How Do You Get Cybersecurity Students to Think Like Criminals?

nytimes.com

11 points by susanrigetti 7 years ago · 3 comments

rdtsc 7 years ago

> Almost by definition, college classroom settings and the students who thrive in them are not a natural fit for the kinds of disruptive, rebellious and troublemaking instincts that lend themselves to finding new ways to compromise computers.

An effective way is to channel that and make them compete like they'd do in the real world. Set up a bunch of VMs on an isolated network with a game server of some sort running, so they'd have to do a trade or do an auction. But at the same time the packages are slightly outdated on the machine, a few too many ports are open, etc., and the protocol has a few weaknesses. And see what they'd do. Of course that takes a lot more resources and dedication from the instructor.

exabrial 7 years ago

> The students were expected (and encouraged) to cheat on the test but told that if they were caught, they would fail the exam. Of the 20 students in the class where this exercise was tested, all succeeded in cheating without being caught, much to their professors’ delight.

Absolutely fascinating.

This reminds me of the MythBusters lie detector episode (for the moment, let's disregard the efficacy of the polygraph). One of the things they said was there has to be a physical, actual, realistic consequence for the test subject in order for the polygraph "to work."

Similarly, if all the exams were set up so that the only possible way was to cheat or face failure, I think you would force them into the mindset.

Maven911 7 years ago

I'm taking cybersecurity classes in NYC recently and granted we touch upon the topic of how to think like a bad actor but most of the curriculum is just trying to keep up with the myriad of topics we need to go over to cover our bases. Thinking like a bad actor is indeed one of those topics that is very hard to explicitly teach, besides already well-known techniques and angles of attack.

A few things I've noted of the more successful students:

- Students who do well already tend to have a huge passion for the topic before they ever showed up for day 1. I know it sounds obvious but those folks do not need the class, however on the flip side they are the ones who enjoy it the most too. Even when it's not employer-reimbursed tuition, they are getting the most satisfaction out of the class, despite knowing this stuff already.

- Participating in CTFs and online "Hack this site" and paid labs is a thing they do. No one does bug bounty programs but that's the next level up or dream.

- They pick up small nuances the teachers mention and start researching them right away, nuances that do not get registered by those first learning the topic, or are ignored by those who think they know it all already.

- Keeping up with daily news is a breeze since it's not a chore for them.

- Anyone who mentions the reason they are taking the class is to gain a broad picture understanding, e.g. to understand what the tech sec ops are doing, or for better decision making, or even to give better "orders" to their info sec teams (risk mgmt., audit, investigation, standards builder), tends not to know the material that well. Their reasons are fine, and ultimately they will get what they aim to achieve, but not only does it feel diametrically opposed with those who want to learn even more from the class and get their hands dirty, it slows down the class to their level, when they become the majority (not all classes have the same makeup of student profiles).

- Ultimately, it's what you put into the class. Your project can be anything from a bobo "I've researched 5 articles before presenting" to "I want to challenge myself like no tomorrow."
