What Are Cybersecurity Education Papers About? A Systematic Literature Review of SIGCSE and ITiCSE Conferences

TL;DR

This systematic review analyzes 71 cybersecurity education papers from SIGCSE and ITiCSE conferences (2010-2019), highlighting research trends, teaching approaches, and gaps in evaluation and data sharing.

Contribution

It provides a comprehensive synthesis of cybersecurity education research, mapping topics, methods, and community insights, and offers a publicly available dataset for future work.

Findings

Technical topics are evenly covered, with secure programming, network security, and offensive security prominent.

Most interventions target US tertiary education and rely on subjective student feedback.

Less than a third of papers share supplementary materials; no datasets are published.

Abstract

Cybersecurity is now more important than ever, and so is education in this field. However, the cybersecurity domain encompasses an extensive set of concepts, which can be taught in different ways and contexts. To understand the state of the art of cybersecurity education and related research, we examine papers from the ACM SIGCSE and ACM ITiCSE conferences. From 2010 to 2019, a total of 1,748 papers were published at these conferences, and 71 of them focus on cybersecurity education. The papers discuss courses, tools, exercises, and teaching approaches. For each paper, we map the covered topics, teaching context, evaluation methods, impact, and the community of authors. We discovered that the technical topic areas are evenly covered (the most prominent being secure programming, network security, and offensive security), and human aspects, such as privacy and social engineering, are present as well. The interventions described in SIGCSE and ITiCSE papers predominantly focus on tertiary education in the USA. The subsequent evaluation mostly consists of collecting students' subjective perceptions via questionnaires. However, less than a third of the papers provide supplementary materials for other educators, and none of the authors published their dataset. Our results provide orientation in the area, a synthesis of trends, and implications for further research. Therefore, they are relevant for instructors, researchers, and anyone new in the field of cybersecurity education. The information we collected and synthesized from individual papers are organized in a publicly available dataset.