Cybersecurity Students Stir Up Chaos in Pursuit of Remedies

With funding from the National Science Foundation, WPI computer science professors aim to enhance cybersecurity education through peer review
August 20, 2015

Kathi Fisler, principal investigator for the NSF award

Aiming to improve the learning experience for students enrolled in the cybersecurity program at Worcester Polytechnic Institute (WPI), a WPI professor has secured a two-year, $229,280 award from the National Science Foundation for a study exploring how peer review enhances student learning. In one assignment, students will hack model computer systems, fix the vulnerabilities they’ve identified, and then have their work critiqued by other students.

The research comes as attacks on computer systems continue to plague individuals and corporations worldwide. According to a study published last year by the Center for Strategic and International Studies and funded by cybersecurity firm McAfee, hackers cost consumers and companies between $375 and $575 billion annually. Also, the U.S. Senate is currently debating the Cybersecurity Information Sharing Act, a bill that seeks to enable the exchange of cyberthreat information between the public and private sectors.

Kathi Fisler, professor of computer science in WPI's Cybersecurity Program, is the principal investigator for the NSF award. Given the scope of the problem, she believes it’s critical for universities to train more students in cybersecurity.

"By looking at this specific approach to teaching, we expect to find some interesting results that will inform future teaching methods," said Fisler, who added that this research is distinctive because the students involved will be "enhancing cybersecurity education through peer review."

While many universities nationally offer cybersecurity courses, WPI is among the first to formally study the effectiveness of peer review in this context. In pedagogical terms, professors empower students to hack. It’s a move that invites them to create chaos and then develop creative solutions that make the computer system more secure.

Fisler also noted that the grant focuses on the intersection of cybersecurity and computing education. In earlier research, Fisler experimented with the use of peer review in computer science courses. She had students review the work of other students, not for grading purposes, but to help them learn concepts more effectively both by critiquing other students’ efforts and by having their own work evaluated by peers. Fisler also noted that faculty members plan to use peer review in assignments that involve planning defenses and analyzing threats and policies.

"A lot of research in higher education focuses on getting students more involved in learning in various ways," said Fisler. "We need to rethink this idea that the professor is the sole source of authority."

WPI cybersecurity faculty members will incorporate peer review activities into several undergraduate and graduate security courses and analyze the impact they have on student learning. Fisler, who is leading the analysis, plans to collect the data throughout the upcoming academic year.

Co-principal investigator Krishna Venkatasubramanian

Krishna Kumar Venkatasubramanian, assistant professor of computer science and a co-principal investigator on the NSF award, used peer review for the first time earlier this year in an undergraduate software security engineering class focused on cybersecurity issues. Specifically, he asked students to hack a WPI-developed "dummy" web site with three specific steps: find the vulnerabilities, exploit them, and patch them.

Although he is still collecting data on the outcome, Venkatasubramanian said his early findings indicate that the peer review process was valuable for a large portion of the class.

"I was impressed with not only how the students critiqued other students, but how they also accepted critical comments," he said. "Security is a process, not just a technical solution, and we're encouraging students to think broadly about this issue."

Venkatasubramanian will teach the course again early next year, and he and Fisler are hopeful that the findings will help shape how future academic courses are taught nationally.

Alexander Witt, a PhD student at WPI currently working with Venkatasubramanian, took the course earlier this year as a senior. Among the course benefits, he said, were "…the ability to communicate ideas, receive suggestions, and curate techniques to establish more systematic approaches for identifying vulnerabilities in software-based systems."

Other co-principal investigators on the NSF project are Joshua Guttman, professor of computer science; and Craig Shue, assistant professor of computer science.

Having served as the director of WPI's Cybersecurity program from 2010 through May 2015, Fisler developed formal security curricula for on-campus students and students enrolled in programs offered by WPI's Corporate and Professional Education division. She led WPI's applications to be a National Center of Excellence in Security Research, which was awarded in 2013, and was instrumental in the university's recent recognition as a host for the National Science Foundation’s Scholarships for Service program. The NSF awarded WPI more than $4.4 million last year to develop a program that will prepare professionals to address cybersecurity challenges and threats for the federal government.