Carnegie Mellon University

June 27, 2019

How to teach cybersecurity without scaring students away

By Daniel Tkacik

Last year, a record-breaking 27,000 people around the world took part in picoCTF, CyLab’s online hacking competition aimed at nudging young minds to consider pursuing a career in cybersecurity.

Last week, the masterminds behind that competition shared some lessons learned in a paper at the Colloquium for Information System Security Education conference in Las Vegas. 

That paper, titled “pico-Boo! How to avoid scaring students away in a CTF competition,” won a Best Student Paper Award. Kentrell Owens, a graduate student in the Electrical and Computer Engineering department, was the paper’s lead author.

Source: Carnegie Mellon University's College of Engineering
ECE graduate student Kentrell Owens received a "Best Student Paper" award for his paper on picoCTF.

“A big focus last year was establishing learning objectives for the problems and trying to make each succeeding problem slightly more difficult,” says Marty Carlisle, the education lead for picoCTF 2018 and a professor in the Information Networking Institute (INI).

During the annual two-week competition, picoCTF players capture virtual “flags” – hence “CTF” for “capture the flag” – by solving problems that mimic real-life cybersecurity challenges. The problems are housed in an online video game that follows a storyline unique to that year’s competition. Each problem offers hints if players get stuck.

“picoCTF gives immediate feedback on whether students have mastered a concept; they know this because they've captured the flag,” says Carlisle. “It gives people real hands-on experience with software vulnerabilities and security issues in a safe, controlled, and legal environment.” 

Two years ago – after picoCTF 2017 had ended – many players commented in a post-competition survey that the problems had gotten too hard too quickly, causing many of them to lose confidence and give up.

“We wanted to hit the sweet spot where students didn’t get discouraged and give up, but also didn’t get bored and quit because the problems were too easy,” Carlisle says. 

The data show that they were successful. In the 2018 competition, half of the students were able to complete 15 or more problems, compared with only a quarter of students having done so in 2017.

“By making problems incrementally harder, we can get students to advance further through the learning objectives,” Carlisle says. “We’ll continue to focus on this in future years.” 

Other members of the picoCTF education team who co-authored the paper included INI graduate student Alexander Fulton and CyLab software engineer Luke Jones.