Lessons Learnt Conducting Capture the Flag CyberSecurity Competition during COVID-19

Abstract

This innovative practice full paper describes our experiences conducting cybersecurity capture the flag (CTF) competition for cybersecurity enthusiast participants (inclusive of both tertiary students and working professionals) local and abroad during the COVID-19 pandemic. Learning and appreciation of cybersecurity concepts for our participants with little to no technical background can be challenging. Gamification methods such as capture the flag competition style is a popular form of cybersecurity education to help participants overcome this challenge and identify talents. Participants get to apply theoretical concepts in a controlled environment, solve hands-on tasks in an informal, game-like setting and gain hands-on active learning experience. CTF competitions can be held at physical locations or virtually. However, the COVID-19 pandemic catalyses all major events that are traditionally held physically to go virtual (likewise for physical CTF events). The pandemic limits our physical interactions, changes the dynamics of our engagements with the participants and how participants learn. We have to adapt our CTF competition design and conduct it in a virtual format during the COVID-19 pandemic that is compliant with local pandemic regulations as well. This paper describes these adaptations for a semi-international CTF competition conducted for our participants. We conduct the competition entirely virtual and adapt the cybersecurity exercises to be attempted without the participant's physical presence. While we devise ways to validate participants' involvement, it is still more challenging to limit cheating than in a physical environment. However, with appropriate mitigating controls in place (reducing risks to acceptable levels), we were able to achieve similar outcomes compared to a physical event despite the lack of physical interactions. Over 1400 participants registered for our competition, and with the help of over 40 staff, we successfully conducted this 48 hours virtual CTF competition. We further analyse the participants' online activity during the competition, their survey responses after the competition and derive our lessons learnt. We hope that these experiences, analysis and findings are useful for educators or organisers who wish to adopt online CTF to improve the learning outcomes of teaching cybersecurity education.