Educating Students On Information Assurance Through Immersion And Operational Leadership

This paper presents the results an experiment to educate students on information assurance through immersion and student-led learning. As technology progresses, students face increasing attacks on their information systems. Rather than educate students solely in the classroom, we implemented two experiences to increase student understanding of modern information assurance using the students themselves: the student information security officers (SISOs) and the Carronade exercise. The student information security officer program empowers students to address information assurance education of their fellow students. Students are organized into groups of approximately 120 and each group is assigned a SISO. The SISOs are organized in a hierarchy so that ultimately one SISO is responsible for all. The SISOs educate and mentor their students on safe computing through formal classes in their dorms, formal inspections of personal computers, security awareness exercises, and assisting students when they encounter a problem. The empowerment of students to operationally lead their student organization has resulted in marked improvements in student learning regarding information assurance and computer attacks. An indicator of this learning is the Carronade exercise. The Carronade exercise is an immersive information security awareness exercise conducted very semester since September 2003. SISOs launch the exercise using an automated phishing tool that generates a phishing email attack against every student under the control of the SISO. If a student succumbs to the attack, the SISO is informed of the identity of student. No personal information is transmitted. The SISO then has an opportunity to mentor the student and explain why the email was a phishing attack and what the telltale signs were that identified the email as an attack. Because the attack occurs in the normal work environment of the students, it is viewed as highly relevant to the students. Due to the low threat and personal mentoring approach employed to resolve mistakes, students are receptive to the exercise. This has led to a marked improvement in student performance against phishing attacks over the last three years. The empowering of students to teach and mentor their fellow students through the SISO and Carronade programs has proven to be very successful.