Analysis and Evaluation of Capture the Flag Challenges in Secure Mobile Application Development

Abstract

Capture the Flag (CTF) challenges are frequently used as cybersecurity learning environments to engage students in cybersecurity education activities and learning, focusing on technical concepts. CTF challenges cover various learning topics. However, they do not always maintain a clear learning outcome. In this paper, we present a systematic approach to study and evaluate CTF challenges, then apply the evaluation methodology in two CTF challenges that relate to the development of secure mobile applications. For this proof of concept, we used the National Initiative for Cybersecurity Education (NICE) which is a cybersecurity educational framework published by the National Institute of Standards and Technology (NIST). Additional information was used for the evaluation process which included threat, vulnerability, and weakness taxonomies proposed by Open Web Application Security Project® (OWASP) and Mitre Corporation (MITRE). The evaluation methodology could be used to assess and determine the learning outcomes of other existing or upcoming CTF challenges, including though not limited to secure mobile application development.