Embed Size (px)
Citation preview
A CHOOSE-YOUR- OWN-ADVENTURE, CTF VM FOR CYBER SECURITY EDUCATION.
Student Contributors
Sam Holdcroft
RichardThomas
Andreea Ruda
Introduction• Story/narrative is an important aspect of gamification.
• In making cyber security education challenges this is often overlooked.
• We have developed a choose-your-own-adventure story engine to add a narrative to educational CTF challenges.
• We have written a story for this based on investigating a black market site, in a corrupt company.
• We have used this with a 2nd year cyber security class and collected data about its affect.
Gamification
Some quotes from these books
• “What we learn from games is that adding narrative, storyline, or a theme to our lessons and activities can help students be more engaged”
• “Stories and narrative are important for games focused on helping people to learn”
• “Researcher have found that the human brain has a natural affinity for narrative”
Types of Game
VS
Our Goal• As part of our project we have product a number of
Capture the Flag (CTF) exercises for education.• Our tests with students suggest these work well and are popular
• Our goal here is is to provide a framework to put these exercises into the context of a story.
• The story should tie the exercises together, for a 11 weeks cyber security.
• Students should have control over the story.
The Framework
ePlayerSpace
Ex1, flags
Ex2, flags
Ex3, flags
Ex4, flags
Ex5, flags
Mail Server
Web Server
Story Script
flags
flags
flagsStory e-mails
Class Test• We gave the VM to a 2nd year introduction to cyber
security course.
• The CTF exercises were compulsory and the story was completely optional.
• We logged the e-mails the student sent (with their knowledge).
• 38 Students started the story, 34 finished it.
Example student e-mails. To: [email protected]: Employee427 <[email protected]>
Hi there,
It's great to be here, and I'd love to start work now. Here are the tokens that I've found so far:
855e8fb63feed93e2c49135fc83737cf 65e802467c57f7d058119094ad9d496af 14673f7f3467e826b922915b5f14466a
Happy to help!
427.
Example student e-mails. To: [email protected]: Employee 427 <[email protected]>
Hi there,
Something big you say? I hope that I can trust you with these...
2029725918ac5486c1b40d07d9d7815e5a89ce67c9fe32d4b1d2ec8e55c619ce9daeb0c067a31d4bb6c3e92aaca74f4d0480dcab7a474deb9f0fe522b981271d
And yeah, if we are going to carry on with this I would prefer if we could get some encryption for these messages. I'm not up for loosing my job in the first week...
[oo] /|##|\ d b
Example student e-mails. Recipient: [email protected]: Employee 427 <[email protected]>Subject: HELP!!!
I have some incriminating evidence on my bosses!
I don't know who to turn to!
Here's some statements from my boss' private directory!
S.F. Heroes, Rocks and Grass Patches of £56,655S.F. cyber of £5,150S.F. Heroes, Rocks and Grass Patches of £40,380S.F. cyber of £1,750
Survey Results• Those that did take the story:
• 89% very happy with it, 11% happy• 83% very worthwhile, 15% worthwhile• 97% say it increased there level of engagement with the
course
• Those that didn’t take the story• 24% said they weren’t aware of the story. • 43% said they were too busy.• 17% said they weren’t interested in it• 16% other/no response
Conclusion.• The story seems to have been a success.
• The technical framework functioned well.
• Our results suggest adding a story to coursework does increase student engagement.
• We plan to run the story again next year• Considering making the e-mails to main way to submit homework• Working with other University so that they can use it.
• Long term: add it into Cliffe Schreuders’s SecGen framework
