Usability

Software development is a complex and manual process, in part because typical software programs contain more than hundreds of thousands lines of computer code. If software programmers fail to perform critical checks in that code, such as making sure a user is authorized to update an account, serious security compromises ensue. Indeed, vulnerable software is one of the leading causes of cyber security problems. Checking for security problems is very expensive because it requires examining computer code for security mistakes, and such a process requires significant manual effort.

Usability is widely recognized as important to the design of security and privacy systems. Despite this, very few of the lessons learned through usable security and privacy research are taught to students as part of a security or computing curriculum. There are few educational materials, no consensus as to the knowledge units and learning objectives, and little research on how to best integrate usable security concepts into security curricula.

Online social engineering attacks have been often used for cybercrime activities. These attacks are low cost and complicate attack attribution. Pure technical defense solutions cannot counter them, which rely on human gullibility. Humans often engage in short-cut decision-making, which can lead to errors. Another expectation is that users should be able to understand complex security tips, which do not consider user demographics. User age has been overlooked in understanding these attacks and user behavior related to them.

The explosion in data gathering has greatly exacerbated existing privacy issues in computing systems and created new ones due to the increase in the scale and the scope of available data as well as the advances in the capabilities of computational data analysis. Software professionals typically have no formal training or education on sociotechnical aspects of privacy. As a result, addressing privacy issues raised by a system is frequently an afterthought and/or a matter of compliance-check during the late phases of the system development lifecycle.

The goal of this project is to develop a lightweight infrastructure for supporting hands-on network security education (NSE) and a compelling set of exercises that rely on the infrastructure, covering the three basic aspects of the security: attack, analysis, and defense. Historically, building realistic Cybersecurity exercises has been both a laborious and resource-intensive task.