Engaging students in cybersecurity: a primer for educators

Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.
~ Maimonides

The education sector has had its share of breaches. And schools, like medical and retail institutions, continue to struggle when it comes to securing their highly-priced assets: student and staff data and intellectual property. This is a big challenge for many. Unfortunately, it’s not the only challenge they face.

The education sector is pressured to address skills shortage, not just within the cybersecurity industry but in their own as well. Educators are also faced with the challenge of teaching the current and future generation of students about cybersecurity and privacy, fields which for most of them are relatively new and challenging to learn. Furthermore, engaging students to start considering careers in cybersecurity—much less getting them interested and talking about it—is another hurdle to conquer.

Educators are left wondering, “How can I even begin to tackle all this?” Before we start concerning ourselves with what to do with students, here are two questions teachers must ask themselves first:

How prepared am I for this?

Remember that a mark of good teaching is the knowledge, firm grasp, and familiarity with the subject matter. Teachers both new and experienced who are willing to take up teaching cybersecurity can start off by learning more about this subject for themselves, understanding why it’s crucial that every citizen of every country must play their part, and how they can make a difference in the burgeoning fight against cybercrime. There are some ways this can be done:

  • Get trained. The National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource and training hub managed by the Department of Homeland security, offers cybersecurity training for educators for free. They can check out the materials from the NICCS official website.
  • Seek mentors among experienced cybersecurity educators and/or professionals. It’s always good to have someone show you the ropes on something you’re not that familiar with yet. Same is true for educators, and there’s no shame in asking to be mentored. After all, educators can benefit from the best and brightest minds in this field, as do the students.
  • Teach yourself via the Internet. Self-learning is always an option, and there are free and available materials an educator can use for studying online. Cybersecurity Ventures also has a hefty list of private institutions that educators and their organizations can invite to do in-house training. Lastly, the National Initiative for Cybersecurity Education (NICE), which is a program of the National Institute of Standards and Technology in the Department of Commerce, has more materials teachers can pore over.

What methods can I use to introduce this new subject to my students?

Making cybersecurity palatable to K–12 students is something educators must prepare and plan ahead for. For some organizations, the availability of technology has made it easier for teachers to use methods beyond the blackboard and textbooks.

This doesn’t mean that old yet effective methods of instruction are entirely forgotten. Instead, integrating technology must be used alongside tools that already work in a classroom. Technology also livens up the class, making it conducive for students to accept the new subject matter. TeachHub recommends that teachers undergo the four stages of technology integration, which are substitution, augmentation, modification, and redefinition, should they decide to take advantage of new learning tools using technology. And when it comes to training students on cybersecurity, it’s a must.

We can’t give what we don’t have. In this case, educators cannot impart knowledge about cybersecurity without (or are in the process of) gaining sufficient learning about it themselves. So it’s essential to undergo this step before moving on to the next.

Ways to get students interested and involved in cybersecurity

The majority of educators love teaching because they also like working with young kids. And starting them young is the ideal stage to discuss cybersecurity. How young? Some say once they begin elementary school; for others, there is really no defined age. As long as the kids (1) are mature enough mentally to be taught about the importance of safe computing, and (2) are already using technology, such as a smartphone or tablet, then we can say they are ready to take this new step to learning.

Like any list, the outline below isn’t exhaustive. This is also, by no means, not an ordered list of steps but rather a list of guidelines you can follow (and reject) at your discretion. As educators, you can branch out and look for other ways. Keep honing your methods and replacing them with new, more efficient ones. So without further ado, below are methods we’re proposing for kids:

1. Join boot camps. Independent and private organizations can conduct cybersecurity camps for kids and teens. It’s up to the educator to learn more about such programs, getting as much information as they can, and then choosing which camp they’d vouch for their students to join. Examples of camps are GenCyber, Cyber Camps by the US Cyber Challenge, and Tech Camps by ID Tech.

2. Join competitions. This is probably applicable from middle- to university-level contests that can be in-school or out-of-school. Examples are Carnegie Mellon’s picoCTF, CyberFirst Girls Competition (in the UK), CyberPatriot, and Global Cyberlympics.

3. Go on tours. Some schools can organize trips within government and private sector offices that deal with cybersecurity.

4. Get an internship. Students at the high school level (as young as) can apply for an internship to companies that have openings for information security teams. An internship is the closest hands-on experience they can gain in a real-world setting. Educators can encourage their students to go for this, or go that extra mile and vouch for the students to companies they want to intern.

5. Volunteer to teach younger generations about cybersecurity. This may apply to high school and university-level students who would be graduating. Not only would this help educators immensely by being unburdened from some of the tasks of teaching, but it can also be a positive experience for students while putting themselves in the shoes of being a mentor. Who knows—they might actually take an interest in teaching cybersecurity for the next generation.

And as for teachers, they can help students by doing the following:

1. Provide them a role model. Kids and teens need someone they can look up to or model after, even when they don’t realize it at first—This could explain why YouTube stars are so famous. If you want to encourage kids and teens to be an expert in the field of their interest in the future, educators must introduce to them personalities they can emulate. Are the little girls in class a fan of Taylor Swift? Mention that Swifty is actually besties with Karlie Kloss, international supermodel and coder.

2. Develop their soft skills. While tech and coding skills may be necessary for several job positions, soft skills—especially when sharpened to the point of awesomeness—can not only get the post-grad through the door but can also keep them employed for a long time.

In a previous blog post, we asserted that if one wants to work in cybersecurity, they don’t have to be too technical or know how to code. In fact, some are saying that the skills shortage being experienced in this industry is not about lacking technical people. Instead, the industry requires technical people who also have other skills like advanced reading, advanced writing, communication, management, organization, critical thinking, and troubleshooting skills. Most employers actually consider soft skills as more important than hard skills.

Read: When cybersecurity isn’t all cyber: What does it really take to work in cybersecurity?

3. Recognize talents that they can use in cybersecurity. Some students may feel put off or inadequate in pursuing careers that they deem too technical. Musical individuals and those with above-average eye-hand coordination (e.g., video game players), they say, may have a high opportunity of success in the cybersecurity field. They are creative personalities who can think outside the box when it comes to solving problems and innovation, especially when they are adequately trained. Educators can utilize the studies behind these claims to pique student interest for a start.

4. Provide a platform for students to learn, share, and apply what they learned. At this day and age, it may not be difficult to find a platform. We have already mentioned YouTube above. There is also GitHub for the code monkeys, and, if your child is into messaging instead of social networking sites to get in touch with their friends, there is Discord, where they can create a room and throw ideas around to members who can help refine them. There is also Twitch, where some game modders actually broadcast themselves coding and testing the code of the game they want to improve on.

5. Gamify learning. Gamification, or the use of game mechanics and design, to drive home important points that may otherwise leave students confused can bring about high engagement. Not to mention, it’s extremely fun. There are some ways educators can apply this. They can change the class grading system from letter grades to “experience points” (or XP in the gaming world) as one teacher already demonstrated, awarding students with tangible incentives like badges, conduct tournaments among small groups within the class, and using actual games that teach about cybersecurity, privacy, and hacking. For middle- to high-school educators, assess if you can introduce your students to games like TIS-100, Shenzhen I/O, and Uplink. Zachtronics have more and various games to offer on their website.

6. Teach them the necessary security skills. One cannot be equipped to work in cybersecurity—or, in this day and age, in any industry—until they know basic cybersecurity hygiene. This is fundamental, but it shouldn’t stop there. Students will learn and adapt better security techniques to protecting their own and company assets once they advance in their education and begin working. But having some sort of security cornerstone or foundation must be there to build on.

7. Ingrain in them the importance of continuous development. Education shouldn’t begin and end in institutions. This may seem like a no-brainer, but it is important to remind students that although learning on the job is essential, it is equally important to make an effort to understand concepts they haven’t encountered in the classroom by reading books and researching about them online. Life these days is fast-paced, and if one is not paying attention, valuable knowledge can just pass us by.

8. Expand cybersecurity education and training efforts to include all students. This may be applicable only in a university setting. Expanding cybersecurity education means that it shouldn’t be only students in STEM courses being trained on it. The curriculum should include practical applications of security in their career of choice and how insecure practices may potentially jeopardize not just their employment but also the clients they serve. Real-world scenarios and examples are the best case studies.

The cool factor

While educators expose students to the exciting and highly positive aspects of cybersecurity, it’s unavoidable for them to also see the other side of it: the exploits, methodologies, and (if the information is available) the people behind cybercrimes and threat actor groups that the cybersecurity industry is battling against.

Thanks to increased media coverage on successful breaches, availability of written works and videos on various hacktivist ideologies, and the dramatization of the misuse of computer and network prowess in television series and movies, students have more to internalize and mentally process today compared to previous generations. Unfortunately in today’s culture, more and more are not taking the time to think things through before acting. In many instances, kids and teens like to do things because of “the cool factor” involved.

This isn’t entirely a bad thing. The dramatization of hacking in TV and movies, no matter how poorly they were presented, has inadvertently put cybersecurity on the media map, undoubtedly sparking viewers’ imaginations, helping form idealisms and dreams, and pushing intellectuals and creatives alike to pursue the “what ifs.”

So if you hear students expressing sympathy over Elliot Alderson’s plight in taking down an evil corporation that he works for, a liking to Penelope Garcia’s focus and quick wit in the midst of life-or-death situations, or a deep fascination for Harold Finch’s selflessness and fierce loyalty to the cause of saving and not taking lives, let them. But also bring them gently back down to reality and introduce eye-opening documentaries of about real-life hackers and how the cyberculture came about.

CyberRisk named a few titles in a recent blog post, from Hackers in Wonderland (2000) to Hackers are People, Too (2008). Of course, we’d like to add The Triumph of the Nerds: The Rise of Accidental Empires (1996), Downloaded (2013), The Internet’s Own Boy: The Story of Aaron Swartz (2014), Deep Web (2015), and Softwaring Hard (2014).

Heck, if these aren’t cool for them, then I don’t know what is.

*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Jovi Umawing. Read the original post at: