Evaluating Cybersecurity Class Activities Based on the Cognitive Continuum Theory: An Exploratory Case Study

Abstract

With the cybersecurity workforce estimated to have grown to 5.5 million in 2023 but still facing a significant shortage, there is an urgent need for educational strategies that can effectively enhance decision-making skills in this domain. This paper explores the application of Hammond's Cognitive Continuum Theory (CCT) in the context of K-12 cybersecurity education, aiming to address the global cybersecurity workforce shortage and skills gap by preparing the next generation of cybersecurity professionals. This study adopts a case-study methodology to investigate the use of CCT in a high school "Cybersecurity and Ethical Hacking" class, analysing 104 tasks across six class activities to determine how different cognitive modes (Analytical Cognition, Quasi-Rational Cognition, and Intuitive Cognition) are induced by various task characteristics from CCT’s Task Continuum Index (TCI). Analytical cognition consists of rational decision making while Intuitive Cognition represents intuitive decision making. Quasi-Rational Cognition represents a blend of these two decision making styles. Directed content analysis and thematic analysis reveal that most tasks in the case promoted Analytical Cognition, with a significant presence of tasks inducing Quasi-Rational Cognition and fewer tasks facilitating Intuitive Cognition. The findings also highlight the dominance of information retrieval and analysis, methodical approaches in information seeking, and synthesis and decision-making across the cognitive modes, pointing towards the critical role of information behaviour in cybersecurity tasks. This research provides insights into how CCT can potentially inform the design of educational activities in cybersecurity, suggesting that a balanced inclusion of tasks across the cognitive spectrum can better prepare students for the complexities of the cybersecurity field. The paper discusses the implications for cybersecurity education, emphasising the need for instructional strategies that encompass a range of cognitive modes to reflect real-world challenges and enhance decision-making capabilities in future professionals. Additionally, the findings make a connection between cybersecurity tasks and school library instruction which focuses heavily on information behaviours. Limitations and directions for future research, including expanding data collection and connecting CCT to other theoretical frameworks, are also discussed.