Honolulu, Hawaii
June 24, 2007
June 24, 2007
June 27, 2007
2153-5965
Computers in Education
7
12.571.1 - 12.571.7
10.18260/1-2--2738
https://peer.asee.org/2738
Educating Students on Information Assurance through Immersion and Operational Leadership
Abstract
This paper presents the results of an experiment to educate students on information assurance through immersion and student-led learning. As technology progresses, students face increasing attacks on their information systems. Rather than educate students solely in the classroom, we implemented two experiences to increase student understanding of modern information assurance using the students themselves: the student information security officers (SISOs) and the Carronade exercise.
The student information security officer program empowers students to address information assurance education of their fellow students. Students are organized into groups of approximately 120 and each group is assigned a SISO. The SISOs are organized in a hierarchy so that ultimately one SISO is responsible for all. The SISOs educate and mentor their students on safe computing through formal classes in their dorms, formal inspections of personal computers, security awareness exercises, and assisting students when they encounter a problem. The empowerment of students to operationally lead their student organization has resulted in marked improvements in student learning regarding information assurance and computer attacks. An indicator of this learning is the Carronade exercise.
The Carronade exercise is an immersive information security awareness exercise conducted every semester since September 2003. SISOs launch the exercise using an automated phishing tool that generates a phishing email attack against every student under the control of the SISO. If a student succumbs to the attack, the SISO is informed of the identity of the student. No personal information is transmitted. The SISO then has an opportunity to mentor the student and explain why the email was a phishing attack and what the telltale signs were that identified the email as an attack. Because the attack occurs in the normal work environment of the students, it is viewed as highly relevant to the students. Due to the low threat and personal mentoring approach employed to resolve mistakes, students are receptive to the exercise. This has led to a marked improvement in student performance against phishing attacks over the last three years. The empowering of students to teach and mentor their fellow students through the SISO and Carronade programs has proven to be very successful.
Background
The number and sophistication of computer attacks have grown dramatically in the last twenty years. In terms of numbers, the growth has been exponential [1]. The sophistication of the attacks has likewise increased with the development of rootkits, patch reverse engineering, and the involvement of organized crime and nation states in launching the attacks. In the last five years, as perimeter defenses have stiffened, computer attacks have attempted to bypass perimeter defenses and manipulate individual users through a number of social engineering techniques and attack vectors. Attempts to make our students aware of the threat and train them through passive classroom experiences proved inadequate. What was needed was an active, immersive educational experience outside the classroom.
Carver, C. (2007, June), Educating Students On Information Assurance Through Immersion And Operational Leadership. Paper presented at 2007 Annual Conference & Exposition, Honolulu, Hawaii. 10.18260/1-2--2738
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2007 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015