Teaching Computer Science with Cybersecurity Education Built-in
Chuan Yue, Colorado School of Mines

Abstract

Despite the remarkable cybersecurity education efforts from traditional approaches such as offering dedicated courses and even degree programs or tracks, the computer science curricula of many institutions still severely fall short in promoting cybersecurity education. We advocate further exploring the security integration approach to complement other approaches and better promote cybersecurity education. We contribute to this approach by concretely exploring a viable implementation solution and evaluating its effectiveness. Specifically, we explore discussing relevant cybersecurity topics in upper and graduate level non-security courses to engage students in learning cybersecurity knowledge and skills from the perspectives of different computer science sub-areas, and help them understand the correlation and interplay between cybersecurity and other sub-areas of computer science. Our experience in six class sessions of five non-security courses is very encouraging: the majority of students found the discussed cybersecurity topics interesting, useful, and relevant; they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future; they improved their understanding of the discussed content. We hope our experience can be helpful for other educators to adopt and further explore the security integration approach in the future.

1. Introduction

The necessity and importance of cybersecurity research and education have been widely recognized by the National Science and Technology Council, NSF, NSA, DHS, NIST, many other organizations, and the whole society. However, large-scale and pervasive online malicious or even criminal activities will only increase in numbers and cause more severe damage if we do not build an efficient cybersecurity education system and produce more high-quality cybersecurity professionals.

“Where a threat intersects with a vulnerability, risk is present [1].” Threat sources are persistent because attackers are always there, driven by either economic or political incentives. Therefore, fundamentally, widespread security vulnerabilities in the server-side and client-side software are the root causes of the pervasive security risks and rampant security attacks, and those vulnerabilities can be further attributed to the lack of sufficient security knowledge and skills in many software engineers who graduated mainly from the computer science degree programs.

Despite the remarkable cybersecurity education efforts from the traditional approaches such as offering dedicated courses and even degree programs or tracks, we strongly believe that the computer science curricula of many institutions still severely fall short in promoting cybersecurity education per our following observations:

• Cybersecurity courses are still not core courses in the computer science curricula of the majority of institutions (e.g., none of the top 50 CS programs in the U.S. includes cybersecurity in the core per our survey in June 2016); many institutions do not even offer any cybersecurity elective course. One reason is that Information Assurance and Security was only officially added as a knowledge area in computing curricula by ACM and IEEE Computer Society in 2013 [2].

• Many computer science courses such as programming and software engineering traditionally do not include cybersecurity topics. However, cybersecurity is closely related to almost all the other sub-areas of computer science. For example, engineers can easily create many security vulnerabilities in the design, implementation, and deployment of their software if they do not have secure programming practices, do not follow secure software development and deployment processes, or do not properly include security components into the software.

• Even if cybersecurity courses are offered as electives in some institutions and are taken by some students, we missed the golden chances for helping students understand the correlation and interplay between cybersecurity and other sub-areas of computer science. The consequence is that cybersecurity is too often an irrelevance or at most an afterthought for students – not an indispensable ingredient that should be integrated into the basis of their computer science knowledge and skills.

We advocate further exploring the security integration approach to complement those traditional approaches and better promote cybersecurity education. This approach is not new, and indeed the necessity and importance of integrating cybersecurity concepts into existing computer courses have been emphasized for over a decade, for example, as highlighted in a SIGCSE 2002 panel [3]. Unfortunately, this approach
has received insufficient attention, and it still severely lags behind in adoption (Section 2).

We contribute to this approach by concretely exploring a viable implementation solution and evaluating its effectiveness. Specifically, our cybersecurity researchers consulted with the instructors of five upper and graduate level non-security courses (Computer Communication, Software Testing, Software Engineering, Operating Systems, and Computer Networks), identified the relevant cybersecurity topics, and discussed the corresponding cybersecurity topics in six class sessions (Section 3). Students’ responses to our anonymous questionnaires are very encouraging (Section 4): the majority of students found the discussed cybersecurity topics interesting, useful, and relevant; they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future; they improved their understanding of the discussed content. We hope our experience can be helpful for other educators to adopt and further explore the security integration approach in the future (Section 5).

2. Related Work

We focus on reviewing the security integration approach in this section. The idea of this approach dates back to the late 1990s and early 2000s [4, 5, 6], while the 2002 SIGCSE panel on integrating security concepts into existing computer courses [3] is especially notable. The panelists emphasized the necessity and importance of integrating cybersecurity concepts into existing computer courses, and provided many detailed suggestions. For example, they suggested that using this approach, “even if no security-based courses are added, major and non-major courses in computer science, CIS, etc., can do a better job of raising awareness of threats, vulnerabilities, and risks”; they suggested that “security issues should be discussed throughout the undergraduate computer science curriculum”; they suggested that “the most effective way to incorporate security-oriented issues into the curriculum is to include them as natural aspects of normal course topics.”

Some educators have further analyzed this security integration approach. Null proposed specific activities that provide the students with the proper motivation and the basic principles of computer security, but do not require instructors to be security professionals [7]. Perrone et al. termed the security integration approach the “thread approach”; in their analysis, the single-course approach is of limited effectiveness, the track approach demands extensive resources, while the thread approach can effectively meet the cybersecurity educational needs using a minimum of resources [8]. Howles et al. outlined efforts to embed cybersecurity modules throughout the undergraduate years to ensure a greater understanding of security issues among diverse computing majors [9].

Some educators have also experimented with the implementation of this security integration approach. Taylor and Azadegan piloted security integration across sections of CS0 and CS1 using security laboratory modules [10]; their results show an increased security knowledge in students. Markham introduced information security in teaching CS1 with Python [11]. Kaza et al. experimented with disseminating the security integration approach at low level courses across five institutions, and they obtained promising results [12]. Siraj et al. focused on training non-security faculty members to integrate cybersecurity topics into their courses [13]; they found that students gained knowledge and awareness, but did not increase interest in computer security. Whitney et al. integrated secure coding education into an advanced Web programming course [14]; their results show an increased awareness and secure programming knowledge in students.

Unfortunately, the overall attention to this security integration approach is still insufficient and its adoption is still very limited. Our effort differs from and complements those existing efforts by providing a new viable implementation solution that leverages the expertise of cybersecurity researchers and focuses more on the (limited existing) integration in upper and graduate level non-security courses, as will be further justified in the next section.

3. Our Implementation Solution

The basic idea of our security integration implementation solution is very simple: leveraging the expertise of cybersecurity researchers to incorporate relevant security topics into upper and graduate level non-security courses. More specifically, cybersecurity researchers consult with the instructors of non-security courses, identify the relevant cybersecurity topics, and discuss the corresponding topics in the classes. Our implementation solution is viable from two perspectives.

On the one hand, asking cybersecurity researchers to conduct the integration can ensure a high quality of the integration and meanwhile avoid the overhead of training non-security faculty members [13]. The cybersecurity researchers can be faculty and students in universities, and can be experts in industry or government. They are ready and often willing to talk about cybersecurity research topics to a broader audience, for example, in the form of invited talks as we have practiced and observed.

Table 1. Class Session Information

| Session Symbol | Course Title | Integrated Content | Course Level | Institution/Semester | Class Size |
|---|---|---|---|---|---|
| CC | Computer Communication | SSL, TLS, HTTPS, DTLS (Datagram TLS), TLS Heartbeat Extension, OpenSSL Heartbleed Vulnerability/Impact/Security Patch, Security Recommendations | Grad. | I / I | 11 |
| ST | Software Testing | Commonly Used Crypto Primitives, Common Crypto Rules, Program Slicing, CryptoLint Static Analysis Tool and its Design/Implementation/Evaluation/Discussion | Grad. | I / I | 5 |
| SE | Software Engineering | Problems of Text-based Passwords, Popular Solutions, Password Creation, Password Management, Single Sign-On (SSO) Systems Security, Web SSO Phishing | Undergrad. | I / I | 24 |
| OS1 | Operating Systems | Virtualization, VM, VMM, Virtualization and Security, IDS, Virtual Machine Introspection (VMI) and its Useful Applications in Security, Weak and Strong Semantic Gaps in VMI, Future VMI Research Directions | Grad. and Undergrad. | I / I | 27 |
| OS2 | Operating Systems | Virtualization, VM, VMM, Virtualization and Security, IDS, Virtual Machine Introspection (VMI) and its Useful Applications in Security, Weak and Strong Semantic Gaps in VMI, Future VMI Research Directions | Grad. and Undergrad. | I / II | 23 |
| CN | Computer Networks | Symantec Internet Security Threat Report, Vulnerability Analysis of Password Managers, Information Leakage Vulnerabilities in Browser Extensions, Phishing Attacks | Undergrad. | II / II | 17 |

On the other hand, focusing on upper and graduate level non-security courses can help address one major concern that integrating cybersecurity topics “means something else will have to be sacrificed” [3] in those non-security courses. We observed that instructors of upper and graduate level courses often travel to conferences and meetings during the semesters, and sometimes are not able to make up all the missed class sessions. Such missed class sessions are excellent opportunities for cybersecurity researchers to integrate or inject relevant topics into non-security courses.

In our implementation, we talked with five instructors of upper or graduate level non-security courses at two institutions, and easily obtained such opportunities to discuss relevant cybersecurity topics in six 75-minute class sessions in two semesters as shown in Table 1. Note that session symbol is used for ease of presenting results in the next section, and class size is the number of students who attended the corresponding class session; OS1 and OS2 are the same course offered in two consecutive semesters, and we presented the same cybersecurity topic in the two sessions. The five integration opportunities obtained from Institution I were all due to the travels of the corresponding instructors. The integration opportunity obtained from Institution II was due to an invited talk, and the activity can be considered as a trial adoption of our implementation solution in an institution where no faculty member is actively doing cybersecurity research.

The cybersecurity topics are identified based on our discussions with the instructors. All the topics are very relevant to the corresponding non-security courses, and they meet the needs of those courses from different perspectives.

The OpenSSL Heartbleed vulnerability was publicly disclosed in April 2014; right after the instructor of the Computer Communication course introduced the TCP/IP protocols in the class, we used one class session to present the technical details, the impact, and the security patch of the Heartbleed vulnerability as well as the follow-up suggestions and recommendations from the cybersecurity research community. Students in the Software Engineering course had a strong demand for learning the knowledge and skills for building user authentication components in software; we used one class session to introduce the challenging problems, different solutions, and best practices in building password-based user authentication systems. Students in the Operating Systems course wanted to learn more about the security of the Virtual Machines (VMs) and Virtual Machine Monitors (VMMs); we used one class session to introduce the useful Virtual Machine Introspection (VMI) mechanisms and discuss the related research topics on bridging the semantic gaps in VMI. The instructor of the Software Testing course hoped to help students learn something about the security of mobile apps and about using software engineering techniques such as program slicing in security; we used one class session to illustrate the common cryptographic misuses in Android apps and explain the secure coding practices to the students. The instructor of the Computer Networks course at Institution II hoped to introduce some of the latest cybersecurity-related topics to students for their potential undergraduate honors projects; we used one class session to discuss the basic concepts and
problems as well as interesting research topics in Web security and privacy.

The instructors of those five non-security courses and many students informally praised our effort afterwards. In the next section, we present and analyze students’ responses to our formal questionnaires.

4. Results

We designed five anonymous questionnaires and collected the data at the end of each class session from all the participating students. Basically, fourteen questions are common in those five questionnaires, and they include three general questions, ten questions based on students’ overall perception of the cybersecurity topic discussed in the class session, and one open comments question. Meanwhile, in each questionnaire, there are eight to twelve questions specific to the cybersecurity content discussed in the class session for evaluating the corresponding learning effectiveness.

4.1. Common Questions and Results

The fourteen common questions are listed in Table 2, and we use S1~S14 to label them because most of them (except for S3 and S14) are designed as five-point Likert-scale statements. We converted the five answer options for Likert-scale statements to numeric values where value 1 stands for “Strongly Disagree”, value 2 stands for “Disagree”, value 3 stands for “Neither Agree Nor Disagree”, value 4 stands for “Agree”, and value 5 stands for “Strongly Agree”. Similarly, we converted the knowledge and skills rating for S3 to numeric values from 1 to 5 corresponding to the five answer options from “clueless” to “total guru”. Strictly speaking, since the responses are ordinal data, they do not necessarily have interval scales. We performed such conversions simply to ease the comparison of the responses from a relative perspective.

Figure 1 is the box (and whisker) plot of the mean ratings to S1~S13 from the six class sessions. In other words, to focus on the comparison of different class sessions and to save space, we calculated the mean ratings to S1~S13 for each class session, and then drew the box plot of the six mean values (of the six class sessions) for each question; we further verified the rating distribution of each question for each individual course to make sure the wording in the following result presentation is accurate. In addition to representing the standard statistics such as quartiles, median, whiskers, and outliers, each box plot in this paper also depicts the mean value using a small solid square (▪) for us to more comprehensively capture the central tendency of the distribution. Overall, all thirteen box plots have small spread (the interquartile range) values, indicating the consistency of the mean ratings among the six class sessions for all thirteen questions.

Table 2. Fourteen Common Questions

General questions:
S1: Learning cybersecurity knowledge and skills is important for computer science students.
S2: I am interested in learning cybersecurity knowledge and skills.
S3: Please rate your current cybersecurity knowledge and skills: (clueless, beginner, intermediate, advanced, total guru)
Questions based on your overall perception of the cybersecurity topic discussed in today’s class:
S4: The cybersecurity topic discussed in today’s class is interesting.
S5: The cybersecurity topic discussed in today’s class is difficult.
S6: The cybersecurity topic discussed in today’s class is useful.
S7: The cybersecurity topic discussed in today’s class is relevant to this course.
S8: The cybersecurity topic discussed in today’s class improved my cybersecurity knowledge and skills.
S9: The cybersecurity topic discussed in today’s class is helpful for me to prepare for my career.
S10: The instructor(s) effectively discussed the cybersecurity topic in today’s class.
S11: I effectively learned the cybersecurity topic discussed in today’s class.
S12: I would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future.
S13: Today’s class motivates me to systematically learn cybersecurity knowledge and skills in the future.
Open comments question:
S14: Please write down comments and suggestions about today’s class and learning cybersecurity knowledge and skills in general.

Fig 1. Mean Ratings of Six Class Sessions to S1~S13

For the three general questions S1~S3, their box plots show most students in all the six class sessions agreed or strongly agreed that learning cybersecurity knowledge and skills is important for computer science students (S1), and they are interested in learning cybersecurity knowledge and skills (S2); however, they also acknowledged that their current cybersecurity knowledge and skills are still limited to the “beginner” and “intermediate” levels (S3). The lower outlier for S1 is the Software Testing class session, and its low mean rating value is attributed to one student who disagreed with that statement and is also related to the small size of the class; the upper whisker for S1 is the Software Engineering class session, indicating that its students are well aware of the importance of cybersecurity. The upper outlier for S3 is the Computer Communication class session that has about half master’s students and half PhD students, while the lower whisker for S3 is the Software Testing class session.

The box plots for the questions S4, S6, and S7 clearly show most students in all the six class sessions agreed or strongly agreed that the discussed cybersecurity topics are interesting (S4), useful (S6), and relevant to the corresponding courses (S7). The mean ratings to these three questions are highly consistent among the six class sessions; meanwhile, all three box plots exhibit symmetry (less skewness because the median is almost in the center of the box) of the distribution while none of them contains any outlier. The box plot for question S5 shows that overall, the difficulty levels of those cybersecurity topics are neither too difficult nor too easy just as intended, with the first OS class session as the upper whisker and the Computer Communication class session as the lower whisker. The results of these four questions demonstrate that our efforts in discussing with the instructors and in selecting and preparing for the topics are worthwhile.

For the question S8, the mean ratings from four class sessions are centered on agreeing that “the cybersecurity topic discussed in today’s class improved my cybersecurity knowledge and skills”. The upper outlier for S8 is the Software Testing class session probably due to the limited prior cybersecurity knowledge and skills in its students (the lower whisker for S3), while the lower outlier for S8 is the first OS class session, probably due to the high difficulty level perceived by its students (the upper whisker for S5). For the question S9, the overall agreement level is still positive, but it is not as high as those for most other questions probably because it takes time to predict if what students learned in the class will be helpful for them to prepare for their career.

The questions S10 and S11 are more related to the teaching and learning effectiveness. Overall, most students agreed that the instructor(s) effectively discussed the corresponding cybersecurity topic in the class (S10), with the Computer Communication class session as the upper whisker and the first OS class session as the lower whisker. Most students also agreed that they effectively learned the corresponding cybersecurity topics discussed in the class (S11), with the Computer Communication class session as the upper whisker and the first OS class session as the lower outlier. Correlating these results to that for the question S5, while we cannot draw definitive conclusions as these results are only correlations, it is possible that more difficult topics will result in lower teaching and learning effectiveness ratings.

The mean rating distribution for the question S12 is a very positive sign showing that most students in all the six class sessions enjoyed our activities and they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future. The upper outlier for S12 is the Computer Communication class session, while the lower whisker for S12 is the first OS session. The mean rating distribution for the question S13 is also positive, indicating that our activities can to a certain extent motivate students to learn cybersecurity knowledge and skills in the future. The upper whisker for S13 is the Computer Communication class session.

Some students also answered the open comments question S14. In most cases, students appreciated our effort and further agreed to add more security content into non-cybersecurity courses. Some students expressed that they need to study more cybersecurity knowledge and skills. Some other students commented about the technical details of the cybersecurity topics.

4.2. Specific Questions and Results

Each questionnaire also contains some questions specific to the cybersecurity content discussed in the class session. The questions are designed in pairs for us to evaluate the learning effectiveness in terms of the students’ understanding of certain details of the discussed content (B)efore the class session and (C)urrently. All these questions are five-point Likert-scale statements (labeled as Special Statements SS#B and SS#C for “before” and “currently”, respectively), and their answer options are converted to numeric values in the same way as described in Section 4.1. Due to space limitations, we only list the specific questions for two courses, Software Engineering and Operating Systems, in Tables 3 and 4, respectively; these two courses account for the three largest class sessions (SE, OS1, OS2) as shown in Table 1. We present the details of these three class sessions and only briefly summarize the results of the other three class sessions (CC, ST, CN).

Table 3. Specific Questions for Software Engineering

SS1B: I clearly understood that weak password, password reuse, and phishing are the essential problems of password security before today’s class.
SS1C: Currently, I clearly understand that weak password, password reuse, and phishing are the essential problems of password security.
SS2B: I clearly understood that servers should use password checking techniques to help users avoid weak passwords before today’s class.
SS2C: Currently, I clearly understand that servers should use password checking techniques to help users avoid weak passwords.
SS3B: I clearly understood that servers should only save salted and hashed passwords before today’s class.
SS3C: Currently, I clearly understand that servers should only save salted and hashed passwords.
SS4B: I clearly understood the basic idea of Web Single Sign-On (SSO) user authentication systems before today’s class.
SS4C: Currently, I clearly understand the basic idea of Web SSO user authentication systems.
SS5B: I clearly understood that HTTPS should be used by the Web SSO relying parties before today’s class.
SS5C: Currently, I clearly understand that HTTPS should be used by the Web SSO relying parties.
SS6B: I clearly understood that Web SSO phishing attacks can be very profitable, insidious, and hard to detect before today’s class.
SS6C: Currently, I clearly understand that Web SSO phishing attacks can be very profitable, insidious, and hard to detect.

Figure 2 illustrates the box plots of the ratings to the 12 (or six paired) specific software engineering questions listed in Table 3. Comparing the paired distributions of the ratings, we can clearly see that students improved their understanding of the password security and password-based user authentication systems by attending our cybersecurity session. Median and mean ratings for all the six paired questions are improved (“currently” vs. “before”), and the spread for all the ratings to the current understanding is relatively small. Except for two lower outliers (for SS4C and SS5C) and two lower whiskers (for SS3C and SS4C), all other ratings are very positive. Using the paired t-test to compare the mean ratings (solid squares ▪) for each pair of the questions, we found that the mean rating improvements are statistically significant (at the 0.05 significance level) for all the six pairs, with p-values: p = 0.032, p = 0.002, p < 0.001, p < 0.001, p < 0.001, and p < 0.001 for the six tests, respectively.

Fig 2. Ratings to Specific Software Engineering Questions

Figures 3 and 4 illustrate the box plots of the ratings to the 10 (or five paired) specific operating systems questions listed in Table 4 for class sessions OS1 and OS2, respectively. Note that although we have the words “before reading the paper …” in those SS#B statements, the link to the paper was not available to students in advance due to technical issues. Comparing the paired distributions of the ratings in each individual figure, we can clearly see that students improved their understanding of the IDS and VMI related concepts by attending our cybersecurity session. Median ratings are improved for three paired questions in Figure 3, and for all the five paired questions in Figure 4. Mean ratings for all the five paired questions are improved in both class sessions, and the spread for all the ratings to the current understanding is also relatively small in both figures. Using the paired t-test to compare the mean ratings for each pair of the questions in both sessions, we found that the mean rating improvements are statistically significant (at the 0.05 significance level) for all the five pairs in both sessions: in the OS1 session, the p-values are: p = 0.011, p < 0.001, p < 0.001, p < 0.001, and p = 0.003 for the five tests, respectively; in the OS2 session, the p-values are: p = 0.005, p < 0.001, p = 0.009, p < 0.001, and p < 0.001 for the five tests, respectively.

Further using the unpaired t-test, we compared the ratings to the 10 questions between the two OS sessions, i.e., between SS1B in OS1 and SS1B in OS2, between SS1C in OS1 and SS1C in OS2, and so on. For all the 10 tests, the mean rating differences are not statistically significant (at the 0.05 significance level) with all the 10 p-values greater than 0.05.

We also analyzed the ratings to the specific questions for the other three class sessions (CC, ST, CN). We have 8 (or four paired) specific questions for each of those three class sessions. While the rating distributions are improved for all the questions in the three class sessions, the mean rating improvements are statistically significant (based on the paired t-test at the 0.05
significance level) only for some of those questions cussed topics are statistically significant at least in the
partially due to the small sample sizes in those three three sessions with the largest sample sizes.
class sessions.
Table 4. Specific Questions for Operating Systems
SS1B: I understood the basic idea of the Intrusion De-
tection System (IDS) before reading the paper recom-
mended by the instructor(s) and before today’s class.
SS1C: Currently, I clearly understand the basic idea of
IDS.
SS2B: I understood that VMI can be useful in security systems such as IDS before reading the paper recommended by the instructor(s) and before today’s class.
SS2C: Currently, I clearly understand that VMI can be useful in security systems, especially IDS.
SS3B: I understood the technical details about using VMI in security systems, especially IDS, before reading the paper recommended by the instructor(s) and before today’s class.
SS3C: Currently, I clearly understand the technical details about using VMI in security systems, especially IDS.
SS4B: I understood the meaning of the semantic gap in VMI before reading the paper recommended by the instructor(s) and before today’s class.
SS4C: Currently, I clearly understand the meaning of the semantic gap in VMI.
SS5B: I understood the difference between the weak semantic gap and the strong semantic gap in VMI-based security systems, especially IDS, before reading the paper recommended by the instructor(s) and before today’s class.
SS5C: Currently, I clearly understand the difference between the weak semantic gap and the strong semantic gap in VMI-based security systems, especially IDS.

Fig 3. Ratings to Specific OS Questions for Session OS1

Fig 4. Ratings to Specific OS Questions for Session OS2

4.3. Summary of Results and Discussion

Overall, from the results for the common questions presented in Section 4.1, we can clearly see that most students agree with the importance of learning cybersecurity knowledge and skills (S1), they consider their cybersecurity knowledge and skills as limited (S3), and they are interested in learning more about cybersecurity (S2); most students agree that our discussed cybersecurity topics are interesting (S4), useful (S6), and relevant to the corresponding courses (S7); most students agree that the discussed topics are neither too difficult nor too easy (S5), and our activities improved their cybersecurity knowledge and skills (S8); most students agree that instructor(s) effectively discussed the corresponding cybersecurity topics in the class (S10), they effectively learned the corresponding topics (S11), and they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future (S12). Our activities also, to a certain extent, help students prepare for their career (S9) and motivate them to learn cybersecurity knowledge and skills in the future (S13). From the results for the specific questions presented in Section 4.2, we can clearly see that students effectively learned the corresponding cybersecurity topics discussed in the class sessions; the paired t-test results indicate that the improvements of students’ understanding on the dis-

While we justified in Section 3 that our implementation solution to the security integration approach is viable, we acknowledge that some limitations exist in our solution and in its effectiveness evaluation. For example, in terms of the implementation solution itself, the identified cybersecurity topics are discussed only through presentations and Q&A in one class session, while other methods such as laboratory exercises [15, 16] and capstone projects are not explored in our study; in terms of the effectiveness evaluation, we only used questionnaires and did not try other techniques such as quizzes and formal knowledge and skill assessments yet. Although these limitations can be largely attributed to the limited amount of time available for us to inject the cybersecurity topics into the non-security courses, we are still very grateful to those instructors who enabled us to make our existing solution viable. In the future, it is possible for us to further address some of those limitations by having discussions with more educators and
incorporating some other appropriate methods and techniques into our implementation and evaluation.

5. Conclusion

We advocated further exploring the security integration approach to complement other approaches and better promote cybersecurity education. We contributed to this approach by concretely exploring a viable implementation solution and evaluating its effectiveness. Specifically, we explored discussing relevant cybersecurity topics in upper and graduate level non-security courses to engage students in learning cybersecurity knowledge and skills from the perspectives of different computer science sub-areas, and help them understand the correlation and interplay between cybersecurity and other sub-areas of computer science. Our experience in six class sessions of five non-security courses is very encouraging: the majority of students found the discussed cybersecurity topics interesting, useful, and relevant; they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future; they improved their understanding of the discussed content. We will continue discussions with instructors and obtain opportunities to integrate relevant cybersecurity topics into other non-security courses. We share our developed materials including questionnaires with other educators to make our effort more duplicable. We hope our experience can be helpful for other educators to adopt and further explore the security integration approach in the future.

Acknowledgments: We sincerely thank anonymous reviewers for their valuable comments and suggestions. We also sincerely thank all the instructors and students who have participated in our security integration activities. This research was supported in part by the NSF grant DGE-1619841.

References
[1] P. Bowen, J. Hash, and M. Wilson, “Information Security Handbook: A Guide for Managers”, in NIST Special Publication 800-100, 2007.
[2] “Curriculum Guidelines for Undergraduate Degree Programs in Computer Science”, The Joint Task Force on Computing Curricula, ACM and IEEE Computer Society, 2013.
[3] P. Mullins, J. Wolfe, M. Fry, E. Wynters, W. Calhoun, R. Montante, and W. Oblitey, “Panel on integrating security concepts into existing computer courses”, In Proc. of the ACM Technical Symposium on Computer Science Education (SIGCSE), 2002.
[4] G. White and G. Nordstrom, “Security Across the Curriculum: Using Computer Security to Teach Computer Science Principles”, In Proc. of the National Information Systems Security Conference, 1996.
[5] C. E. Irvine, S. K. Chin, and D. Frincke, “Integrating Security into the Curriculum”, Electrical Engineering and Computer Science, 1998.
[6] R. Vaughn, “Application of Security to the Computing Science Classroom”, In Proc. of the ACM Technical Symposium on Computer Science Education (SIGCSE), 2000.
[7] L. Null, “Integrating security across the computer science curriculum”, J. Comput. Sci. Coll. 19, 5, 2004.
[8] L. F. Perrone, M. Aburdene, and X. Meng, “Approaches to Undergraduate Instruction in Computer Security”, In Proc. of the American Society for Engineering Education Annual Conference & Exposition (ASEE), 2005.
[9] T. Howles, C. Romanowski, S. Mishra, and R. K. Raj, “A Holistic, Modular Approach to Infuse CyberSecurity into Undergraduate Computing Degree Programs”, In Proc. of the Annual Symposium on Information Assurance (ASIA), 2011.
[10] B. Taylor and S. Azadegan, “Moving beyond security tracks: integrating security in CS0 and CS1”, In Proc. of the ACM Technical Symposium on Computer Science Education (SIGCSE), 2008.
[11] S. A. Markham, “Expanding security awareness in introductory computer science courses”, In Proc. of the Information Security Curriculum Development Conference (InfoSecCD), 2009.
[12] S. Kaza, B. Taylor, H. Hochheiser, S. Azadegan, M. O’Leary, and C. F. Turner, “Injecting Security in the Curriculum – Experiences in Effective Dissemination and Assessment Design”, In Proc. of the Colloquium for Information Systems Security Education, 2010.
[13] Siraj, S. Ghafoor, J. Tower, and A. Haynes, “Empowering faculty to embed security topics into computer science courses”, In Proc. of the Conference on Innovation & technology in computer science education (ITiCSE), 2014.
[14] M. Whitney, H. L-R, B. Chu, and J. Zhu, “Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course”, In Proc. of the ACM Technical Symposium on Computer Science Education (SIGCSE), 2015.
[15] W. Du and R. Wang, “SEED: A Suite of Instructional Laboratories for Computer Security Education”, Journal on Educational Resources in Computing, 8, 1, 2008.
[16] C. Yue, W. Zhu, G. Williams, and E. Chow, “Using Amazon EC2 in Computer and Network Security Lab Exercises: Design, Results, and Analysis”, In Proc. of the American Society for Engineering Education Annual Conference & Exposition (ASEE), 2012.