How do we create cyberattack defenders?

 

Roger Schank (famous AI and cognitive science researcher, the guy who coined the term “learning sciences”) is putting his expertise to the task of creating cyberattack defenders.  The description of his process (linked below) is interesting.  It has all the hallmarks of his work — innovative, informed by research, driven by concrete tasks.  Notice the strong claim that I quoted below.  We shouldn’t be aiming for general cyber attack defense skills.  These skills are going to be industry-by-industry specific.  He’s directly informed by the research that suggests that these skills are unlikely to generalize.

One of the big questions is: where are we going to get the students?  How do we recruit students into this kind of program?

How can we help? The cyber attack course Socratic Arts is building for the DOD will be modified to make the projects specific to particular industries. The banks’ problems are obvious: hackers might want to steal money. Pharma’s problems are obvious: hackers might want to steal secrets. We intend to put out versions of our cyber attack course for each industry. These courses will take 6 months for a student to complete. We are not interested in giving an overview in the typical one week course that is no more than an intro. We want to train real cyber attackers who can help. The only way to learn is by practice (with advice). That’s how you learn to ride a bike and that’s how you learn to do anything.

Source: Cyber Attack Academy

Using Learning Sciences to Inform Cyber Security Education

I’m giving the keynote talk at the 2015 International Security Education Workshop at Georgia Tech today. I’ve never spoken on cyber security before, so the talk was challenging and fun to put together. I used some of the learning sciences research we’ve done in computing education to draw connections to cyber security education. The lessons I highlight are:

• Context matters.  People only learn when they understand why the learning is useful.
• Identity matters.  People who reject computer science (and that’s most people) will likely reject cyber security education, even if they need to know it.  The cyber security learning that they need to know has to meet their identity and expectations. Don’t expect them to change who they are and what they think is important.
• Structure matters.  Teaching something well, like using subgoal labeling, can dramatically improve learning.

 

(Click on the image below to get to the Slideshare site)