Abstract
Cybersecurity is a multidisciplinary field that requires understanding of human behavior. To reinforce this idea and encourage non-technical students to participate in cybersecurity, an experiential learning project was implemented in an upper-level undergraduate criminal justice class. This paper is focused on that proof-of-concept class project in which groups of students mapped a social engineering case study onto the MITRE ATT&CK framework to understand the adversarial mindset. The paper provides background information on the ATT&CK framework, compares groups’ mappings to others within the class as well as against a mapping done by an ATT&CK representative, and it offers a discussion on the lessons learned and opportunities to expand our application and understanding of educational cybersecurity principles. This paper emphasizes that while someone with more knowledge and experience using a framework that focuses on the technical aspects of cybersecurity may map a SE case study differently than multidisciplinary students who are experiencing it for the first time, there is not a single correct way to interpret and correspondingly defend adversary behaviors. Having students experience this mapping project allows them to understand the breakdown of an adversary’s behavior and contextualize key tactics and techniques in a way that fits their perspective and skillset. This paper also demonstrates how a SE case study can be mapped onto the ATT&CK framework despite SE not being the focus of the framework, and that SE uses tactics and techniques that are also prevalent within more technical cyber campaigns. The authors hope to encourage more interdisciplinary cybersecurity education by sharing this experiential learning course project.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.