
NSF Org: DGE Division Of Graduate Education
Recipient:
Initial Amendment Date: August 17, 2018
Latest Amendment Date: August 17, 2018
Award Number: 1821788
Award Instrument: Standard Grant
Program Manager: Li Yang, liyang@nsf.gov, (703) 292-2677, DGE Division Of Graduate Education, EDU Directorate for STEM Education
Start Date: September 1, 2018
End Date: August 31, 2022 (Estimated)
Total Intended Award Amount: $315,984.00
Total Awarded Amount to Date: $315,984.00
Funds Obligated to Date:
History of Investigator:
Recipient Sponsored Research Office: 1049 UNIVERSITY DRIVE 209 DARLAND DULUTH MN US 55812-3011 (218)726-7582
Sponsor Congressional District:
Primary Place of Performance: 1049 University Drive Duluth MN US 55812-3011
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source:
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.076
ABSTRACT
The stream of high-profile computer security breaches resulting from errors well known to security experts provides an opportunity to improve cybersecurity education so that it effectively prepares the next generation of cybersecurity professionals. Students have deeply ingrained misconceptions about how computer security ought to work, and they rely on this false intuition when reasoning about security. The goal of this project is to develop a series of active learning exercises, using videos and hands-on activities, that address these misconceptions. The learning modules will be validated in the classroom and then published under an open source license.
This research will follow the iterative model created by Hestenes and Halloun, applied here to common misconceptions in the computer security knowledge of computer science majors. Misconceptions will be identified through pre- and post-tests and used to create a reusable security concept inventory (SCI). A large pool of volunteer experts from industry and academia will be surveyed to determine which misconceptions they believe non-experts hold about cybersecurity. This will produce a list of the most significant misconceptions in cybersecurity. Using volunteer instructors at multiple colleges and universities, students will be questioned about these topics, yielding an SCI that can be used to assess understanding of these issues. Data generated from administering the SCI will be used to create a set of open source active learning modules, where each module targets a specific misconception identified in the inventory.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
We surveyed 85 experts in cybersecurity to identify common misconceptions held by novices in cybersecurity (e.g., recent CS graduates). Each expert answered questions about misconceptions in six areas of cybersecurity and a 7th "catch-all" area. Then, with the help of eight security education researchers, the team created a codebook of common themes and identified the most frequent misconceptions in the data.
We identified approximately 100 distinct misconceptions as identified by our experts. Examples of specific frequent misconceptions include that:
- assumptions can be safely made about security
- you do not need to think adversarially about people or systems
- physical security is easy to get right
- encryption hides everything sensitive about a plaintext
- a "least privilege" policy is not required for security
- only the encryption algorithm matters, not details of its use
- writing your own encryption is a good idea
- security is a technical problem requiring only technical solutions
- online tracking is not extensive enough to reduce privacy
- confidentiality and privacy are the same thing
- security has permanent solutions
- security is binary -- you have it or you don't
Seven frequently-appearing groups of misconceptions appeared when the data was analyzed, including the belief that 1) cryptography is more powerful than it is in reality, 2) people and systems can be trusted to operate as expected (failing to think adversarially), 3) security controls are effective and correct, 4) allowing unnecessary privileges is a safe practice, 5) most users and systems are not targets for cyberattacks, 6) data can be perfectly and safely anonymized while remaining useful, and 7) physical security is not critical for cybersecurity.
We then created a multiple-choice test for these misconceptions by asking students open-ended questions probing discrete misconceptions within each category. Next, we took students' most frequent wrong answers and created a multiple-choice "mis-concept inventory" intended to help identify the misconceptions that students hold, so that instructors can identify gaps in knowledge and remediate the specific misconceptions in question. This test will be validated and made freely available to qualified instructors / practitioners. (Validation requires testing with a large number of subjects and statistical analysis and was not part of the original scope of the project.)
To help instructors teach students the correct concepts underlying these ideas, we created hands-on, interactive, active learning exercises that students can access using a web browser from anywhere. Each exercise features reading material discussing the misconception and its correct counterpart followed by a web-based interactive demonstration or exploration of the issue that shows the outcomes of the misconception. Activities also include a comprehension quiz.
These exercises include:
- A game showing how systems with one layer of defense will be compromised when that one defense fails (controls are not perfect)
- A funny demonstration where users can instruct a sci-fi robot to make impossible or dangerous recipes, demonstrating why testing the validity of input is critical for security (adversarial thinking)
- An exercise that demonstrates how cryptography does not hide or protect everything about data (cryptography)
- An exercise where students find weaknesses in access control systems (privileges & access control)
- An interactive demonstration showing how randomized attacks result in virtually all vulnerable machines getting compromised (everyone is a target)
- An exercise where students de-anonymize subjects in a fictional data set by cross-referencing anonymized data with public data (privacy and anonymity)
- An interactive fiction game where students explore how physical security is both essential and difficult to get right (physical security)
For example, in the physical security activity, students first read about classic issues in physical security and why it underpins almost all cybersecurity. Then, they take on the role of a thief in a retro-themed "text adventure" who is in an office after hours with a list of electronic items to steal from a business. The player must explore the small, self-contained office in order to figure out how to break the existing physical security mechanisms. At the same time, players learn first-hand -- through game actions -- how physical access to computers often gives an attacker tremendous privileges that software and hardware defenses cannot mitigate. These exercises and some accompanying videos will be available at https://lars.d.umn.edu/misconceptions/ in early 2023.
Our hope is that this work will enable instructors and practitioners to have robust understanding of some of the critical and pernicious misconceptions surrounding cybersecurity, and that this will result in better education and stronger security for our country and world.
Last Modified: 12/22/2022
Modified by: Peter A Peterson