

Frontmatter
Formation of General Professional Competencies in Academic Training of Information Security Professionals
Abstract
The research results of competencies and competence models of professionals in the Information Security (IS) field are presented. The group structure of competencies, which form a Competency Model (CM) for IS professional academic training, has been determined. The fundamental difference between the academic community’s and the professional community’s CMs is shown. The urgency of a general professional competencies’ (GPCs) group formation during IS academic training is shown. A group structure model, in which specific subgroups are identified, is proposed. The relevance of the study of the first (so-called basic) level of subgroups of general educational competencies is determined. They are versatile across a variety of academic training programmes. Basic GPCs are formulated, and their characteristics are determined. The training modules, with their annotations and labor inputs, are described as parts of academic disciplines. The validity of the results obtained is confirmed by the positive experience in developing competencies and CM in the framework of training IS professionals on the specific educational programmes at the National Research Nuclear University MEPhI (Moscow Engineering Physics Institute) (Moscow, Russian Federation).
Natalia Miloslavskaya, Alexander Tolstoy
Electronic Voting Technology Inspired Interactive Teaching and Learning Pedagogy and Curriculum Development for Cybersecurity Education
Abstract
Cybersecurity is becoming increasingly important to individuals and society alike. However, due to its theoretical and practical complexity, keeping students interested in the foundations of cybersecurity is a challenge. One way to excite such interest is to tie it to current events, for example elections. Elections are important to both individuals and society, and typically dominate much of the news before and during the election. We are developing a curriculum based on elections and, in particular, an electronic voting protocol. Basing the curriculum on an electronic voting framework allows one to teach critical cybersecurity concepts such as authentication, privacy, secrecy, access control, encryption, and the role of non-technical factors such as policies and laws in cybersecurity, which must include societal and human factors. Student-centered interactions and projects allow them to apply the concepts, thereby reinforcing their learning.
Ryan Hosler, Xukai Zou, Matt Bishop

Teaching Methods and Tools

Frontmatter
Minimizing Cognitive Overload in Cybersecurity Learning Materials: An Experimental Study Using Eye-Tracking
Abstract
Cybersecurity education is critical in addressing the global cyber crisis. However, cybersecurity is inherently complex and teaching cyber can lead to cognitive overload among students. Cognitive load includes: 1) intrinsic load (IL, due to inherent difficulty of the topic), 2) extraneous (EL, due to presentation of material), and 3) germane (GL, due to extra effort put in for learning). The challenge is to minimize IL and EL and maximize GL. We propose a model to develop cybersecurity learning materials that incorporate both the Bloom’s taxonomy cognitive framework and the design principles of content segmentation and interactivity. We conducted a randomized control/treatment group study to test the proposed model by measuring cognitive load using two eye-tracking metrics (fixation duration and pupil size) between two cybersecurity learning modalities – 1) segmented and interactive modules, and 2) traditional, without segmentation and interactivity (control). Nineteen computer science majors in a large comprehensive university participated in the study and completed a learning module focused on integer overflow in a popular programming language. Results indicate that students in the treatment group had significantly less IL (p < 0.05), EL (p < 0.05), and GL (p < 0.05) as compared to the control group. The results are promising, and we plan to further the work by focusing on increasing the GL. This has interesting potential in designing learning materials in cybersecurity and other computing areas.
Leon Bernard, Sagar Raina, Blair Taylor, Siddharth Kaza
A Layered Model for Building Cyber Defense Training Capacity
Abstract
As technology proliferates and becomes indispensable to all functions of society, so does the need to ensure its security and resilience through cyber defense training, education, and professional development. This paper presents a layered model that supports cyber defense training progressively through the development of technology services, digital context, performance assessment, and impact analysis. The methods used were applied to college laboratories associated with cybersecurity classes, defense training exercises, cyber based competitions, and graduate research program designs. The service layer presents methods for developing the technical infrastructure and agile deployment necessary to support cyber defense training. This, then, is layered with conceptual frameworks to guide teams as they immerse into scenarios within cyberspace. To enhance team performance in this space and to enhance the value of the training process itself, psychometric feedback, Agile methods, and quantitative assessments are used to track efficacy and facilitate future development. The final layer represents active incident response and ongoing collaborative efforts between institutions and across disciplines. The work is presented as a progression and illustrates a decade of research from 2010 to 2020. The context has been updated here with the intention that it can be used as a guide for designing a broad range of collaborative cyber defense and cyber range programs. The influence of socio-behavioral factors increasingly illuminates the path forward.
Erik L. Moore, Steven P. Fulton, Roberta A. Mancuso, Tristen K. Amador, Daniel M. Likarish
Measuring Self-efficacy in Secure Programming
Abstract
Computing students are not receiving enough education and practice in secure programming. A key part of being able to successfully implement secure programming practices is the development of secure programming self-efficacy. This paper examines the development of a scale to measure secure programming self-efficacy among students participating in a secure programming clinic (SPC). The results show that the secure programming self-efficacy scale is a reliable and useful measure that correlates satisfactorily with related measures of programming expertise. This measure can be used in secure programming courses and other learning environments to assess students’ secure programming efficacy.
Matt Bishop, Ida Ngambeki, Shiven Mian, Jun Dai, Phillip Nico

End-User Security

Frontmatter
Children’s Awareness of Digital Wellness: A Serious Games Approach
Abstract
Children today are more exposed to cyberspace and cyber threats than any of the previous generations. Due to the ever-evolving nature of digital technologies, devices like cell phones and tablets are more accessible to both young and old. Although technological advancements create many opportunities for their users, they also expose them to many different threats. Young users are especially vulnerable, as they are rarely educated about these threats and how to protect themselves against them. One possible solution to this problem is to employ serious games as an educational tool to introduce concepts relating to cybersecurity and overall digital wellness on a level that is appropriate to a younger audience. This paper, therefore, presents the development of a mobile serious game to promote the digital wellness and foster cybersecurity awareness of pre-school children by incorporating existing literature in a new format. In order to assess its appropriateness as an educational tool, the resulting serious game was subjected to expert review with a focus on its value of conveying security and wellness concepts at the proper level, thereby promoting children’s safety in the digital world.
J. Allers, G. R. Drevin, D. P. Snyman, H. A. Kruger, L. Drevin
Environmental Uncertainty and End-User Security Behaviour: A Study During the COVID-19 Pandemic
Abstract
The COVID-19 pandemic has forced individuals to adopt online applications and technologies, as well as remote working patterns. However, with changes in technology and working patterns, new vulnerabilities are likely to arise. Cybersecurity threats have rapidly evolved to exploit uncertainty during the pandemic, and users need to apply careful judgment and vigilance to avoid becoming the victim of a cyber-attack. This paper explores the factors that motivate security behaviour, considering the current environmental uncertainty. An adapted model, primarily based on the Protection Motivation Theory (PMT), is proposed and evaluated using data collected from an online survey of 222 respondents from a Higher Education institution. Data analysis was performed using Partial Least Squares Structural Equation Modelling (PLS-SEM). The results confirm the applicability of PMT in the security context. Respondents’ behavioural intention, perceived threat vulnerability, response cost, response efficacy, security habits, and subjective norm predicted self-reported security behaviour. In contrast, environmental uncertainty, attitude towards policy compliance, self-efficacy and perceived threat severity did not significantly impact behavioural intention. The results show that respondents were able to cope with environmental uncertainty and maintain security behaviour.
Popyeni Kautondokwa, Zainab Ruhwanya, Jacques Ophoff
What Parts of Usable Security Are Most Important to Users?
Abstract
The importance of the human aspects of cybersecurity cannot be overstated in light of the many cybersecurity incidents stemming from insecure user behavior. Users are supposed to engage in secure behavior by use of security features or procedures but those struggle to get widespread use and one hindering factor is usability. While several previous papers studied various usability factors in the cybersecurity domain, a common understanding of usable security is missing. Further, usability covers a large range of aspects and understanding what aspects users prioritize is integral for development of truly usable security features. This paper builds on previous work and investigates what usability factors users prioritize and what demographic factors affect the perception of usability factors. This is done through a survey answered by 1452 respondents from Sweden, Italy and UK. The results show that users prefer security functions to minimize resource consumption in terms of cost, device performance and time. The study further demonstrates that users want security functions to require as little effort as possible and just work. Further, the study determines that nation of residence and IT-competence greatly impact the perception of usability for security functions while gender and age do so to a much lesser extent.
Joakim Kävrestad, Steven Furnell, Marcus Nohlberg
Backmatter
Metadata
Title: Information Security Education for Cyber Resilience
Edited by: Lynette Drevin, Dr. Natalia Miloslavskaya, Prof. Wai Sze Leung, Prof. Suné von Solms
Copyright year: 2021
Electronic ISBN: 978-3-030-80865-5
Print ISBN: 978-3-030-80864-8
DOI: https://doi.org/10.1007/978-3-030-80865-5