Using Learning Sciences to Inform Cyber Security Education

May 18, 2015 at 9:30 am

I’m giving the keynote talk at the 2015 International Security Education Workshop at Georgia Tech today. I’ve never spoken on cyber security before, so the talk was challenging and fun to put together. I used some of the learning sciences research we’ve done in computing education to draw connections to cyber security education. The lessons I highlight are:

  • Context matters.  People only learn when they understand why the learning is useful.
  • Identity matters.  People who reject computer science (and that’s most people) will likely reject cyber security education, even if they need to know it.  The cyber security learning that they need to know has to meet their identity and expectations. Don’t expect them to change who they are and what they think is important.
  • Structure matters.  Teaching something well, like using subgoal labeling, can dramatically improve learning.




6 Comments

  • 1. Wu He  |  May 18, 2015 at 9:38 am

    Great talk. I really enjoy it. The three lessons are inspirational for improving cybersecurity education.

  • 2. Bill  |  May 18, 2015 at 9:52 am

    Thanks for sharing your slides. I enjoyed your talk, but I think it was too CS-focused. I’m from a CS department, but many (most going by the people I talked to at breakfast and break) Cybersecurity programs are housed in places where they don’t teach CS concepts or programming.

  • 3. Mark Guzdial  |  May 18, 2015 at 10:32 am

    Thanks. Interesting questions.

    (1) First question was how to deal with over-experienced vs. under-experienced students. I talked about splitting by majors and HMC’s splitting by experience.

    (2) Next question claimed that cybersecurity education needs more thrashing because they need people to explore and “hack.” I said that thrashing at the start of learning makes it more difficult to learn, not easier. I told the Worked Examples story.

    (3) Next question said that what’s different about cyber-security education is that there is an adversary. I agreed that that’s different than intro CS, math, or physics, but you have to get people started before they face the adversary. All learning proceeds declarative to procedural. You learn the processes and recipes and cookbooks first, and then abstract and riff on them.

    (4) Next question claimed that we won’t need people to program eventually, so how do you decide what to teach. I told the Alan Perlis story and the Michael Mateas “There will always be friction” stories.

    (5) Last question asked how do you get people to explore and hack. I told them to put people in a context that they want to learn, and they will explore.

    I never got to coffee after the talk. I got swamped with people asking questions. I had one person asking me to please finish my book on Learner Centered Design of Computing Education in the next month because he needs it. I plan to finish it for Fall, but it’s nice to know that there’s interest.

  • 4. Ashish Sethiya  |  May 19, 2015 at 6:03 am

    It is a truth that cyber security education is necessary in this digital age, where almost everything is accessible through different means. So cyber security education is a must, and your three key points are doing well in order to make everyone aware, whether they like computer science or not.

  • 5. Kevin Sullivan  |  May 19, 2015 at 6:25 pm

    One can’t get into complex failure mechanisms with beginners. How could one possibly explain return-oriented programming, for example, to students who lack such concepts as machine code and stacks? It’s probably best not to try.

    What one can perhaps teach from day one is that in many situations there is an engineering aspect to programming in the real world–from programming of simple spreadsheets to the most complex societal infrastructure systems.

    What would it mean to give beginning students an understanding of programming as an engineering activity? Petroski gives a great answer. The primary responsibility of the engineer is to anticipate and avert failures that would create unacceptable losses. Helping even the novice to understand that computers and software often control key physical, cyber, financial, social, and other systems; that failures of software can produce real-world catastrophes; and that software is prone to fail in ways that are very unlike physical systems failures — is not only possible but arguably vitally important.

    It’s easy, for example, to show students videos of exploding rockets, then show them that computer arithmetic is not really the maths we all know and love, then explain that the former kind of loss was due to the latter kind of error.

    Failures due to exploits of vulnerabilities are really just another form of failure, today most often due to a very poor understanding of the engineering aspects, and specifically the failure modes, of software.

    The point isn’t to be a killjoy. There’s nothing wrong with having a lot of fun with programming, and students should; but they should also be made aware that when it comes to employing programming in any professional situation, especially but not limited to life-critical systems, one has to shift one’s psychology a bit, from artist to builder. Indeed, coming to understand failure and how to avoid it by causing lots and lots of failures is itself not only fun but productive. It’s one way that we can learn eventually to build things that don’t fail.

    Even students who have only one course in computing should maybe be given some kind of introduction to issues of the professional ethics of programming, particularly with respect to the possibilities and costs of system failure, and one’s professional responsibility not to program well past one’s real level of engineering competence. One big reason that we’ve got such a security catastrophe on our hands is that far too many people enter the profession who simply have no concept of what we do as an engineering activity with associated obligations to anticipate and avoid failures, including those involving adversaries.
