Three Strands in Security Education Tadayoshi Kohno
Three Main Strands • Overall security awareness: Control-Alt-Hack (funded by Intel and NSF) • Game development completed • Evaluation: surveys and play sessions • W/ Tamara Denning, Adam Lerner, and Adam Shostack • Overall security awareness, security thinking, and threat modeling: Security and Privacy Threat Discovery Cards (funded by NSF) • Cards largely completed • Preparing for distribution • W/ Tamara Denning, Batya Friedman, Daisy Fry, Nell Grey, and Daisy Yoo • Security throughout the curriculum: Book audit (funded by Intel) • Started • W/ Miles Sackler
Security and Games • [d0x3d!] • Exploit! • Elevation of Privilege • Protection Poker • CyberCIEGE • CyberProtect • Capture the flag competitions
Key Concepts Covered • Computer security is important for all items with computers • Vulnerabilities can come in a variety of shapes and forms • Diversity of attack techniques, creativity of attackers, and attacker motivations
Strategies for Use • Just play (e.g., leave in student lounge, or play with friends) • Play in class (may not work with all classrooms, e.g., graduate students vs high school AP classes) • Non-play classroom activities • Cards + game mechanics used as “starting off points” (e.g., pick two mission cards and discuss risks; create new cards)
Adversary’s Resources Note: Old text and photos
Adversary’s Methods Note: Old text and photos
Adversary’s Motivations Note: Old text and photos
Human Impact Note: Old text and photos
Usage Scenarios • Classroom activity examples • Audit specific technology • Use cards as “starting off” point • In industry • Does not replace threat modeling process • But our belief is that it can help creativity during a threat modeling process
Book Audit • Background: • Many students take lower-level computing courses • Fewer students take security courses, and even when they do they might be senior students (and have developed many habits along the way) • Introductory textbooks don’t necessarily address security • Goal: • Audit lower-level undergraduate textbooks from a security perspective
Status • In progress • Auditing books (two independent auditors per book) • Labeling security concerns with the “CWE/SANS Top 25 Most Dangerous Software Errors” codes: http://cwe.mitre.org/top25/#Listing
Three Main Strands • Overall security awareness: Control-Alt-Hack (funded by Intel and NSF) • Game development completed • Evaluation: surveys and play sessions • W/ Tamara Denning, Adam Lerner, and Adam Shostack • Overall security awareness, security thinking, and threat modeling: Security and Privacy Threat Discovery Cards (funded by NSF) • Cards largely completed • Preparing for distribution • W/ Tamara Denning, Batya Friedman, Daisy Fry, Nell Grey, and Daisy Yoo • Security throughout the curriculum: Book audit (funded by Intel) • Started • W/ Miles Sackler
Social/Engagement Quotes • 56 undergraduates, Cyber-Security and Information Awareness: “It worked as a way to break the ice and get students from diverse majors to get to know each other and get thinking about the topics of the course.” • 27 undergraduates, Computer and Network Security: “I just wanted to reiterate how great my students thought the game was! The students begged me to leave the game in the student lounge so they could continue to play, and from what I hear it’s made a trip or two out to our weekly majors night at the pub.”
Awareness Quotes • 60 high school students, Computers and Information Technology: “The game did not necessarily teach security methods, but it did a great job of teaching vocabulary and literacy.”...“It increased awareness of my program, and it got more students interested in computer science.” • 27 undergraduates, Computer and Network Security: “They really got into it and there was a lot of strategizing”...“They were mainly focused on causing pain to their classmates, but as I wandered around the room I heard some great discussions about the tradeoffs of choosing various hackers’ skill sets, what various missions meant, etc.”
Critiques • Game does take time to play, and time to learn • Expectations not set correctly: Game does not teach technical skills • “The game could use more specificity around computer activity. My students were hoping for a higher level of rigor.” • “Since we approached the game expecting to be tested on our knowledge of vulnerabilities and penetration techniques, we were dissatisfied in that manner, but we enjoyed the overall concept.”
Overall • 13 of 14 educators who used the game in their classrooms reported that they would suggest the game to others • 10 said they would use the game again • 2 more said they would use with different students or as out-of-class activities