Can Games Fix What’s Wrong with Computer Security Education?

We had the pleasure of Zachary Peterson visiting UCL on a Cyber Security Fulbright Scholarship. The title is from his presentation given at our annual ACE-CSR event in November 2016.

Zachary Peterson is an associate professor of computer science at Cal Poly, San Luis Obispo. The key problem he is trying to solve is that the educational system is producing many fewer computer security professionals than are needed; an article he’d seen just two days before the ACE meeting noted a 73% rise in job vacancies in the last year despite a salary premium of 9% over other IT jobs. This information is backed up by the 2014 Taulbee survey, which found that the number of computer security PhDs has declined to 4% of the US total. Lack of diversity, which sees security dominated by white and Asian males, is a key contributing factor. Peterson believes that diversity is not only important as a matter of fairness, but essential because white males are increasingly a demographic minority in the US and because monocultures create perceptual blindness. New perspectives are especially needed in computer security as present approaches are not solving the problem on their own.

Peterson believes that the numbers are so bad because security is under-represented in both the computer science curriculum and in curriculum standards. The ACM 2013 curriculum guidelines recommend only three contact hours (also known as credit hours) in computer security in an entire undergraduate computer science degree. These are typically relegated to an upper-level elective class, and subject to a long chain of prerequisites, so they are only ever seen by a self-selected group who have survived years of attrition – which disproportionately affects women. The result is to create a limited number of specialists, unnecessarily constrain the student body, and limit the time students have to practice before joining the workforce. In addition, the self-selected group who do study security late in their academic careers have developed both set habits and their mind set before encountering an engineering task. Changing security into a core competency and teaching it as early as secondary school is essential but has challenges: security can be hard, and pushing it to the forefront may worsen existing problems seen in computer science more broadly, such as the solitary, anti-social, creativity-deficient image perception of the discipline.

Peterson believes games can help improve this situation. CTFTime, which tracks games events, reports a recent explosion in cyber security games to over 56 games events per year since 2013. These games, if done correctly, can teach core security skills in an entertaining – and social – way, with an element of competition. Strategic thinking, understanding an adversary’s motivation, rule interpretation, and rule-breaking are essential for both game-playing and security engineering.

Peterson has helped develop a new course at Cal Poly, CPE 123, which is intended to teach both computer science and computer security to a broader audience with no prior experience, using game-like coursework and authentic, meaningful problems to demonstrate the social relevance of computer security to their lives. Games and puzzles, he argues, are ideal for teaching people to think adversarially and counterfactually.

The course accordingly includes material that until now has typically been reserved for those upper-division computer science students. The first program many of Peterson’s CPE 123 students will ever write is a password cracker, working through increasingly difficult levels of an online password manager. Through this relevant exercise, students learn security concepts such as the limits of computing and authentication, alongside fundamental programming concepts such as loops, conditionals, types, objects, and methods. Peterson incorporates pedagogical methods such as reflective journalling, meta-cognitive exercises, near-peer instruction, and process-oriented guided inquiry learning. All have been shown to increase retention and understanding, especially in the STEM disciplines. Analysing surveys and the students’ journals has showed that students found the course fun, that it helped them make connections to real-world security issues, and gave them greater self-efficacy – which has been shown to be the number one predictor of a security career choice among cybersecurity gamers. In addition, the students’ own behaviour had changed. While not all had added lock codes and become more cautious with unfamiliar websites, those who hadn’t were more thoughtful and analytical about the reasons.

Peterson believes, however, that it’s essential to reach students even earlier, and is working on social board and table games that are more accessible for younger kids with low literacy and confidence. Such games are unobtrusive, require no equipment to maintain, are easy to deploy in a classroom, and although they don’t pretend to depict reality they do provide a context for discussing real ideas in network security.

The first of these games, [d0x3d!], developed with help from the National Science Foundation, is a collaborative, open source, network security board game for one to four players. Assuming the roles of white-hat hackers, players work together to infiltrate the network of an enemy who has stolen their secrets, reclaim the stolen material, and exit the network leaving no traces behind. The game is designed to allow creative adaptations and remixes. The point, Peterson said, is to enable students to learn to think adversarially, more than to write and correct insecure code, and also to begin to think about the value of different types of digital assets and the ways the game deviates from the real world. Independent studies have found that [dD0x3d!] is suitable for classroom use, and the website provides curriculum modules.

Challenges remain. The terminology used to introduce the idea to educators and new players is confusing; for example, there is little language available to describe a game’s difficulty or pedagogical goals. Peterson is trying to overcome these challenges and introduce more science to “what is now an art” via the workshop Advances in Security Education workshop, co-located with the USENIX Security Symposium. Peterson encourages everyone to download the game and use it in their own communities.

Leave a Reply

Your e-mail address will not be published. Required fields are marked *