Hacking and the security mindset: How open source innovations are empowering educators and students

Hacking and the security mindset: How open source innovations are empowering educators and students

Published: 3 Aug 2023, 3:52 p.m.

As a strong advocate for free culture and constructivism, Dr Z. Cliffe Schreuders’ personal and professional ambitions align neatly with those of CyBOK, nurturing an ongoing collaboration that has benefited over a thousand students and likely thousands more thanks to a new market-facing project.

Through Leeds Beckett University, Cliffe first mapped the university’s cyber security curriculum against CyBOK’s rigorous framework, and was subsequently awarded funding by CyBOK to advance the open source SecGen platform, which gives learners an invaluable hands-on experience of navigating real-world challenges.

As a result, his team has been awarded £92,000 by Innovate UK’s Cyber Security Academic Startup Accelerator Programme (CyberASAP) to work on the commercialisation of Hacktivity Cyber Security Labs and SecGen, which will make the platforms more accessible to more people when they go to market in 2023.

When and how did your own interest in computer security and software emerge?

I’ve been interested in hacking and defending computers since the 1990s, writing both attacks and amateur anti-malware software while in high school. There is a certain amount of satisfaction and joy that you get from solving the puzzle of a computer that you try to break into.

Looking back at the history of hacking and cybercrime, there was an early period where a lot of the activity was based on exploration and hackers challenging ourselves as to what could be done. Since then, the threat landscape has evolved, and a lot of malicious actors are now financially or politically motivated, but there are still ethical hackers, security professionals and researchers who use that experiential knowledge to find security issues and detect and defend against attacks.

A lot of what I do now is design ways to help others have an enjoyable learning experience using resources that were not available when I started out. Students benefit from having virtual machines that they can safely attack, to build their knowledge through hands-on learning experiences. For instance, we don’t just want to tell students about phishing, we want to encourage them to try out some phishing tasks. By putting that basic theory into practice, they will internalise the theory through doing – which in pedagogical terms is called constructivism.

Not only is that more engaging, it teaches students “the security mindset,” which is the elusive idea that it’s helpful to think as an attacker. Even if you’re trying to defend something, if you approach it in the way of seeing how a system is attacked and therefore needs to be defended, you critically assess how someone might break it.

You’ve been instrumental in developing the cyber security curriculum at Leeds Becket University and co-led the NCSC accreditation process, which led on to further funding from CyBOK for your activities. How did that process evolve?

The NCSC accreditation process is quite a significant undertaking. Working with our course director I looked at each of our cyber security modules to see how they mapped across to the topics, keywords and Knowledge Areas of CyBOK. We took a really granular approach, looking at every lecture to see what we taught, what was included in lab work and assessments. Through this process we mapped to 360 security concepts from CyBOK. This enabled us to see which areas we weren’t covering and then make some changes to our degrees, even renaming some modules to communicate more clearly what they involved and where they sat relative to the CyBOK framework.

With subsequent small grant funding from CyBOK, we were able to incorporate what we had learned by mapping SecGen to CyBOK. This mapping includes hundreds of labs, CTF scenarios, and even modular components of challenges within SecGen. The funded projects have also involved developing new open source learning materials. The funding enabled us to pay student interns to help with the work and in doing so, to inject some new life into what we were already doing by involving more people and developing more content.

We’ve since successfully applied for CyberASAP, which has helped to bring in more resources and eventually, take Hacktivity to the commercial market this calendar year.

You describe yourself as a “free culture advocate”. Why do you believe open source is the best approach?

Human society and culture are built on sharing and making incremental contributions. We stand on the shoulders of giants in both the sciences and the arts. Personally, I’ve openly released many free and open source software projects, entire modules, curriculums of labs and learning resources, and even many of my own creative hobby projects under open source and free culture licences.

By sharing my own creations, I hope I am contributing to helping others, and incrementally making the world a better place. We can create bigger and better things by building on each other’s efforts.

Tell us about your plans to expand the open source SecGen project and your online cyber security education platform Hacktivity.

Including hacking and offensive security is critical to developing the security mindset, both of these platforms help with that.

SecGen is an open source project used by many people and universities internationally. It includes a huge amount of content, full labs, CTF challenges, interactive hackerbots, and supporting videos. The content spans the breadth of CyBOK and thanks to the small grants we were awarded, we were able to map across every scenario to CyBOK. One of the unique things about SecGen is that not only is there a huge amount of content, we use randomisation which means we can give creative challenges to different students.

Hacktivity has been used by at least 1,000 of our students in Leeds and for our NCSC accredited degrees. It has a great remote access experience, with gamification, educational features such as timed CTF tests, and with SecGen scenarios, it offers endless replayability.

We are now preparing to take the platform to market, to make these great educational resources accessible to more people by growing the platforms in a way that remains true to our open source commitment. One feature still in development is tracking and presenting a CyBOK dashboard to users of the platform.

CyBOK has been key to the planning and development of everything we’ve been doing, and will be even more so as we prepare to take SecGen and Hacktivity to the market.

CyBOK’s commitment to open source and democratic processes is what makes it stand out. The CyBOK learning resources projects directly benefit the community and we’re confident that our work will continue to do the same as we engage in the commercialisation process.

This is exactly the kind of initiative that the government should continue to fund, to empower educators and learners.

Dr Z. Cliffe Schreuders is Reader in Cyber Security and Director of the Cybercrime and Security Innovation Centre (CSI Centre) at Leeds Beckett University.