Remote Controlled Cyber: Toward Engaging and Educating a Diverse Cybersecurity Workforce

Cybersecurity education has grown exponentially to support the need for a skilled cybersecurity workforce. Further, capture-the-flag competitions have popularized cybersecurity by engaging and recruiting students while exposing them to cybersecurity workforce competencies. However, the heavy reliance on competition-based educational approaches may contribute to the lack of diversity in cybersecurity programs. Cybersecurity competitions are the primary catalyst to expose and recruit students from both high school and collegiate cybersecurity education programs. In response, we propose a collaborative, experiential learning approach that leverages hackable Internet of Things (IoT) toys as a pedagogical tool for cybersecurity education. We share our detailed design, activities, experiences, and lessons learned for others to build on our initial success.


INTRODUCTION
Capture the Flag (CTF) games are pervasive in education settings as teaching and engagement strategies [12,13,16,20,26,27,31,33,37,44,46,48,50].Previous works have argued that CTFs increase student learning outcomes, develop workforce competencies, and deliver enjoyable assessment methods [20,48].Further, CTF-based approaches provide an opportunity to increase participation in the growing cybersecurity discipline.CTFs have proven effective at recruiting individuals interested in cybersecurity; however, they fail to attract and engage historically marginalized groups without previous exposure [24].Statistics from national and international CTF competitions hint that CTFs fail to engage and recruit a diverse cohort of cybersecurity students and professionals.Demographics from the 2023 High School Cyber Patriot program reveal that only 27% of competitors identify as female and 7% as African American [2].Further, these demographics have remained stagnant for five years, with female and African American participation growing only 2% and 1%, respectively.
We hypothesize that the current cybersecurity educational approaches that heavily rely on the capture-the-flag (CTF) style gamification model may unintentionally reinforce the barriers for underrepresented groups in the cybersecurity domain.CTF games often map to workforce competencies [36], and gamification is a highly effective learning tool across several disciplines.However, previous work suggests that competition-focused gamification may not equally benefit all individual learners [17].There may be negative impacts on underrepresented minorities in competitive environments [39].In contrast, supportive and collaborative learning environments may be more beneficial.
In the following work, we propose a collaborative, experiential learning approach that leverages hackable toys as a pedagogical tool for cybersecurity education.Further, we embrace scaffolding and direct mentoring as supportive strategies to engage historically marginalized groups in cybersecurity.Our approach presents an opportunity to overcome the artificial roadblocks created by the growing emphasis on CTF competitions.This paper makes the following contributions: (1) We share our detailed design, activities, experiences, and lessons learned for a collaborative, experiential learning approach that leverages hackable toys as a pedagogical tool for cybersecurity education.(2) To allow other instructors to build on our initial success, we publish our classroom slides, lecture materials, activities, and code to reproduce at https://github.com/tj-oconnor/Remote-Controlled-Cyber.
Organization: Section 2 investigates the workforce competencies and gamification strategies for cybersecurity.Section 3 provides an overview of our approach, platform, and modular design.Section 4 examines the design of our modules.Section 5 explores our spiral development model and our test groups.Section 6 offers insight and examines future challenges.Section 7 explores opportunities for future work.Section 8 summarizes our findings.

BACKGROUND
The following section motivates the problem by examining cybersecurity workforce competencies and pedagogical approaches for diversity and gamification.

Cybersecurity Workforce Frameworks
A growing demand exists for professionals with cybersecurity education.However, the discipline of cybersecurity is often vaguely and broadly described.Existing frameworks, accreditation, and curricular guidance often present competing guidance prioritizing different cybersecurity domains.We examined this guidance before determining the topics for our activities.The National Initiative for Cybersecurity Education (NICE) publishes a framework of fundamental cybersecurity knowledge, skills, and abilities [36].This framework focuses broadly on several non-technical areas, including planning, policy, governance, and management.This framework further creates a technical taxonomy of knowledge, skills, and abilities.In contrast, the National Security Agency (NSA) provides a curriculum accreditation requirement that focuses on deep technical concepts in computer science, computer engineering, and electrical engineering and places a higher emphasis on binary reverse engineering and vulnerability research topics [25].This approach benefits the development of offensive cyber operations tools necessary to operate in cyberspace.Finally, the Association for Computers and Machinery (ACM) circulates comprehensive and flexible curricula in cybersecurity education that broadly prescribes knowledge units across data, components, connection, software, and organizational security [1].This curriculum emphasizes domains like system testing that support developing secure and reliable code.

Related Work
Gamifying Cybersecurity Education: Previous works have explored the benefits of gamification in cybersecurity education [12,13,16,26,31,33,37,44,46,50].These approaches have heavily relied on classroom capture-the-flag (CTF) competitions to encourage and engage students in cybersecurity [12].In developing Aquinas, Petullo argued that cybersecurity students must have solutions capable of self-teaching and immediate feedback [37].Burns et al. analyzed 3,600 Capture the Flag challenges and identified they focus on five key topics: cryptography, penetration testing of web vulnerabilities, reverse engineering, forensic analysis, and binary exploitation [11].Švábenskỳ et al. identified that despite a focus on network security monitoring and ethical hacking, few classroom approaches introduce an adversarial mindset [44,45].Our previous work observed that cooperative team learning could balance the negative impacts of gamification [33].We extend this work to identify opportunities to educate cybersecurity workforce-centric skills in an engaging methodology.Inspired by the clarity of CTF problems, we developed hands-on cooperative activities that span various NICE knowledge skills, abilities (KSAs), NSA knowledge units (KUs), ACM Curriculum, and CTF categories.Table 1 depicts our mapping of these activities.Section 4 expands on each exercise, providing an overview of the activity, the learner outcomes, and the engagement strategies.
Diversity Approaches: Osman et al. conducted interviews with underrepresented minorities' interviews to understand the factors that attracted them to cybersecurity, how they built their skills, overcame hurdles, and maintained engagement [35].Their work identified 19 recommendations for practice to engage a diverse cybersecurity workforce.We highlight three of these recommendations.First, we examine how to Bolster Self-Efficacy The lack of traditional education resources demands that cybersecurity students aspire to become autodidacts responsible for their learning [8,10].
Progressing towards this goal, we incorporate scaffolded code and achievable modules to foster self-belief [21].Next, we explore how to highlight the societal relevance of cybersecurity.We design each module with a lecture exploring cybersecurity's historical impacts.
For example, we motivate our binary exploitation module by examining how STUXNET sabotaged Iran's uranium enrichment program to prevent nuclear weapons development [19].This approach allows students to see meaningful, real-world impacts.Finally, we design each module to integrate active problem-solving exercises.
Each module consists of a challenge that teammates must solve collaboratively.Collaboration has been shown to benefit female students that tend to be more mastery-oriented [5,41].For example, during the Grand Theft Crypto module, one student must brute-force values while another observes the outcomes.We believe the emphasis on collaboration is necessary to engage historically marginalized groups.

OVERVIEW
As depicted in Table 1, our modules expose students to five ACM Curriculum areas, twenty NICE workforce competencies, and eight NSA CAE-CO knowledge units.We developed the modules to target a high-school based audience.We leverage this broad-based approach to engage and educate a diverse workforce by relying on the best practices [35].Each module includes a lecture that introduces technical material and highlights the societal relevance of that domain.Following each lecture, we deliver a collaborative activity integrating active problem-solving exercises.Further, we designed the activities with appropriate digital prompts and scaffolded solutions.This careful approach ensures challenge-skill match, leading to bolstering efficacy in learners.In the following section, we explore the modules in depth.1: Our modules deliver cooperative activities that span various ACM Curriculum, NICE knowledge skills, abilities (KSAs), NSA knowledge units (KUs), and Capture-The-Flag categories Figure 1: Our approach begins with a Game Boy game that introduces students to cyber ethical and legal dilemmas.

MODULES
In the following section, we explore how our modules bolster selfefficacy, highlight the societal relevance of cybersecurity, and integrate active problem-solving exercises toward engaging and educating a diverse cybersecurity workforce.
Ethics or Death: As discuss in [6], all cybersecurity education should address ethics first.Although studying offensive cybersecurity is engaging and exciting, critics are often against such approaches due to the possibility of misusing skills [14].As such, we begin our modules with an ethical foundation for all other modules to build on.We focus our Ethics or Death module on developing students' moral sensitivity [40] to cybersecurity ethical and legal issues.We began the module with a lecture on key cybersecurity laws, including the Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DCMA), Electronic Communication Privacy Act (ECPA), and Access Device Statute.Following the lecture, we provide students with a replica Game Boy handheld console running a homebrew game.As depicted in Figure 1, the students move through a series of levels where characters introduce various ethical dilemmas.If the player fails to identify ethical issues, the game sends them to jail, where they must retrain.In our initial testing, we encountered an exciting ethical pivot worth discussing.Initially, we programmed the game so that correct answers were always the first choice of a multiple-choice question.After identifying this issue, we deliberately chose to keep it and use it as a teachable moment following the activity.We followed through after the activity, asked students if they identified the flaw, and discussed the ethical issues surrounding cheating.Ultimately, we developed this module to establish a solid foundation for the subsequent series of adversary-oriented modules by nurturing students' moral sensitivity through practical experience.In future course iterations, we will introduce and explore responsible disclosure by sharing narratives of our experiences in reporting IoT vulnerabilities to industry [18,[28][29][30].
King of the Packet: Our King of the Packet module explores network traffic analysis.We begin the lecture by introducing networking and exploring a historical example of how attackers compromised the telemetry of a drone.After motivating the problem, we move to a hands-on activity on a remote-controlled car.CTF competitions often include network traffic analysis challenges that require competitors to parse multimedia content embedded in network traffic [11,12].In this delivery model, network forensic challenges are often considered defense-oriented and do not benefit from engagement strategies that leverage adversarial thinking [15,31,45].Similar to this approach, we captured the remote control car's network traffic and asked students to decode the traffic to parse the protocol, network address, port, login credentials, and embedded commands.However, we then challenged the students to embrace an adversarial thought process by asking them to take control of their car.In our classroom experiments, we often extended this activity to a king of the hill competition by placing students into groups surrounding a car under a traffic cone.We challenged the students to drive their cars to the cone and stay connected to the cone for two minutes.To further embrace the adversarial thought process, we prompted students by letting them know they could attack the other teams' cars or the car with the cone.As expected, this often turned into a chaotic event as teams pivoted between driving their car, the opposing group's car, and the car under the cone.As expected, few teams succeeded in staying connected for over two minutes due to the constant context switching.By creating an unwinnable activity, we delivered an engaging activity that avoided the negative impact of competition.Grand Theft Crypto: In our Grand Theft Crypto module, we extended the earlier King of the Packet activity by creating a symmetric encryption scheme for the car.The scheme encrypted the car's commands with a secret key known only to a legitimate driver and the engine.After lecturing students on data representation, cryptography, encryption, and cryptography attack approaches, we challenged the students to gain unauthorized control of the car.As depicted in Figure 2, we provided scaffolded code to allow the students to brute-force through a range of possible messages, encrypt a message given a key, and send encrypted traffic to the car.We placed obvious flaws into the design of the encryption scheme, limiting the necessary range to brute-force to 256 possible messages.Further, our encryption scheme relied on a one-byte key XOR'd with the plaintext message.As students brute-force and sent ciphertext messages to the car, they examined any vehicle movement to recover the original plaintext message.With an understanding of the plaintext and ciphertext messages, students could replicate a known-plaintext attack to recover the key.During this module's development and initial testing, we observed students solved this problem differently.Instead of relying on a known-plaintext attack to uncover the key, some students performed a replay attack by resending encrypted messages that moved the car.This observation demonstrates a vital issue in cybersecurity: several paths to success exist.Further, this approach allows advanced students to explore the breadth of solutions.We discuss this opportunity further in Section 6.
Attack-Oriented Programming: Our Attack-Oriented Programming module introduces key programming concepts, including variables, selection, iteration, and execution.Specifically, we present the high-level, interpreted Python3 programming language due to widespread adoption in cybersecurity tools.After the lecture introduces these concepts, we invite students to participate in an activity on the modified Game Boy.The modified Game Boy hosts an emulator that executes our homebrew Game.Further, the modified Game Boy hosts a Linux terminal accessible via a web server.The homebrew game challenges students to solve problems by programming in the terminal at specific points.To solve these challenges, students must write Python3 code that executes another program repeatedly in a loop until meeting a termination condition.Correctly solving the challenge allows the student to progress to the next level in the Game Boy game.As we examine in Section 6, this module introduced the most significant difficulty to students.As a result, we made several changes to our scaffolding that eased the challenge of systems testing.
Beating Rumpelstilkin with Z3: The Beating Rumpelstilkin module introduces the concept of constraint solving.Constraint-solving is a key component of software reverse engineering.Further, understanding constraint solving simplifies understanding advanced reverse engineering domains like symbolic execution.We begin the module with a lecture on constraint solving and motivate the problem with the historical example of the Conficker Working Group's reverse engineering the worms domain generation algorithm [38].We introduce the Z3 open-source theorem prover during the lecture.In addition to other capabilities, Z3 provides a powerful ability to solve constraint problems and offers an easy-to-use Python3 API.For the activity, we present a Game Boy game where the student must pass levels by submitting the results of complex equations.Like the previous module, the student can pivot to a terminal providing tools and scaffolded code.We purposely placed this module after the Attack Oriented Programming module to justify the importance of learning programming in students' cybersecurity exploration.
Hack This Car: We designed the Hack This Car module around the concept of a Bug Bounty to release the power and steering controls of our remote controlled car.In recent years, companies have incentivized cybersecurity reporting by creating organizational bug bounty programs encouraging security researchers to disclose vulnerabilities in exchange for a monetary reward [9,23].Researchers identify bugs by systematically analyzing source code and configuration data [36].Typically, bug bounty programs focus on web-based platforms that are publicly available for researchers to investigate.Centralized reporting platforms like HackerOne allow researchers to disclose vulnerabilities without fear of retaliation [23].In response to the popularity of bug bounties, several prominent researchers have begun offering bug bounty courses as an alternative educational approach to teach students and researchers about the methodology and tooling necessary to investigate bugs [3].Before the activity, we provide students with a lecture on web vulnerabilities.As depicted in Figure 3, the activity includes prompts to direct the student to vulnerabilities in the web application.For example, the application contains a boolean value cookie that sets the state of the administrator.By manipulating this value to True, the students can move the car in the left direction.Students gain complete control of the car by solving all the bounty challenges.
Pwn My Ride: Our Pwn My Ride module examines the concept of buffer overflows, dynamic analysis, and binary exploitation.In this activity, we explained to students that the car application, used in previous modules, had been disabled by deliberating removing the steering control function call.However, in their haste, the developers also used a vulnerable input call that failed to validate input, allowing for a buffer overflow.Similar to the previous lesson, we challenge students to uncover and exploit a security flaw.After a lecture on buffer overflows and debugging, we challenged the students to restore their access to the steering controls by overflowing the input, gaining control of the program counter (PC) register, and pointing it at correct function address.By allowing the students to compromise the car, we introduce the severity of binary exploits.As reverse engineering and binary exploitation are rarely taught and embraced in classroom environments [4,31,32,34]; we approached this module carefully, creating both novice and advanced modules.The advanced modules extend the study to include understanding how the prologue and epilogue of Aarch64 functions and memory register purposes affect code-reuse attacks like return-oriented programming.

EVALUATION
We leveraged a spiral development approach [7] in which we developed, delivered, and evaluated modules to various demographics.This approach allowed us to refine several key variables and test different educational strategies.For example, in Section 6, we describe how this strategy informed us about the appropriate amount of scaffolding to achieve guided discovery throughout the various modules.Over the previous year, we conducted trial lectures and activities with the following groups.For a portion of these evaluations, we obtained IRB approval and collected empirical data regarding student engagement and challenge levels experienced during the lessons, as well and changes in student intent to pursue a cybersecurity career or education occurring from pre to post exposure to the lesson.Results indicated that: (a) participants experienced a moderate amount of challenge, so the modules were at the right difficulty level; (b) all participants experienced high levels of engagement, with underrepresented minorities (URMs) reporting significantly higher engagement than non-URMs; and (c) significantly more female than male students reporting increased levels of intent to pursue cybersecurity after participating in the lesson (Namukasa et al., under revision).We also collected qualitative data regarding student positive and negative reactions to the course that served as lessons learned.

LESSONS LEARNED
The following section shares our challenges and successes in developing our modules and pedagogical approach that leverages hackable toys to engage and educate.

Challenges
Embracing the Digital Divide: We encountered an interesting observation when presenting our Grand Theft Crypto module to a Middle School Honors Math Class.Although students thoroughly participated and accomplished the outcomes of the module, the teacher struggled when the module pivoted to the hands-on activity.Self-admittedly frustrated with their lack of understanding, the teacher asked the students how they accomplished the activity outcomes.After examining the situation, we realized that the students were part of Generation Alpha, who had grown up with ubiquitous computing and networking [47,51].These digital natives felt far more comfortable on mobile devices than their digital immigrant Generation X teacher.Without their teacher's guidance or prompting, the students responded to the digital prompts on their mobile devices to complete the activity.While adept at technology, the digital immigrant teacher felt far less comfortable approaching newer technology.Following this insight, we iterated our design process to ensure all activities had digital prompts to allow the students to engage in self-learning.This Scaffolding Is Just Right: Previous work has investigated the amount of scaffolding necessary for discovery by computer science students [21,49].Correctly balancing scaffolding results in guided discovery with students demonstrating proximal flow learning [49].Previous work has shown this approach beneficial, even for teaching complex reverse engineering concepts like symbolic execution [42].In our evaluation, we explored different amounts and types of scaffolding, observing student responses.For example, during the activity at B-Sides, we provided challenges with relatively few digital prompts or starter code.This resulted in a limited pool of novices trying the challenges.We saw this pattern repeat with the attack oriented programming module, where students struggled with syntactical problems like Python3 whitespace indentation.We iterated this design to develop digital prompts or starter code examples that bypassed these syntactical challenges.We then tested this improved design with a trial with novice students at our university, observing they enjoyed attacking the problem instead of the syntax.Our spiral design approach demands further formal study to identify the optimal amount of scaffolding for each module and reserve a formal curriculum evaluation for future work.

Successes
Hiding the Easter Eggs: In video games, Easter eggs provide undocumented features often hidden by the game's developer.One of the earliest and most well-known Easter eggs is the Konami Code, a sequence of inputs that yield hidden features [22].Initial work has shown hidden content to prove an effective strategy in the classroom by communicating the teacher is seeking innovative communication mechanisms [43].As such, we explored this concept by adding several Easter eggs to our hackable toys.As depicted in Figure 4 our car has undocumented features, including lights, spin, or dance, that the students can identify by reviewing the source code.In our trials, we discovered that leaving these hidden features proved a helpful pivot when students exceeded the course outcomes faster than their peers.As explored earlier, this allowed us to create an effective dialogue and empowered learners.Our early evaluations showed that these Easter eggs developed positive relationships between students and teachers.This approach established a hidden secret, empowering students to explore the module deeper instead of reaching an arbitrary terminal conclusion of the activity.
Taking The Unintended Path: Cybersecurity educational approaches often encourage creativity by emphasizing the solution instead of following a process [10].The ever-evolving landscape of cybersecurity demands individuals who can think creatively and purposely deviate from the directed paths or processes [8,15,26].
To reinforce this paradigm, our modules contain multiple paths to success.While this concept is intuitive to hackers, it proves extremely difficult to understand for our colleagues in other domains who demand convergent solutions.Our colleagues in other disciplines would often ask, What is the correct solution?and become frustrated with our response Any solution that achieves the outcome.
We observed one of these deviations while testing the Grand Theft Crypto module.When designing the module, we anticipated students would approach the solution by calculating the key from XOR of an observed action and brute-forced value.However, a middle-school student identified a second path during our testing.Her solution achieves the same outcome without discovering the key by replaying the brute-forced value.Both approaches successfully reach the outcome of moving the car forward.As the learning outcome of the module is to introduce and apply a cryptographic attack, both paths reach the same learning outcome.This approach further allows us to direct path exploration and pivots for advanced students who develop solutions before their peers.

FUTURE WORK
Our work introduces the idea of using IoT toys as a pedagogical tool for cybersecurity education.As such, we share our initial findings developed during our spiral development approach.We reserve future work to explore a more detailed experiment, examining how this approach affects demographics of gender and race.We reserve this future work to explore how our approach affects learner outcomes.

Figure 2 :
Figure 2: Each module provides a prompt, accessible by a web browser, that delivers the scaffolding to guide learning.

Figure 3 :
Figure 3: In our Hack-This-Car lesson, students work collaboratively to compromise web vulnerabilities, unlocking the control of a remote-controlled car.

Figure 4 :
Figure 4: We hid easter eggs in each module to create effective dialogue that empowered learners.

•
Middle School Honors Math Class • High School Army Junior ROTC Class • High School Air Force Junior ROTC Class • Mixed Audience Expertise, B-Sides Security Conference • Mixed Audience Expertise, Novice Cybersecurity Club • Undergraduate Students, Cybersecurity Degree • Mixed Audience Expertise, Aeronautics Graduate Students