In my Cyber Self Defense course at the Rochester Institute of Technology, I teach a module on Developing a Security Mindset. Based on a class exercise by Tadayoshi Kohno at the University of Washington (mentioned in a blog posting by Bruce Schneier), the goal of the module is to reorient students’ thinking from the features of a product and how those features are supposed to be used to thinking about how someone might “hack” the product. In other words, develop a security mindset.
I ask the students to determine product assets and vulnerabilities and identify how someone might attack the product. The students are told that they do not have resources to counter every possible threat.
I also have the students create a risk map that depicts the likelihood of a particular attack and the potential impact of that attack. Placing specific threats on a risk map helps students understand that since not all threats bear the same weight they need to choose what is most important to defend against.
The twist to the exercise is that students may not conduct an analysis of a computer-related product. For example, subjects presented by my students this quarter included Water Purification, Bicycle Safety, Running a Pizza Business, etc. As the students presented, we discussed their risk maps and the choices they made.
Although we may not agree with the students’ risk map, the exercise stretches IT students to think “outside the box.”
- Bruce Schneier: “The Security Mindset” (schneier.com)