Nikola Luburić
Abstract
With ever-greater reliance of the developed world on information and communication technologies, constructing secure software has become a top priority. To produce secure software, security activities need to be integrated throughout the software development lifecycle. One such activity is security design analysis (SDA), which identifies security requirements as early as the software design phase. While considered an important step in software development, the general opinion of information security subject matter experts and researchers is that SDA is challenging to learn and teach. Experimental evidence provided in literature confirms this claim.
To help solve this, we have developed a framework for teaching SDA by utilizing case study analysis and the hybrid flipped classroom approach. We evaluate our framework by performing a comparative analysis between a group of students who attended labs generated using our framework and a group that participated in traditional labs. Our results show that labs created using our framework achieve better learning outcomes for SDA, as opposed to the traditional labs. Secondary contributions of our article include teaching materials, such as lab descriptions and a case study of a hospital information system to be used for SDA.
We outline instructions for using our framework in different contexts, including university courses and corporate training programs. By using our proposed teaching framework, with our or any other case study, we believe that both students and employees can learn the craft of SDA more effectively.
- Accountability Act. 1996. Health insurance portability and accountability act of 1996. Public Law 104, 191.Google Scholar
- Ajit Appari and M. Eric Johnson. 2010. Information security and privacy in healthcare: Current state of research. Int. J. Internet Enterprise Manage. 6, 4 (2010), 279--314.Google ScholarCross Ref
- Steven F. Burns. 2005. Threat modeling: A process to ensure application security. GIAC Security Essentials Certification (GSEC) Practical Assignment (2005).Google Scholar
- Aparicio Carranza and Casimer DeCusatis. 2015. Hybrid implementation of flipped classroom approach to cybersecurity education. Natl. Cybersecur. Inst. J. 2, 3 (2015), 45--54.Google Scholar
- Brian Chess and Brad Arkin. 2011. Software security in practice. IEEE Secur. Priv. 9, 2 (2011), 89--92. Google ScholarDigital Library
- Tamara Denning, Adam Lerner, Adam Shostack, and Tadayoshi Kohno. 2013. Control-alt-hack: The design and evaluation of a card game for computer security awareness and education. In Proceedings of the 2013 ACM SIGSAC Conference on Computer 8 Communications Security. ACM, 915--928. Google ScholarDigital Library
- National Science Foundation. 2008. Developing case studies for information security education. Retrieved January 14, 2018 from https://www.nsf.gov/awardsearch/showAward?AWD_ID=0737304.Google Scholar
- S. Gibbs. 2018. Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers. The Guardian. Retrieved January 12, 2018 from https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw.Google Scholar
- Saee Hamine, Emily Gerth-Guyette, Dunia Faulx, Beverly B. Green, and Amy Sarah Ginsburg. 2015. Impact of mHealth chronic disease management on treatment adherence and patient outcomes: A systematic review. J. Med. Internet Res. 17, 2 (2015).Google ScholarCross Ref
- A. Hern. 2017. WannaCry, Petya, NotPetya: how ransomware hit the big time in 2017. The Guardian.Retrieved January 12, 2018 from https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomwar.Google Scholar
- Adobe Systems Incorporated. 2010. Adobe Secure Product Lifecycle. Retrieved August 5, 2017 from http://www.ten-inc.com/presentations/Adobe_privacysecurity.pdf.Google Scholar
- Association for Computing Machinery (ACM) Joint Task Force on Computing Curricula and IEEE Computer Society. 2013. Computer Science Curricula 2013: Curriculum Guidelines for Undergraduate Degree Programs in Computer Science. ACM, New York, NY. Google ScholarDigital Library
- Sul Kassicieh, Valerie Lipinski, and Alessandro F. Seazzu. 2015. Human centric cyber security: What are the new trends in data protection? In Proceedings of the 2015 Portland International Conference on Management of Engineering and Technology (PICMET’15). IEEE, 1321--1338.Google Scholar
- Tadayoshi Kohno and Brian D. Johnson. 2011. Science fiction prototyping and security education: Cultivating contextual and societal thinking in computer security education and beyond. In Proceedings of the 42nd ACM Technical Symposium on Computer Science Education. ACM, 9--14. Google ScholarDigital Library
- Daniel E. Krutz, Andrew Meneely, and Samuel A. Malachowsky. 2015. An insider threat activity in a software security course. In Proceedings of the 2015 IEEE Frontiers in Education Conference (FIE’15). IEEE, 1--6. Google ScholarDigital Library
- Ralph Langner. 2011. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9, 3 (2011), 49--51. Google ScholarDigital Library
- Robert M. Lee, Michael J. Assante, and Tim Conway. 2016. Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (2016). Retrieved on January 13, 2018 from https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf.Google Scholar
- Marcin Lukowiak, Stanisław Radziszowski, James Vallino, and Christopher Wood. 2014. Cybersecurity education: Bridging the gap between hardware and software domains. ACM Trans. Comput. Educ. 14, 1 (2014), 2. Google ScholarDigital Library
- Andrew Meneely and Samuel Lucidi. 2013. Vulnerability of the day: Concrete demonstrations for software engineering undergraduates. In Proceedings of the 2013 International Conference on Software Engineering. IEEE Press, 1154--1157. Google ScholarDigital Library
- Andreas L. Opdahl and Guttorm Sindre. 2009. Experimental comparison of attack trees and misuse cases for security threat identification. Inf. Softw. Technol. 51, 5 (2009), 916--932. Google ScholarDigital Library
- The Open Web Application Security Project. 2017. Application Threat Modeling. Retrieved January 13, 2018 from https://www.owasp.org/index.php/Application_Threat_Modeling.Google Scholar
- James Ransome and Anmol Misra. 2013. Core Software Security: Security at the Source. CRC Press, Boca Raton, FL. Google ScholarDigital Library
- Alexandra Savelieva and Sergey Avdoshin. 2016. Integrating case studies into information security education. In Emerging Trends in Information Systems. Springer, 99--115.Google Scholar
- Riccardo Scandariato, Kim Wuyts, and Wouter Joosen. 2015. A descriptive study of microsoft’s threat modeling technique. Require. Eng. 20, 2 (2015), 163--180. Google ScholarDigital Library
- Bruce Schneier. 1999. Attack trees. Dr. Dobb’s J. 24, 12 (1999), 21--29.Google Scholar
- Brook S. E. Schoenfield. 2015. Securing Systems: Applied Security Architecture and Threat Models. CRC Press, Boca Raton, FL. Google ScholarDigital Library
- Adam Shostack. 2014. Elevation of privilege: Drawing developers into threat modeling. In 3GSE.Google Scholar
- Adam Shostack. 2014. Threat Modeling: Designing for Security. John Wiley 8 Sons. Google ScholarDigital Library
- Paulina Silva, René Noël, Santiago Matalonga, Hernán Astudillo, Diego Gatica, and Gastón Marquez. 2016. Software development initiatives to identify and mitigate security threats-two systematic mapping studies. CLEI Electron. J. 19, 3 (2016), 5.Google ScholarCross Ref
- Emmanouil G. Spanakis, Silvina Santana, Manolis Tsiknakis, Kostas Marias, Vangelis Sakkalis, António Teixeira, Joris H. Janssen, Henri de Jong, and Chariklia Tziraki. 2016. Technology-based innovations to foster personalized healthy lifestyles and well-being: A targeted review. J. Med. Internet Res. 18, 6 (2016).Google ScholarCross Ref
- Sven Türpe. 2017. The trouble with security requirements. In Proceedings of the 2017 IEEE 25th International Requirements Engineering Conference (RE’17). IEEE, 122--133.Google ScholarCross Ref
- Bill Whyte and John Harrison. 2010. State of practice in secure software: Experts views on best ways ahead. Software Engineering for Secure Systems: Industrial and Research Perspectives. IGI Global.Google Scholar
- Xiaohong Yuan, Li Yang, Bilan Jones, Huiming Yu, and Bei-Tseng Chu. 2016. Secure software engineering education: Knowledge area, curriculum and resources. J. Cybersecur. Educ. Res. Prac. 2016, 1 (2016), 3.Google Scholar
- Chuan Yue. 2016. Teaching computer science with cybersecurity education built-in. In 2016 USENIX Workshop on Advances in Security Education (ASE’16). USENIX Association, Austin, TX.Google Scholar
Index Terms
- A Framework for Teaching Security Design Analysis Using Case Studies and the Hybrid Flipped Classroom
Recommendations
Enhancing Cybersecurity Education Using POGIL (Abstract Only)
SIGCSE '17: Proceedings of the 2017 ACM SIGCSE Technical Symposium on Computer Science EducationThis poster presents our NSF collaborative project "Enhancing Cybersecurity Education Using POGIL". Although the POGIL (Process Oriented Guided Inquiry Learning) instructional approach has been used and evaluated in science and engineering disciplines, ...
Research on the Application of Flipped Classroom Model in English Teaching
ICDTE '17: Proceedings of the 1st International Conference on Digital Technology in EducationFlipped classroom model, which integrates the traditional face-to-face interaction model in classroom with self-paced e-learning model on the Internet, has significance to modern English teaching. In this study, we designed a series of teaching programs ...
Teaching programming with flipped classroom method: a study from two programming courses
Koli Calling '15: Proceedings of the 15th Koli Calling Conference on Computing Education ResearchFlipped classroom teaching method, where theory is studied at home and exercises are done in the classroom, is gaining foothold in teaching. The method has been used with different approaches and guidelines, yet a single unified process has not been ...
Comments