Educating the educators: How CyBOK’s adaptable approach is a winning formula for all stages of software engineering and cyber security

Published: 13 Jul 2023, 4:52 p.m.

As interest grows around software engineering and cyber security, programme designers, lecturers and professional bodies looking to expand the skills of their workforce have a greater need for robust and contemporaneous educational materials. Meeting that need in a way that gives educators the freedom and flexibility to tailor their approach to the needs of their learners is key – and something that two of CyBOK's esteemed experts have worked hard to deliver. As well as contributing to what they call the “sweet spot” between the increasingly overlapping fields, the collaboration between Bastian Tenbergen, Associate Professor for Software Engineering at the State University of New York at Oswego, and Nancy Mead, a fellow at the Software Engineering Institute and an adjunct professor of software engineering at Carnegie Mellon University, represents the continuation of a mentorship that began in 2016 and was reignited in 2020 during their first CyBOK project. The pair have since produced three reports collating and analysing CyBOK case studies for use in software engineering education.

When did your work and interests collide?

Bastian: It's a story of mentorship from my perspective. Nancy, being a very established and very successful scientist, is someone I have known about since my undergraduate degree. It wasn't until 2016 that I finally had the opportunity to meet her at a conference in Texas. As very likeminded people, and with Nancy being very supportive and collegial to a then-junior scientist such as myself, we connected again in 2019 at a conference in Hawaii and decided to work on a project on software engineering education with a focus on supply chain risk management. We've been working on a series of papers ever since.

Nancy: It's been a great collaboration. One of the things that I've found over time is that I don't really feel the need to collect more roles or titles – what I really enjoy is working with younger faculty and helping to provide opportunities for them.

How did your CyBOK collaboration transpire?

Nancy: When CyBOK was first developed I was asked to review the Secure Software Lifecycle Knowledge Area, which Laurie Williams, a colleague of mine, had authored. Then another colleague alerted me to a funding callout around software assurance curriculum design, something I had posted a large number of courses and educator materials on. I've always had good luck recruiting volunteers to help and that was true this time too!

Bastian: I heard about CyBOK through Nancy – I'm one of those volunteers! She said there was this funding available that fit really well into the trajectory of work we had been doing so far and whether I wanted to help out.

Nancy: We decided to focus on case studies to fit the size of the smaller project funding, and because in software engineering, we found that most educators wanted to develop their own course materials but they were crying out for good case studies and other artefacts that they could use in the classroom. When I joined the SEI there was a big emphasis on software engineering education. Over time it became clear that educational materials were of more interest to faculty than complete courses. In fact, we had videotaped all of our software engineering Master's degree courses and were making them available with a licensing arrangement but most faculty didn't want to use those – what they needed were materials that they could plug into their courses.

Why is it so important for educators to have easy access to these case studies, especially in the way you've offered them so as to allow people to select and apply them as they see fit?

Bastian: These educational case studies provide a realistic but invented or real-world scenario presenting a problem in a particular context, in such a way that a learner who is naive to the background can understand it. Based on that, an educator can formulate questions and prompts that the learner can work on to find a solution. In providing these case studies, we want programme instructors to be able to choose and apply them to their topics of choice, and offer them to students as classroom exercises or semester-long projects. Given the fact there are multiple case studies for most CyBOK topics, people can pick what interests them and adapt it to fit their needs.

Nancy: When Bastian and I worked on the first set of case studies, we were able to draw on existing published materials that covered most of the CyBOK subjects. By the time of the second project in 2021, we were able to fill in the remaining topics so there was at least one case study per topic.

Bastian: This not only allows educators to pick and choose, it provides a standardised way of instructing the core concepts of CyBOK while, at the same time, giving the instructor maximum flexibility.

One of your reports looked at the positive outcomes for students when they used a sample case study, leading to dramatic improvements in their understanding and assessment. Tell us more about this.

Bastian: I simply took an assignment from the software engineering course that I already run and decided to gather some before and after data, comparing how students did when they used an improved version that incorporated a CyBOK case study. The improvement in students' understanding and assessment was dramatic; in cyber security related topics, the average grade jumped from 74% to 92%, which was a statistically significant result.

With the courses I teach, the educational material is now so much more in depth as a direct result of us being involved with CyBOK, which has led to a direct improvement in our course. When I teach software engineering, I don't have a dedicated lecture in cyber security but whenever the opportunity arises, I will point students to these case studies and encourage them to take a look. That's the clear benefit of these case studies – even if cyber security is not taught as a specific subject, they give educators the resources to be able to introduce it in a relevant and relatable manner.

The nature of CyBOK resources and Knowledge Areas means the materials are often available within a relatively quick turnaround, between nine and 12 months. What's the advantage of this?

Nancy: If we look at some of the big professional society standards in software engineering, they can take several years to complete. By the time they become available, they are already behind in terms of the knowledge that's needed. People who pick up the latest standard might be teaching to something that is four or five years old. One of the advantages of the work with CyBOK is that we're not talking about large projects with a monumental review process – we're able to get something out there within a year and that makes a big difference.

Bastian: When we're producing these project deliverables, we're thinking about the non-expert educators, which is important, because many people in the sector aren't cyber security experts yet they teach cybersecurity in their computer science courses. This is information they need to know to be able to share with their students. It's vital that they sensitise students to the special considerations, perils and opportunities cybersecurity is owed. We hope our work can help them fulfil that role.