The UMBC Cyber Defense Lab presents
Categorizing Misconceptions of Cybersecurity Reasoning
Travis Scheponik
Computer Science and Electronical Engineering
University of Maryland, Baltimore County
11:15am-12:30pm Friday, 9 September 2016, ITE 237
We present preliminary analysis of student responses to cybersecurity interview prompts.
During spring 2016, we interviewed twenty-six students at three diverse colleges and universities (UMBC, Prince George’s Community College, Bowie State University) to understand how they reason about cybersecurity. Each interview lasted approximately one hour during which we asked the subject to solve four cybersecurity problems. For this purpose, we developed twelve engaging interview prompts organized in three protocols each comprising four prompts. Using a paired expert-novice methodology, we are analyzing transcriptions of the interviews produced from audio and video recordings. The twelve prompts focused on five difficult and important concepts identified from a Delphi method with thirty-six experts, which we carried out in fall 2014.
Preliminary analysis of student responses reveals common misconceptions and problematic reasoning, including conflating concepts, biased reasoning, unsound logic, and factual errors. For example, students commonly conflate authentication and authorization, as well as encryption and hashing. Examples of biased reasoning include seeing the situation only from the user’s perspective, placing inappropriately high trust in physical objects, and underestimating potential vulnerabilities from insider threats. Initially, we marked student statements as “correct’’ or “incorrect.’’ From the “incorrect’’ responses, we identified misconceptions about cybersecurity. Then, we categorized why responses were incorrect and we identified a variety of biases and problematic reasonings.
Our motivation is to produce educational assessment tools that will measure how well students understand cybersecurity concepts, for the purpose of identifying effective ways to teach cybersecurity. Results of our work will also be useful in developing curricula, learning exercises, and other educational materials and policies.
Joint work with David Delatte, Geoffrey Herman, Michael Neary, Linda Oliva, Alan Sherman, and Julia Thompson. Support for this research is provided in part by the U.S. Department of Defense under CAE-R grants H98230-15-1-0294 and H98230-15-1-0273, and by the National Science Foundation under SFS grant 1241576. We will present our results at the Frontiers in Education Conference, October 12-15, 2016, in Erie, PA.
About the Speaker: Travis Scheponik is a PhD student in computer science at UMBC, working with Dr. Alan T. Sherman. His research interests include cybersecurity education.