Mapping the Landscape of Cybersecurity Education

How Is Cybersecurity Taught and How Is It Backed by Research?

29 May 2020 Valdemar Švábenský

More than 17,300 new security vulnerabilities were discovered in 2019. What is more, by 2021, the annual damages from cybercrime will cost the world a staggering $6 trillion.

With the globally rising importance of combating cyber threats, the cybersecurity workforce shortage is growing as well. In 2019, 4 million jobs that required cybersecurity expertise were unfilled.

Unfilled cybersecurity job positions globally.
Source: https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study

In this situation, training more cybersecurity professionals is crucial. New curricula, courses, and training materials are created to fight the skill gap. However, cybersecurity includes many concepts, which can be taught in different ways and contexts. Therefore, we set on a journey to understand the current advances in cybersecurity education research and practice.

We examined 71 research papers published at two leading education conferences, ACM SIGCSE and ACM ITiCSE, from 2010 to 2019. The papers discuss cybersecurity courses, tools, exercises, and teaching approaches. For each paper, we mapped five aspects:

Covered topics. We discovered that the technical topic areas are evenly covered; the most prominent are secure programming, network security, and offensive security. Moreover, human aspects, such as privacy and social engineering, are present as well.
Teaching context. The focus is predominantly on university education. It is practical and includes hands-on training and labs.
Evaluation methods. To evaluate the effectiveness of cybersecurity education, the researchers administer student questionnaires and surveys, and also knowledge tests.
Research impact. A third of the papers provides additional materials. Other researchers can build upon them to deepen the results.
Community of authors. Most authors come from the North American universities and governmental institutions. Interestingly, the footprint of C4e researchers is also visible.

Our results provide orientation in the area, a synthesis of trends, and implications for further research. Therefore, they are relevant for instructors, researchers, and anyone new in the field of cybersecurity education.

In the C4e project, we are building upon these results to research more effective methods of cybersecurity training. If you are interested in cybersecurity, follow us on our website: https://c4e.cz/.

Valdemar Švábenský, Jan Vykopal, Pavel Čeleda, April 2020

For this publication, we received the 3rd best paper award at the ACM SIGCSE conference. This prestigious conference is the largest venue in the world that focuses on computing education research and practice. In 2019, it marked its 50th anniversary with almost 2000 attendees.

References and Where to Learn More

Full paper: https://is.muni.cz/publication/1567598/2020-SIGCSE-what-are-cybersecurity-education-papers-about-paper.pdf
Slides: https://is.muni.cz/publication/1567598/2020-SIGCSE-what-are-cybersecurity-education-papers-about-presentation.pdf
Video presentation: https://www.youtube.com/watch?v=tIpgOrcFvzI
The author’s Ph.D. thesis proposal: https://is.muni.cz/th/ckc8w/thesis-proposal-svabensky.pdf

How to Cite This Paper

Valdemar Švábenský, Jan Vykopal, and Pavel Čeleda. 2020. What Are Cybersecurity Education Papers About? A Systematic Literature Review of SIGCSE and ITiCSE Conferences. In Proceedings of the 51st ACM Technical Symposium on Computer Science Education (SIGCSE ’20). Association for Computing Machinery, New York, NY, USA, 2–8. DOI: https://doi.org/10.1145/3328778.3366816