Layering Sociotechnical Cybersecurity Concepts Within Project-Based Learning

Motivation: The increasing volume and frequency of cyberattacks have made it necessary that all computing professionals be proficient in security principles. Concurrently, modern technology poses greater threats to privacy, making it important that technological solutions be developed to respect end-user privacy preferences and comply with privacy-related laws and regulations. Just as considering security and privacy must be an integral part of developing any technological solution, teaching security and privacy ought to be a required aspect of computer science education. Objective: We set out to demonstrate that a project-based capstone experience provides an effective mechanism for teaching the foundations of security and privacy. Method: We developed ten learning modules designed to introduce and sensitize students to foundational sociotechnical concepts related to the security and privacy aspects of modern technology. We delivered the modules in the treatment sections of a two-term capstone course involving the development of software solutions for external clients. We asked the students in the course to apply the concepts covered in the modules to their projects. Control sections of the course were taught without the modules as usual. We evaluated the effectiveness of the modules by administering pre-treatment and post-treatment assessments of cybersecurity knowledge and collecting written student reflections after the delivery of each module. Results: We found that the students in the treatment condition exhibited statistically significant increases in their knowledge of foundational security and privacy concepts compared to those in the control condition without the modules. Further, student reflections indicate that they appreciated the content of the modules and were readily able to apply the concepts to their projects. Discussion: The modules we developed facilitate embedding the teaching of security and privacy within any project-based learning experience. Embedding cybersecurity instruction within capstone experiences can help create a software workforce that is more knowledgeable about sociotechnical cybersecurity principles.