This summer project, spanning approximately three months, aimed to develop threat modeling scenarios that are relatable to high school students to personalize their learning of Identity and Access Management (IAM) technologies. The project design included group brainstorming to identify threat scenarios most suitable for classroom instruction that appeal to students’ everyday contexts. Specifically, we aimed to identify threat and attack scenarios that students may regularly face (or are familiar with) related to IAM, like password attacks through shoulder surfing from a classmate or use of biometrics on smartphones. Our hypothesis was that by personalizing learning in this way, student engagement and learning will be positively impacted, as opposed to relying on existing teaching strategies that do not produce consistently positive learning outcomes.
This study was approved by USF's Institutional Review Board as Study #005606, and was funded by NSF's Secure and Trustworthy Cyberspace Program, Grant #2039373.
Threat modeling is a process that allows us to identify and understand security threats [12]. By modeling threats, we gain a better sense of how to attack or defend a given system. In terms of teaching cybersecurity, threat modeling provides a way for teachers to give students a real-life scenario to engage with.
With the rise of technology, as well as the ethical considerations that come along with it, teachers are having to explain cybersecurity and other related topics to their students [4]. Unfortunately, there is strong evidence to suggest that teachers are having a hard time implementing this curriculum into their classes [2, 3, 4]. Teachers in the Killhoffer study were noted to be worried about a perceived gap in knowledge when faced with the tech-savvy nature of their students, regardless of whether this divide was real. The Childers study revealed that teachers didn’t feel comfortable in their abilities to create an engaging lesson about cybersecurity, even after they had undergone the professional development course.
The consensus, among teachers and parents, is that it’s important to educate students on these topics [3], but there are differing views over how it should actually be done: whether it should be game based [6, 7, 10], a hands-on simulation activity (like a lab or project) [5, 8, 9, 11], or just some sort of engaging learning experience [2, 4]. Furthermore, most of these studies take place as a summer program, rather than being implemented within the school system itself [5, 6, 8, 10], or are just tested in the classroom for a short period of time [7]. Even though student enjoyment had a statistically significant increase with these programs, without knowing how their learning is impacted in the long term it’s difficult to accurately evaluate the activity’s worth.
This project takes into consideration the student aspect of the cybersecurity learning scenario. We consider the preconceived notions that high-school students might have about cybersecurity and Internet safety, and how we can better adapt the lessons to be more engaging and relatable. We also have them generate their own ideas for activities, which allows them to come up with ideas that other students might be eager to participate in.
Principal Investigator: Assistant Professor, Computer Science and Engineering, University of South Florida
Study Facilitator: Computer Science Teacher, Winthrop College Prep Academy
Study Facilitator: Undergraduate Researcher, Computer Science, University of South Florida
Ten undergraduate students were recruited for this study through various channels, including:
Additionally, study flyers were shared with our established collaborators for dissemination to potential participants and were made available in the university student center. Eight participants reported enrollment in the Computer Science and Engineering program, with two individuals also enrolled in Medical Engineering, all of whom are affiliated with the University of South Florida's College of Engineering.
Each participant completed a Cybersecurity Knowledge Quiz prior to participating in the study to assess their overall cybersecurity awareness. This was important to ensure each participant could effectively participate in discussion during the study.
Each participant received:
Age | Gender | Ethnicity | Program Year | Cybersecurity Quiz Score | Relevant Cybersecurity Courses |
---|---|---|---|---|---|
20 | Man | Asian or Asian American | Sophomore | 90% | Programming Concepts, Python, Program Design |
19 | Woman | White or Caucasian | Sophomore | 90% | AP Comp Sci, Intro to Oriented Programming, Intro to Databases, Programming Fundamentals, Foundations of Cybersecurity |
19 | Woman | Asian or Asian American | Sophomore | 90% | Programming Concepts |
21 | Man | Asian or Asian American | Junior | 100% | Intro to Python |
20 | Man | Arab/Middle Eastern or Arab American, Asian or Asian American | Freshman | 90% | Intro to Python, Google Cybersecurity Certificate, Programming Concepts, Intro to Web Development |
21 | Man | Asian or Asian American | Senior | 100% | Program Design, Data Structures, Database Design |
20 | Man | White or Caucasian, Hispanic, Latino, or Spanish | Sophomore | 70% | Programming Concepts, Program Design, Computer Logic Design, Python, C\#, C++ |
20 | Man | Asian or Asian American | Junior | 60% | Computer Programming |
20 | Woman | Asian or Asian American | Junior | 80% | Programming Concepts, Program Design, Computer Organization |
22 | Man | White or Caucasian | Senior | 100% | Intro to Programming, Programming Fundamentals, IT Object Oriented Programming, IT Concepts, Foundations of Cybersecurity |
Participant and Engagement Summary: Prior to engaging in the study, each participant completed a Cybersecurity Knowledge Quiz to gauge their overall awareness in the field, ensuring their active involvement in subsequent discussions. The demographic profile of participants reveals a diverse group with varying levels of cybersecurity exposure and expertise. Notably, participants demonstrated strong proficiency in foundational programming concepts, with several individuals having completed relevant cybersecurity courses. The distribution of quiz scores indicates a spectrum of cybersecurity knowledge among participants, suggesting differing starting points for engagement with the study's objectives. These demographics serve as a foundational understanding for interpreting the insights and contributions gathered throughout the study sessions, reflecting a broad spectrum of perspectives and experiences within the cohort.
Each brainstorming session consisted of:
Lunch was served at the start of the session. Participants were welcome to continue eating during the study overview, during which the study facilitators presented a slide deck which detailed the study goals, provided an ice breaker, defined fundamental concepts, and established a schedule for the day.
During brainstorming time, participants broke into two groups and were instructed to generate ideas with the following in mind:
Participants were provided with a wide array of stationery during all sessions, including markers, mini whiteboards and dry erase markers, pens, paper pads, sticky notes, index cards, and stickers. During discussion, each group would present their ideas, the whole team would reflect and discuss commonalities, and the research team would ask questions to gain clarity.
We organized the sessions to scaffold the participants’ thought processes by first asking them to assess the feasibility of personalized lessons to teach cybersecurity in high school, having participants generate specific lesson plan ideas according to their previously established assessment of feasibility, and then voting on the most promising ideas. We video and audio recorded each session, using two video cameras to focus on each group. Each session, we also photographed design artifacts and collected notes.
The objective of the first brainstorming session was to pinpoint threat modeling scenarios tailored specifically to high school students, aiming to facilitate effective cybersecurity education. The session underscored the importance of making content relatable to teenagers, hypothesizing that crafting narratives and scenarios would enhance engagement and comprehension. We emphasized the potential value of using real-world threats to enhance memorability and relevance. Central to this endeavor was the identification of scenarios pertinent to Identity and Access Management (IAM) and user authentication, vital concepts in cybersecurity education. The session's refined goal was to assess the usefulness of personalized threat scenarios for teaching IAM, with questions probing the benefits of personalization, its impact on learning, and student responses. The ultimate aim was to investigate the efficacy of this approach in the session and strategize its implementation for scenario identification in subsequent sessions.
Overall, Group B highlighted the various benefits of personalizing threat scenarios, emphasizing its importance in cybersecurity education. They felt that by informing students about the potential threats to their personal information and raising awareness of cybersecurity issues, personalized scenarios could significantly increase engagement and promote a deeper understanding of the subject. Moreover, Group B felt that personalized scenarios could inspire students to consider cybersecurity as a career path and encourage them to develop solutions to mitigate risks, such as creating cybersecurity software. Additionally, they argued that personalized scenarios could foster social awareness, enhance training, and empower students to take proactive measures against cyber threats, ultimately contributing to a safer online environment. Notable individual comments from Group B included the following:
Overall outcomes from Brainstorming Session 1 showed general support for the use of personalized threat scenarios for high school students to teach cybersecurity concepts. Real-world threats were highlighted as essential for enhancing memorability and relevance. However, to conclude Session 1, we held a 15-minute open discussion, which yielded further insights from both groups. Group A raised questions about the feasibility of true personalization, emphasizing the need for engaging activities over personalized ones. They highlighted the discrepancy between current personalized approaches and real-world scenarios, suggesting that effective personalization requires a deep understanding of the individual. As a result, their goal for the next session evolved to develop a set of engaging and relevant activities that promote positive and ethical behaviors among students. Group B's final comments in Session 1 centered on the potential negative consequences of personalized content, including the risk of fostering "bad hacking mentalities" and influencing unethical behavior. As an alternative, they proposed introducing concepts like Blue Teams and Bug Bounty Programs to mitigate these risks while making students more aware of cybersecurity issues like phishing emails. Thus, their objective for the next session also evolved to create a set of large problem-solving projects that address cybersecurity challenges on a broader scale.
Why would personalizing threat scenarios be useful?

| Rating | Group A | Group B |
|---|---|---|
| Highest Rated | Makes the information simpler, making it easier for non-experts to understand | Easily available |
| | It would make the concept or threat scenarios easier to understand. | Not sharing information across platforms |
| | Audiences can better understand the risks and severity as they see how it applies in their own lives | Increased engagement rate |
| | Useful because it can allow ourselves to be relatable to the audience | It would inform students about the threat to their personal information |
| | It forces the individual to be in the scenario, think about how to do better next time | So they know the severity of cyberattacks |
| | Personalizing threat scenarios would be useful to make audiences feel more connected with the message | So students are aware it could happen to them |
| | Easier to spread information if people care about what they are listening to | Social awareness |
| | Facing for the first time is tough. If they experience it before it would be better to face the situation. | Involve more students cybersecurity |
| | Teaches them to be more careful | To encourage students to be aware and afraid |
| | People would relate to their own experiences | Know about potential threat cyberattacks can pose to them |
| Lowest Rated | Open public servers, risk assessment, or even data breaches leading to information | Know about different types of cyberattacks |