Summit Program

The exponential growth of students participating in cy-bersecurity competition and challenge programs has been used as support for claims that the numbers of students interested in pursuing cybersecurity careers are also increasing. However, one recent study documented a decline in novice participants over the course of three cybersecurity competitions. This paper presents an ar-gument for supporting learner engagement by balancing the difficulty level of the game’s activities with the learner’s abilities.

Capture the Flag (CTF) is well-established as a computer security contest of skill in which teams compete in real time for prizes and bragging rights. At the time of this writing, CTFtime.org—a tracking web site devoted to aggregating team standings across various CTF events—lists 76 such contests, and more spring up each year. But what is the point, exactly? In this paper we detail our experiences in a third year of designing, building and running a CTF for Boston-area undergraduate and graduate students. This will serve two purposes: first, others desiring to stage such an event can benefit from our experience, and second, the details of our CTF will provide a concrete context for a broader discussion and deeper questions on the value and future of this type of activity.

We designed, produced, distributed, and evaluated Control-Alt-Hack™: a recreational tabletop card game intended to promote a casual awareness of high-level computer security concepts. Our experiences throughout this process gave us insights and opinions regarding the creation of games, their role in educational or outreach contexts, and opportunities and challenges for the research community. In particular, we: (1) provide a logistics-oriented reflection on our experiences, including a list of the work roles that were involved in producing the game and a timeline of the creation process; and (2) step back to consider higher-level issues for the community, including the role of games in the classroom and the challenges behind conducting and publishing evaluations of game-based learning.

This paper presents Elevation of Privilege, a game designed to draw people who are not security practitioners into the craft of threat modeling. The game uses a variety of techniques to do so in an enticing, supportive and non-threatening way. The subject of security tools for software engineering has not generally been studied carefully. This paper shares the objectives and design of the game, as well as tradeoffs made and lessons learned while building it. It concludes with discussion of other areas where games may help information security professionals reach important goals.

Security competitions have become a popular way to foster security education by creating a competitive environment in which participants go beyond the effort usually required in traditional security courses. Live security competitions (also called "Capture The Flag," or CTF competitions) are particularly well-suited to support handson experience, as they usually have both an attack and a defense component. Unfortunately, because these competitions put several (possibly many) teams against one another, they are difficult to design, implement, and run. This paper presents a framework that is based on the lessons learned in running, for more than 10 years, the largest educational CTF in the world, called iCTF. The framework's goal is to provide educational institutions and other organizations with the ability to run customizable CTF competitions. The framework is open and leverages the security community for the creation of a corpus of educational security challenges.

SecurityEmpire is a new multiplayer computer game to teach cybersecurity concepts to high school students. We describe the design and implementation of SecurityEmpire, explain how it teaches security concepts, share preliminary evaluative data from students and teachers, and describe our experiences with developing, fielding, and evaluating this educational game. SecurityEmpire challenges each user to build a green energy company while engaging in sound information assurance practices and avoiding security missteps. Sound information assurance practices include: not clicking on unsafe links, encrypting auction bids, authenticating software downloads, performing integrity checks of system software, keeping antivirus protection up-to-date, and choosing strong passwords. In contrast with traditional teaching methods, educational games hold promise for greater student engagement and learning. We pilot tested an initial version of the game in computer science classes at partner high schools and in an undergraduate gaming class at our university. The preliminary data suggest that the game is engaging and increases awareness of cybersecurity practices.