A CHOOSE-YOUR- OWN-ADVENTURE, CTF VM FOR CYBER SECURITY EDUCATION.

Student Contributors

Sam Holdcroft

RichardThomas

Andreea Ruda

Introduction• Story/narrative is an important aspect of gamification.

• In making cyber security education challenges this is often overlooked.

• We have developed a choose-your-own-adventure story engine to add a narrative to educational CTF challenges.

• We have written a story for this based on investigating a black market site, in a corrupt company.

• We have used this with a 2nd year cyber security class and collected data about its affect.

Gamification

Some quotes from these books

• “What we learn from games is that adding narrative, storyline, or a theme to our lessons and activities can help students be more engaged”

• “Stories and narrative are important for games focused on helping people to learn”

• “Researcher have found that the human brain has a natural affinity for narrative”

Types of Game

VS

Our Goal• As part of our project we have product a number of

Capture the Flag (CTF) exercises for education.• Our tests with students suggest these work well and are popular

• Our goal here is is to provide a framework to put these exercises into the context of a story.

• The story should tie the exercises together, for a 11 weeks cyber security.

• Students should have control over the story.

The Framework

ePlayerSpace

Ex1, flags

Ex2, flags

Ex3, flags

Ex4, flags

Ex5, flags

Mail Server

Web Server

Story Script

flags

flags

flagsStory e-mails

Class Test• We gave the VM to a 2nd year introduction to cyber

security course.

• The CTF exercises were compulsory and the story was completely optional.

• We logged the e-mails the student sent (with their knowledge).

• 38 Students started the story, 34 finished it.

Example student e-mails. To: NikAdler@sensiblefurniture.comFrom: Employee427 <employee427@sensiblefurniture.com>

Hi there,

It's great to be here, and I'd love to start work now. Here are the tokens that I've found so far:

855e8fb63feed93e2c49135fc83737cf 65e802467c57f7d058119094ad9d496af 14673f7f3467e826b922915b5f14466a

Happy to help!

427.

Example student e-mails. To: monkey.see482@imeverywhere.sensiblefurniture.comFrom: Employee 427 <employee427@sensiblefurniture.com>

Hi there,

Something big you say? I hope that I can trust you with these...

2029725918ac5486c1b40d07d9d7815e5a89ce67c9fe32d4b1d2ec8e55c619ce9daeb0c067a31d4bb6c3e92aaca74f4d0480dcab7a474deb9f0fe522b981271d

And yeah, if we are going to carry on with this I would prefer if we could get some encryption for these messages. I'm not up for loosing my job in the first week...

[oo] /|##|\ d b

Example student e-mails. Recipient: tips.police.uk@outbound.sensiblefurniture.comSender: Employee 427 <employee427@sensiblefurniture.com>Subject: HELP!!!

I have some incriminating evidence on my bosses!

I don't know who to turn to!

Here's some statements from my boss' private directory!

S.F. Heroes, Rocks and Grass Patches of £56,655S.F. cyber of £5,150S.F. Heroes, Rocks and Grass Patches of £40,380S.F. cyber of £1,750

Survey Results• Those that did take the story:

• 89% very happy with it, 11% happy• 83% very worthwhile, 15% worthwhile• 97% say it increased there level of engagement with the

course

• Those that didn’t take the story• 24% said they weren’t aware of the story. • 43% said they were too busy.• 17% said they weren’t interested in it• 16% other/no response

Conclusion.• The story seems to have been a success.

• The technical framework functioned well.

• Our results suggest adding a story to coursework does increase student engagement.

• We plan to run the story again next year• Considering making the e-mails to main way to submit homework• Working with other University so that they can use it.

• Long term: add it into Cliffe Schreuders’s SecGen framework