Exploring Cyber Ranges in Cybersecurity Education

According to a report from McAfee, the global cost of cybercrime for 2020 was over one trillion dollars (Smith, Z. et al., 2020). Cybersecurity breaches and attacks have not only cost businesses and organizations millions of dollars but have also threatened national security and critical infrastructure. Examples include the Ransomware attack in May of 2021 on the largest fuel pipeline in the United States and the February 2021 remote access system breach of a Florida water treatment facility which raised sodium hydroxide to a lethal level. Improving cybersecurity requires a skilled workforce with relevant knowledge and skills. Academic degree programs, boot camps, and various certification programs provide education and training to assist this need. Cyber ranges are a more recent development to provide hands-on skill training. These ranges, often virtual, provide a safe and accessible environment to improve practical skills and experience through hands-on application. They provide a training environment to identify threats, apply countermeasures, and secure data from risks separately from the organization's actual network. More and more academic programs utilize cyber ranges due to the perceived benefit of integrating them into their cybersecurity-related programs. Academic cyber ranges offer virtualized environments that support cybersecurity educators' needs to provide students with a safe, separated, and engaging environment. The purpose of my research has two components: 1) to understand who the educators are using academic-facing cyber ranges and how they are using them to support their cybersecurity education efforts, and 2) to understand how cybersecurity educators and students are motivated by using them. Specifically, my research is comprised of three manuscripts: (1) a mixed-method exploratory study of who are the educators using cyber ranges for cybersecurity education and how they are using them to create significant cybersecurity learning experiences, (2) a mixed-method study exploring the motivation of educators using a cyber range for cybersecurity education, and (3) a mixed-method study exploring student motivation participating in cybersecurity CTF competitions. The three manuscripts contribute to understanding cyber ranges in cybersecurity education. The results from my research provided insight from the users of these cyber ranges, cybersecurity educators and students. Results from my first manuscript suggested that high school cybersecurity educators are the primary users. These educators have less formal cybersecurity education and experience compared to cybersecurity educators in higher education. The data also showed that cybersecurity educators primarily used cyber ranges for teaching and learning to meet learning goals and objectives. Results from my second manuscript suggested that educators were motivated mainly by the importance of using a cyber range for cybersecurity education and for the interest-enjoyment their students experience from cyber range usage. Educators found using the cyber range made their class more engaging and relevant to their students.These educators were also confident they could use a cyber range and learn how to use it. However, those without prior experience in cybersecurity or previous experience using a cyber range shared they needed instructor-facing resources, professional development opportunities, and time to learn. Results from my third manuscript suggested that students were motivated by the importance of participating in a cybersecurity CTF competition. Many reported that participating was useful for developing professional skills and readiness. Although CTF competitions were considered difficult and stressful, students did not consider the difficulty pejorative. Many shared that challenging CTFs contributed towards the enjoyment of participating, making them a rewarding and worthwhile experience. However, students also shared that academic and team support contributed towards their confidence in competing. In contrast, those who did not report confidence, stated they lacked a team strategy or support from their academic institution. Additionally, they did not know what to expect to prepare before the competition event. Overall, the results of this dissertation highlight the importance of prior preparation for educators and student CTF participants. For educators, this prior preparation includes curriculum supporting resources such as content mapping to learning objectives and professional development opportunities that do not assume any prior knowledge or experience. For students, prior preparation includes understanding what to expect and recommendations for academic and team support.