Huiming Yu

Teaching a web security course to practice information assurance

This paper presents a hybrid teaching approach, a new Web Security course as well as how to use the hybrid approach to teach the Web Security course to practice information assurance. The hybrid teaching approach contains three key issues that are keeping the lecture materials up-to-date, assigning former research projects as comprehensive team projects, and connecting classroom knowledge with real world web applications. We have applied this approach to the teaching a Web Security course and achieved excellent results. Our experience exhibits that integrating education, research and web applications into the Web Security course to practice information assurance are essential for a sound security education. Using this approach instructors connect knowledge in the classroom to real world applications, attract students to the security area, and train students to become information assurance professionals.

Retrieving relevant CAPEC attack patterns for secure software development

To improve the security of computer systems, information, and the cyber space, it is critical to engineer more secure software. To develop secure and reliable software, software developers need to have the mindset of an attacker. Attack patterns such as CAPEC are valuable resources to help software developers to think like an attacker and have the potential to be used in each phase of the secure software development life cycle. However, systematic processes or methods for utilizing existing attack pattern resources are needed. As a first step, this paper describes our ongoing effort of developing a tool to retrieve relevant CAPEC attack patterns for software development. This tool can retrieve attack patterns most relevant to a particular STRIDE type, as well as most useful to the software being developed. It can be used in conjunction with the Microsoft SDL threat modeling tool. It also allows developers to search for CAPEC attack patterns using keywords.

Assessing the Effectiveness of Experiential-Learning-Based Teaching Tools in Cybersecurity Courses (Abstract Only)

The poster describes our project of Assessing the Effectiveness of Experiential-Learning-Based Teaching Tools in Cybersecurity Courses. We are assessing the effectiveness of experiential-learning-based teaching tools for 10 cybersecurity topics in five cybersecurity courses. For each topic, two teaching methods are selected: the control group teaching method, and the experimental group teaching method. The two teaching methods are compared to answer one of the two research questions: (1) Is using an experiential-learning-based teaching tool more effective in improving student learning than the traditional teaching method without using the teaching tool? (2) Is one experiential-learning-based teaching tool more effective than another experiential-learning-based teaching tool? We will assess the effectiveness of the teaching methods via three measures: (1) improvement in student learning outcomes, (2) improvement in student motivation in learning the topic, and (3) improvement in the student experience such as student enjoyment, satisfaction, and perceived difficulty in learning the topic. The knowledge gained from this research can be used by cybersecurity educators at other institutions to use effective teaching tools to improve cybersecurity education practices, which has the potential to increase the number of students well-prepared for entering cybersecurity careers.