Academic Papers - Pedagogy

This paper uses the Extended Risk Analysis Model to introduce risk analysis in a classroom setting. The four responses to an attack, avoidance, transference, mitigation, and acceptance are overlaid on the Extended Risk Analysis Model to aid in the visualization of their relationship. It then expands and updates the cyber insurance portion of the Extended Risk Analysis Model.

To help people improve their knowledge and security self-efficacy in dealing with malware attacks that are relevant and meaningful to their organizations, we recently developed over 30 e-learning videos based on the major types of malware attacks we captured using the state-of-the-art anti-malware solution. The preliminary evaluation results of the videos are quite positive and indicate that these evidence-based e-learning videos have great potential to increase users’ security self-efficacy.

This work describes an undergraduate honors research project into some of the challenges modern healthcare providers face in maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH (Health Information Technology for Economic and Clinical Health) Act. An overview of the pertinent sections of both the HIPAA and HITECH Acts regarding health information security is provided, along with a discussion of traditionally weak points in information security, including: people susceptible to social engineering, software that is not or cannot be regularly updated, and targeted attacks (including advanced persistent threats, or APTs). Further, the paper examines potential violations of HIPAA involving vulnerabilities in commonly-used enterprise health records systems. Finally, we compare these challenges to the challenges of the United States healthcare system prior to 1995, specifically looking at information handling procedures, how procedures have changed, and how effective those changes have been.

Insider threats has become a significant challenge to organization, due to the employees varying levels of access to the internal network. This will intern bypass the external security measures that have been put in place to protect the organization’s resources. Computer-mediated communication (CMC) is a form of communication over virtual spaces where users cannot see each other. CMC includes email and communication over social networks, amongst others. This paper focuses on the design and implementation of exercise modules, which can be integrated into cybersecurity courses. The main objectives of the paper include how to teach and integrate the CMC learning modules into cyber security courses. Further, experimental case studies and hands-on labs will be discussed to facilitate effective teaching practices pertaining to cybersecurity education.

Industrial Control Systems (ICS), which are pervasive in our nation’s critical infrastructures, are becoming increasingly at risk and vulnerable to internal and external threats. It is imperative that the future workforce be educated and trained on the security of such systems. However, it is equally important that careful and deliberate considerations must be exercised in designing and implementing the educational and training activities that pertain to ICS. To that end, we designed and implemented pedagogical materials and tools to facilitate the teaching and learning processes in the area of ICS security. In this paper, we describe those resources, the professional development workshop to disseminate the curriculum materials, and the evaluation results pertaining to those artifacts and activities.

The GenCyber program is jointly sponsored by the National Security Agency (NSA) and the National Science Foundation (NSF) to help faculty and cybersecurity experts provide summer cybersecurity camp experiences for K-12 students and teachers. The main objective of the program is to attract, educate, and motivate a new generation of young men and women to help address the nationwide shortage of trained cybersecurity professionals. The curriculum is flexible and centers on ten cybersecurity first principles. Currently, GenCyber provides cyber camp options for three types of audiences: students, teachers, and a combination of both teachers and students. In 2016, over 120 GenCyber camps were funded, serving 5,000+ students and teachers, and the NSA hopes to double the program in 2017. GenCyber camps can be offered at colleges, universities, public or private school systems, or non-profit institutions. The purpose of this paper is to describe the GenCyber program, provide lessons learned from a successful program implementation, and encourage PI’s to plan and implement a GenCyber summer cyber academy.

With rapid growth of technology involved and the implementation of the smart city concept, it is becoming vital to identify and implement security controls for their secure operation. Smart city security is essential for a city to incorporate the technologies into smart city cyber infrastructure and to improve the conditions of life for its citizens. In this paper, we have discussed the growth of smart city concept, their security issues. We also discuss the security solutions that needs to be implemented to keep the smart city cyber infrastructure secure. We have also pointed out the recommendations on the open issues that the researchers and practitioners need to concentrate on.

The Internet of Things (IoTs) is becoming a reality in today’s society. The IoTs can find its application in multiple domains including healthcare, critical infrastructure, transportation, and home and personal use. It is important to teach students importance and techniques that are essential in protecting IoTs. We design a series of hands-on labs in a smart home setting, which can exercise attack and protection of IoTs. Our hands-on labs use a Raspberry Pi and several diverse smart things that communicate through Z-Wave technology. Using this environment, students can operate a home automation system and learn security concepts by performing these labs. These labs demonstrate several fundamental security concepts and techniques that can be adopted in security curricula. Students are expected to understand and master how to implement various attacks, design and implement defenses to these attacks, and explore security solutions of Internet of Things in a Smart Home application.

Malicious code detection is a critical part of any cyber security operation. Typically, the behavior of normal applications is modeled so that deviations from normal behavior can be identified. There are multiple approach to modeling good behavior but the most common approach is to observe applications’ system call activity. System calls are messages passed between user space applications and their underlying operating systems. The detection of irregular system call activity signals the presence of malicious software behavior. This method of malware-detection has been used successfully for almost two decades. Unfortunately, it can be difficult to cover this concept at the right level of detail for undergraduate information systems students. Some instructors provide only superfluous descriptions of malware, others delve into in-depth reviews of application code. This paper advocates an approach which teaches the fundamentals of code analysis to non-programmers. The approaches integrates visualization tools such as flame graphs to help students interpret software behavior. It has been found to be especially valuable for upper division information systems courses on cyber security.

Threats to information assets have always been a concern to those responsible for making information useful and defending its value. The concepts of threat, threat agent, threat events and threat sources have evolved in recent years have very precise definitions. The article includes a summary of threat classification models used in academic research is provided along with a summary of recent industry threat assessment reports. Finally, the article shares results from a recent study, 2015 SEC/CISE Threats to Information Protection Report Including a Current Snapshot of the State of the Industry, are given.

Despite massive investments in cyber security education, training, and awareness programs, most people retain unsafe mobile computing habits. They not only jeopardize their own data, but also risk the security of their associated organizations. It appears that conventional training programs are not ingraining sound security practices on trainees. This research questions the efficacy of legacy SETA frameworks and proposes a new cyber training tool for mobile devices. The tool is called Training Wheels. Training Wheels stands a number of cyber security training practices on their heads: instead of using punitive methods of reinforcement it provides rewards to encourage good behavior, instead of summary measures of security compliance it gives real-time feedback, and instead of isolating participants it displays participants’ performance relative to their peers. These changes are grounded in established psychological theory. They are incorporated as key features of Training Wheels. Besides introducing the new training tool, this study also provides recommendations for its usage and implications for research.