Blair Taylor

Moving beyond security tracks: integrating security in cs0 and cs1

In response to the national computer security crisis, colleges and universities have developed security tracks and specialized security courses. While security tracks are effective at producing security experts, they only reach a small subset of students and occur after students have established a foundation of coding techniques. Most undergraduate computing students learn programming and design with little regard to security issues. To complement our security track and reach all computing students at the beginning of their studies, we piloted security integration across sections of CS0 and CS1, using a series of security laboratory modules. Preliminary results show increased security knowledge in the security-targeted sections. This paper describes the details and results of this pilot, which serves as a model for further integration throughout the CS curriculum.

Security injections: modules to help students remember, understand, and apply secure coding techniques

With our global reliance on software, secure and robust programming has never been more important. Yet academic institutions have been slow to add secure coding to the curriculum. We present a model using checklist-based security injection modules to increase student awareness and ability to apply secure coding principles, specifically - identify, understand, and correct key security issues in code. The model is evaluated by mapping assessment questions to the cognitive dimension of the revised Blooms taxonomy. Experiments with students in four sections of CS0 and CS1 show that students using our modules perform significantly better at remembering, understanding and applying secure coding concepts. Students exposed to the modules also show increased ability to write code to address specific security issues.

Security in computer literacy: a model for design, dissemination, and assessment

While many colleges offer specialized security courses and tracks for students in computing majors, there are few offerings in information security for the non-computing majors. Information security is becoming increasingly critical in many fields, yet most computer literacy courses insufficiently address the security challenges faced by our graduates. This paper discusses the development and impact of a set of modules designed to integrate security into computer literacy across two universities and several community colleges in the state of Maryland. Results from our comparative analyses based on pre- and post- test analysis show significant improvements in post-test results.

Information assurance education in two- and four-year institutions

The 2011 ITiCSE working group on information assurance (IA) education examined undergraduate curricula at the two- and four-year levels, both within and outside the United States (US). A broad set of two-year IA degree programs were examined in order to get a sense of similarities and differences between them. A broad set of four-year IA degree programs were also examined to explore their similarities and differences. A comparison between the two-year and fourfour-year degree programs revealed that the common challenge of articulation between two- and four-year programs exists in IA as well. The challenge of articulation was explored in some depth in order to understand what remedies might be available. Finally, a number of IA programs at international institutions were examined in order to gain insight into differences between US and non-US IA programs.

Integrating security in the computer science curriculum

With increased focus on the global computing infrastructures vulnerability to cyber-attacks - the time is right for security integration across the computer science curriculum to contribute to a cyber-ready workforce. The challenges to integrating security into computer science (CS) curriculum are significant---lack of faculty to teach security, a dearth of effective teaching resources, and little room to spare in CS curriculum. This article describes an initiative that aims to develop faculty expertise in cybersecurity, provide a library of resources for security education, and build a community of CS educators to prepare computing graduates to meet current and future cybersecurity challenges.

Teaching secure coding: the myths and the realities

Teaching secure coding has never been more important. The CS2013 Ironman draft includes Information Assurance and Security as a new Knowledge Area and recommends that security be cross-cutting across all undergraduate computer science curricula. The Summit on Education in Secure Software recommended: 1) increasing the number of faculty who understand the importance of secure programming principles, and will require students to practice them; 2) integrating computer security content into existing technical and non-technical courses; and 3) using innovative teaching methods to strengthen the foundation of computer security knowledge. In this panel, we will speak to these recommendations and the new curricular guidelines and discuss the importance and challenges of teaching secure coding.

Security Injections 2.0: Increasing Engagement and Faculty Adoption Using Enhanced Secure Coding Modules for Lower-Level Programming Courses

Learning interventions based on modules are common in computer science education. Traditional learning modules that present a large amount of content in a linear format can lead to students skimming and skipping content resulting in lower student engagement and effectiveness. In this paper, we present theoretical support for increasing engagement and effectiveness of learning modules, describe a system that implements these principles, and discuss the results of a study across four sections of CS0. Using the Security Injections @Towson cybersecurity modules, we enhanced select modules by incorporating the e-learning design principles of segmentation and interactivity. The study compares student engagement between the current (1.0) modules and the enhanced (2.0) modules. The use of the enhanced (2.0) modules significantly increased student engagement and these results persisted across gender and race. Feedback from instructors indicates higher student and instructor interest in the enhanced modules; in spring 2015, more than 20 instructors are using the enhanced (2.0) modules.

Teaching secure coding: report from summit on education in secure software

Software is critical to life in the 21st century. It drives financial, medical, and government computer systems as well as systems that provide critical infrastructures in areas such as transportation, energy, networking, and telecommunications. As the number and severity of attacks that exploit software vulnerabilities increase, writing reliable, robust, and secure programs will substantially improve the ability of systems and infrastructure to resist such attacks. Education plays a critical role in addressing cybersecurity challenges of the future, such as designing curricula that integrate principles and practices of secure programming into educational programs. To help guide this process, the National Science Foundation Directorates of Computer and Information Science and Engineering (CISE) and Education and Human Resources (EHR) jointly sponsored the Summit on Education in Secure Software (SESS), held in Washington, DC in October, 2010. The goal of this session is to share some of the key findings and challenges identified by the summit and to actively engage the community in the discussions. Each of the speakers participated in the summit and brings a unique viewpoint to the session.

Creating Shareable Security Modules

While there is increased appreciation of the need to provide students with education in computer security, there are significant challenges associated with the creation of shareable computer security modules that can be used by a wide-range of educators. This paper discusses some of the challenges that educators currently face in this area, and presents a means to couple a successful framework and infrastructure environment to address some of the associated issues. Two examples are provided that link the framework and infrastructure followed by suggestions for future research and development in this area.

Using eye-tracking to investigate content skipping: A study on learning modules in cybersecurity

Students skipping content is common in learning modules that present a large amount of information in a linear format. This may result in lower student engagement and learning. We proposed a theoretical model to reduce content skipping using an e-learning design principle of “segmentation.” In this paper, we describe the segmentation principle, conduct a study to examine its effectiveness using eye-tracking and discuss the results. The study uses two eye-tracking metrics - 1) reading scores (computed using reading detection algorithm) and 2) reading depth (number of words looked at in a given area of text), as a measure to compare content skipping between linear and segmented modules. A total of 19 students participated in a randomized control-group treatment-group experimental study. Nine students completed linear modules and ten completed segmented modules. The results indicate significantly higher reading scores and reading depth (p <; .05) for the students using segmented modules, implying more reading coverage and less content skipping in segmented modules as compared to the linear modules.