Designing a Visual Cryptography Curriculum for K-12 Education
Pranathi Rayavaram, Sreekriti Sista, Ashwin Jagadeesha, Justin Marwad, Nathan Percival, Sashank Narain, and Claire Seungeun Lee

TL;DR
This paper presents a visual, narrative cybersecurity curriculum for K-12 students using Scratch, teaching core concepts through simulated attack and defense scenarios, and demonstrates its effectiveness through student evaluations.
Contribution
It introduces a novel, interactive curriculum that simplifies cybersecurity education for K-12 students using visual storytelling and simulation techniques.
Findings
Students scored an average of 9.28/10 on comprehension surveys.
66.7% of students found the system extremely easy to understand.
The curriculum effectively teaches fundamental cybersecurity concepts.
Abstract
We have designed and developed a simple, visual, and narrative K-12 cybersecurity curriculum leveraging the Scratch programming platform to demonstrate and teach fundamental cybersecurity concepts such as confidentiality, integrity protection, and authentication. The visual curriculum simulates a real-world scenario of a user and a bank performing a bank transaction and an adversary attempting to attack the transaction. We have designed six visual scenarios. The curriculum first introduces students to three visual scenarios demonstrating attacks that exist when systems do not integrate concepts such as confidentiality, integrity protection, and authentication. Then, it introduces them to three visual scenarios that build on the attacks to demonstrate and teach how these fundamental concepts can be used to defend against them. We conducted an evaluation of our curriculum through a study…
| Age | N | % |
|---|---|---|
| 10 | 1 | 5.56 |
| 11 | 2 | 11.13 |
| 12 | 4 | 22.2 |
| 13 | 2 | 11.13 |
| 14 | 5 | 27.78 |
| 15 | 4 | 22.2 |
| Total | 18 | 100.0 |

| Topic | Correct | Incorrect |
|---|---|---|
| Confidentiality | 88.9% (16 students) | 11.1% (2 students) |
| Integrity | 94.4% (17 students) | 5.6% (1 student) |
| Authentication | 88.9% (16 students) | 11.1% (2 students) |
Pranathi Rayavaram¹, Sreekriti Sista², Ashwin Jagadeesha¹, Justin Marwad¹, Nathan Percival¹, Sashank Narain¹, and Claire Seungeun Lee¹
¹University of Massachusetts Lowell, Lowell, MA, USA
²Heritage Highschool, Frisco, TX, USA
Abstract
We have designed and developed a simple, visual, and narrative K-12 cybersecurity curriculum leveraging the Scratch programming platform to demonstrate and teach fundamental cybersecurity concepts such as confidentiality, integrity protection, and authentication. The visual curriculum simulates a real-world scenario of a user and a bank performing a bank transaction and an adversary attempting to attack the transaction. We have designed six visual scenarios. The curriculum first introduces students to three visual scenarios demonstrating attacks that exist when systems do not integrate concepts such as confidentiality, integrity protection, and authentication. Then, it introduces them to three visual scenarios that build on the attacks to demonstrate and teach how these fundamental concepts can be used to defend against them. We conducted an evaluation of our curriculum through a study with 18 middle and high school students. To evaluate the students’ comprehension of these concepts, we distributed a technical survey, on which the students’ overall average score on questions related to the demonstrated concepts was 9.28 out of 10. Furthermore, the survey results revealed that 66.7% found the system extremely easy and the remaining 27.8% found it easy to use and understand.
Index Terms:
cybersecurity curriculum, K-12, block-based programming, confidentiality, authentication, integrity protection
I Introduction
Our data, digital devices, resources, and national secrets are more susceptible to cybercrime than ever before. Even so, there is a cybersecurity workforce shortage and a general lack of the awareness required to defend against these crimes/attacks. The International Information System Security Certification Consortium estimates that the cybersecurity workforce must increase by 145% to fulfill global demand [1]. Currently, there are around 4 million vacant positions due to the talent gap. Bridging this cybersecurity talent gap is essential and has become one of the top priorities globally [2]. To address this problem, many government organizations and cybersecurity experts are working to bring cybersecurity curricula to the K-12 education level. These initiatives aim to encourage the next generation to pursue cybersecurity as a career and build the required skill set at an early age to enter the cyber workforce. In addition, this also improves cybersecurity literacy nationwide and increases awareness among children. This is important as cybercrime is more prevalent than before, and it is thus crucial that they know and understand how to secure their private data.
For the development of a K-12 cybersecurity curriculum, organizations such as cyber.org have collaborated with K-12 educators, the cybersecurity industry, and the government to create the very first voluntary national cybersecurity standards [3]. These standards provide curriculum developers and teachers at schools with the clear paths and resources they need in order to provide robust cyber education for every student. In addition, a core theme for security has been included in this curriculum, which comprises sub-concepts such as the Confidentiality, Integrity, and Accessibility (CIA) triad, Access Control (ACC), Data Security (DATA), Threats and Vulnerabilities (INFO), and Cryptography (CRYP). Unfortunately, while these concepts are important to cybersecurity curricula, K-12 educators end up using complex tools or programming languages such as Python to teach these concepts to K-12 students due to a relative lack of age-appropriate, intuitive, and easy-to-use tools. Furthermore, according to a nationally representative survey from cyber.org administered by the EdWeek Research Center [4], 80% of rural educators claim that their students lack adequate cybersecurity resources. This includes a lack of access to cybersecurity education, from coursework to educators knowledgeable about the topic. These communities, which are disproportionately rural and low-income, are a crucial starting point for improving access to cybersecurity education in order to provide equal opportunities for students choosing a cybersecurity career.
To address the aforementioned problems, we have developed a simple, visual, and intuitive cybersecurity curriculum on Scratch for K-12 students. Scratch is a financially feasible and globally accessible platform, which implies that developing the curriculum on Scratch would provide equitable educational chances for students from low-income or rural regions. Scratch’s block-based programming and graphical representations encourage mathematics and science education. For instance, Harvard has integrated a Computer Science course using the Scratch platform [5] to teach programming fundamentals. Given these considerations, we believe that presenting a curriculum on Scratch would be appropriate for both teachers and students.
Our research focuses on answering the following research questions (RQs). First, RQ1: Can we develop a cybersecurity curriculum using simple technologies that enables K-12 children to intuitively understand and apply core cybersecurity concepts such as confidentiality, integrity protection, and authentication? Second, RQ2: Can we design and implement this curriculum in a manner where students can understand these concepts under minimal or no supervision?
In response to RQ1 and RQ2, we used Scratch - the block-based coding platform - to design a novel cybersecurity curriculum focused on the basics of cybersecurity, such as confidentiality, integrity protection, and authentication. According to the K-12 national cybersecurity curriculum from cyber.org [2], these are fundamental concepts that must be taught to everyone beginning cybersecurity education. We believe that understanding these concepts leads to a stronger understanding of modern cybersecurity schemes such as TLS and SSH, the technologies that protect our day-to-day online activities. Using the visual capabilities of Scratch, we created six scenarios that illustrate the story of an attacker attacking a system that a user and a bank are using to perform a banking transaction. A user connects with the bank to make a transaction with his friend, and an attacker tries to attack (read, modify, and/or fabricate) the transaction the user has made. Each time the attacker comes up with a new strategy to attack the transaction, the user and bank defend against those attacks by introducing the concepts of confidentiality, integrity protection, and authentication. For instance, Fig. 1 shows how the concept of integrity protection can be demonstrated to young children simply by building a visual story-like environment in Scratch. In this example, a user (cat) and a bank perform a banking transaction with the message “Send 1000 to Alice”. The user and bank think of message hashing as a protection mechanism against modification of this message. We believe that this real-time visual narrative will assist students in comprehending the significance and existence of these fundamental system security concepts. The capability of our curriculum to clearly show offensive and defensive scenarios will assist students in comprehending and excelling in this field.
We anticipate that in the future, if children are educated with more sophisticated cybersecurity concepts, they will be able to create these real-time secure infrastructure scenarios on the Scratch platform. This enables students to comprehend the intuitive application of cybersecurity concepts in the real world without any programming or tool-specific complexities.
To assess the effectiveness of our curriculum, we recruited 18 middle and high school students (10 girls and 8 boys) for a 3-hour workshop. During this time, the students were taught the previously mentioned core cybersecurity concepts using our curriculum. Afterwards, we administered a survey questionnaire in order to assess the students’ comprehension of the topics that were taught in the workshop. We also included secure and insecure visual scenario questions about these concepts in the survey. In this three-hour session, the students could easily understand the concepts of confidentiality, integrity protection, and authentication, and provide accurate answers to various technical questions on these concepts, with an average score of 9.28 out of 10. According to the post-survey results, 66.7% of students said the curriculum was really easy, and 27.8% of students considered it to be easy. The curriculum was well received by the participants, considering they would recommend it to others. Specifically, 61.1% of students were inclined to strongly recommend this intuitive curriculum to their peers, while the remaining students were highly likely to suggest it. Our results also indicate that this style of narrative will aid students in comprehending cybersecurity concepts with minimum supervision, which might be especially helpful for those who lack access to educational resources. Our research contributions may have far-reaching effects on K-12 education by raising students’ awareness about cybersecurity and helping educators fill a critical resource vacuum in their cybersecurity instruction.
In summary, we make the following contributions:
- We designed and implemented a simple, visual, and intuitive cybersecurity curriculum for K-12 students on the Scratch platform. Our initial efforts are focused on teaching children fundamental cybersecurity concepts such as confidentiality, integrity, and authentication.
- We conducted a user study with 18 middle and high school students to teach them cybersecurity concepts using our curriculum. Our results show that our visual curriculum greatly simplifies the understanding of core cybersecurity concepts and is engaging to K-12 students.
The rest of this paper is structured as follows. In Section II, we discuss some of the related works that focus on cybersecurity curricula and tools that teach cybersecurity concepts. Section III focuses on the design and implementation of our attack and defense scenarios. Section IV describes the design, metrics, and results of the user study that was conducted with 18 middle to high school students to evaluate the effectiveness of our curriculum. We highlight the potential benefits and contributions of this current study in Section V. We then conclude our work in Section VI.
II Related Work
We acknowledge that many initiatives exist that focus on cybersecurity education and awareness for diverse socioeconomic groups, education of women, and underrepresented groups [6] [7]. This section highlights only a subset of these initiatives directly relevant to our curriculum. Our focus is on demonstrating how these initiatives encourage cybersecurity education and on tools that teach these concepts.
Recent studies have focused substantially on incorporating cybersecurity education into K–12 curricula for children [8]. Most of the research focuses on the barriers preventing educators from delivering effective cybersecurity education in formal educational settings. All of these research projects were conducted in an effort to make cybersecurity more accessible and intuitive for young students. In order to provide a comprehensive cybersecurity curriculum for K-12 students, it is crucial to figure out how to teach them and devise an effective method of teaching.
In the past few years, important initiatives and research have come from the public sector, private sector, universities, and beyond. As a good example of how a university can engage with K-12 students in cybersecurity, Stony Brook University’s cyberMiSTS project team designed a professional development course for middle school teachers that incorporated a recent understanding of cybersecurity based on research [9]. Hacker High school from the Institute for Security and Open Methodologies (ISECOM) [10] provides a self-directed learning curriculum focused on attack and defense skills. The public sector also plays an important role in giving young students an opportunity to be more educated and trained in cybersecurity. The AFA CyberPatriot program by the Air Force Association [11] and NSF GenCyber [12] are such programs that work to inspire students to pursue careers in cybersecurity or related STEM fields. The work in [13] focuses on teaching students about cybersecurity and developing their cognition through storytelling using social robots. The purpose of another work [14] is to include case studies in cybersecurity training. These case studies are actual breaches that have occurred in the real world, and these attacks were taught from beginning to end. In addition, efforts have been made to educate women about cybersecurity, and research suggests that applications inherent to cybersecurity will likely increase their interest in the field [15, 16, 17, 18, 19, 20].
There has been significant research recently on developing innovative curricula and pedagogical tools in the area of cybersecurity education [21]. These tools increase the scope of education and the resources available for teaching. They have attracted special interest in the research community, and their objectives generally involve creating challenges and bringing hands-on experience around specific concepts [22]. For example, [23] has focused on creating cybersecurity curriculum challenges that include defensive measures such as encryption, secure key exchange, and sequence numbers to prevent cyber attacks during robot operations. Video games for cybersecurity are also considered one of the effective techniques to provide cybersecurity training to children [24, 25, 26]. Some other works [27, 28] focus on creating VR and AR technologies to effectively increase cybersecurity awareness. Other works such as [29] attempt to develop visual techniques to teach public key infrastructure concepts. The Bits N Bytes organization [30] is dedicated to bringing awareness of the field of cybersecurity to young students. Works such as Cybersecurity Lab as a Service (CLaaS) [31] have also looked at creating services that can run other cybersecurity tools on their platform.
Some of the initiatives focused on teaching cryptography through an online website, the presentation of workshops, and the distribution of cryptography challenges. Practical Cryptography [32] is an online lesson-based website that emphasizes the practical application of classical cryptography. In a similar line, The CryptoClub Project [33] provides educational resources for use in the classroom as well as an interactive website to educate students on typical cryptographic techniques. A workshop held by Lincoln Laboratory [34] has the intention of teaching core cryptography theory to students who are interested in the mathematics aspects of cybersecurity. In a similar manner, NCC Group hosts Cryptopals Crypto Challenges [35] involving the participants in programming to address cryptography challenges. The intended audience for Cryptopals is comprised of experienced programmers interested in independently studying cryptographic concepts.
Despite the existing and ongoing efforts, our work differs from the above curricula and tools as we focus on a self-expressive, visual, and intuitive cybersecurity curriculum using the popular Scratch platform. We focus on building visual and intuitive stories for young students that aid their understanding of the fundamentals that drive cybersecurity and cryptosystems. We note that our curriculum can be integrated into the above initiatives to teach the concepts of confidentiality, integrity protection, and authentication to K-12 students.
III Design of the curriculum
We designed our curriculum using a Scratch extension called CryptoScratch [36] that implements modern cryptographic algorithms like AES and RSA for encryption/decryption and the SHA-256 algorithm for message hashing. The CryptoScratch extension implements these algorithms as visual blocks with the same capabilities as conventional Scratch blocks. In addition, since Scratch has the capacity for visual demonstrations and a user interface that allows children to interact easily with the blocks, we determined that it would be a suitable platform for developing cybersecurity curricula. We note that the authors of CryptoScratch mostly focused on tool development and did not present any learning materials for the users of their system. Our focus, on the other hand, is on teaching how to use the aforementioned algorithmic blocks to provide security services such as confidentiality, integrity protection, and authentication.
Using the CryptoScratch blocks, we designed scenarios and visual demonstrations that simplify the aforementioned core cybersecurity concepts. Our scenarios consider a conversation between a user and a bank, and an attacker attempting to intercept, modify and/or fabricate the conversations. Through collaboration between a diverse team comprising high-school students, undergraduate students, and security and education researchers, we designed a total of six scenarios that demonstrate the story of an attacker attacking bank transactions while the user and bank attempt to defend against these attacks using the aforementioned core cybersecurity concepts. The scenarios have been designed such that they start with a bank transaction that has no security protections (Scenario 1), which is then integrity protected using secure hashing algorithms (Scenario 2), then made confidential using symmetric cryptography (Scenario 4), and then authenticated using Certificate Authorities (Scenario 6). The other scenarios (Scenarios 3 and 5) demonstrate attacks that motivate the protections added in Scenarios 4 and 6. All these scenarios are discussed below. We note that our curriculum currently concentrates on teaching fundamental principles for the sake of simplicity for young children. Following the national cybersecurity standards for K-12 students, we leave more advanced ideas such as replay attacks, reflection attacks, Man-in-the-Middle (MitM) attacks, Public Key Infrastructure (PKI) to explain public key cryptography, modern schemes, Message Authentication Codes, Authenticated Encryption, and the design of protocols such as Transport Layer Security (TLS) for future work.
Notations - To explain our scenarios, we will denote a bank transaction message as throughout this section. Our goal is to demonstrate to students how to protect using the concepts of confidentiality, integrity protection, and authentication. The message will denote a secure hashing algorithm such as SHA-256 on message . The message will denote encryption of message using a symmetric cryptographic algorithm such as AES and symmetric key , and will denote decryption of ciphertext using the symmetric cryptographic algorithm and key , such that .
Integrity Protection - The first two scenarios of our story-based curriculum focus on teaching the concept of integrity protection. Integrity protection is one of the core cybersecurity principles, as it assures that data has not been altered during transmission between a sender and recipient. In Scenario 1, a user sends the sensitive transaction to the bank over an insecure channel. The attacker, intercepting this channel, modifies the transaction to and forwards it to the bank. The bank receives the modified message and processes it resulting in a breach of the integrity of the transaction (see Fig. 1). The goal of this scenario is to show the dangers of insecure communications in critical everyday applications such as banks. In continuation to the previous scenario, Fig. 2 demonstrates Scenario 2 where the user and the bank recognize that the attacker has altered the message and discuss the use of message hashing as a defense strategy. To ensure the integrity of a future transaction, this time, the user transmits the message to the bank. An attacker, unaware of the addition of message hashing, modifies the message to but leaves the hash as to send to the bank. The bank receives the modified and hash , verifies that the hash is not the same as , and determines that the message has been altered (see Fig. 2(c)). We note that this scheme is currently susceptible to an attacker changing the message and recalculating the hash. This vulnerability motivates the addition of the concept of confidentiality in the next scenarios.
Confidentiality - Scenarios 3 and 4 of our curriculum focus on confidentiality, which is a key cybersecurity concept that describes the ability of senders and recipients to protect information from unauthorized entities. We note that, even though confidentiality can be achieved using symmetric and asymmetric cryptography, we focus on symmetric cryptography for this work. This is because symmetric cryptography is more intuitive for K-12 students, while asymmetric cryptography can be slightly more advanced. We leave the exploration of simplifying asymmetric cryptography for students for a future extension of this work. Continuing from Scenario 2, in Scenario 3, the attacker discovers that the user and bank are now using message hashing to detect modifications to the message . This time, when the user sends the bank a message , the attacker attempts to disrupt communication by altering the hash value and sends to the bank. The bank receives the new message, compares the hash, and accepts the transaction as it has no means of verifying that the message has been modified by the attacker. This attack is meant to demonstrate to students that integrity protection by itself cannot protect sensitive transactions, and must be combined with other core concepts, such as confidentiality for improved security. Figure 3(a) illustrates the attack. In Scenario 4, the user and the bank again discuss the attack and understand that integrity protection alone cannot secure the transaction as shown in Fig. 3(b). To protect their future transaction from the attacker, they decide to use symmetric cryptography and share a secret key . Let denote the transaction message from Scenario 2. To protect the attack on , this time the user encrypts the message to produce a ciphertext and transmits to the bank. The bank receives the ciphertext and decrypts it to get back the original transaction such that . 
Since the attacker does not have key to encrypt or decrypt the message , they cannot read this transaction preserving the confidentiality as shown in Fig.3(c). Since , the bank also knows that the integrity of the message is preserved. However, we note that this communication is still vulnerable because it does not contain any means of verifying the user. The next scenario explains the potential risk of not validating the user and how authentication can be used to mitigate such risks.
Authentication: Our next two scenarios (Scenarios 5 and 6) focus on demonstrating the importance of learning authentication in a cybersecurity curriculum. Authentication is the process of identifying and validating the identity of a user and is the primary means used to control access to sensitive information (e.g., emails, and bank accounts) in the modern world. Scenario 5 demonstrates that an attacker can fabricate transactions even with the introduction of symmetric cryptography in Scenario 4. The attacker does this by impersonating the authorized user and obtaining the secret key from the bank. Now, the attacker simply needs to fabricate a new transaction , encrypt the transaction , and then transmit to the bank to perform a transaction as the user. This vulnerability can be addressed using authentication where the user and bank verify each other’s identity before performing the transaction. Scenario 6 introduces the concept of Certificate Authority (CA) that can be used to establish trust in the system. We note that the concept of CA in the real-world has its base in public key cryptography. However, since our focus is on using the more intuitive symmetric cryptography, we have deviated from the actual usage of a CA in protocols such as TLS. In our scenario, we use the CA as a trusted agent that verifies the user and the bank and then assigns a symmetric key to the user and the bank (as opposed to a certificate in the real world). The CA shares this key via a secure channel after verifying the identity of the user and the bank as shown in Fig.4(a). We note that is a secret key specific to the user and the bank. Considering the transaction from Scenario 4, the user now transmits to the bank, and the bank decrypts to get back the original transaction such that . Even when the attacker attempts to impersonate a user, it fails in the verification process. 
As such, the attacker cannot read, modify and/or fabricate the transaction message, resulting in a scheme that provides all three security services - confidentiality, integrity protection, and authentication. Fig. 4(b) demonstrates this scenario, where an attacker cannot change the message contents.
Implementation Details: We explain the implementation of the curriculum by using the message integrity scenario (Scenario 2). The authors of CryptoScratch [36] use the algorithm names such as AES and SHA for their block names. As we are building the curriculum for K-12 students, we have simplified the blocks to just refer to the key function of the block as shown in Fig. 5.
We begin the flow of the scenario with the user cat, where the user initiates the transaction and executes the associated sprite code as shown in Fig. 6(a). This sprite code first creates a transaction message and saves it in a Scratch variable called ‘Message’. Then it computes the hash of the message and saves it in a Scratch variable called ‘Hashed_Message’. Once the message and the associated hash value are generated, the user transmits the message using the broadcast block. The broadcast block is similar to a function call in conventional programming. Next, the attacker sprite executes its associated sprite code. This code modifies only the transaction message, that is, the Scratch variable ‘Message’, unaware that there is an associated hash value, as shown in Fig. 6(b). The adversary then re-transmits the information to the bank using a broadcast block, which in turn triggers the code associated with the bank sprite. This code recalculates the hash value for the modified message and compares it to the unmodified hash value using the comparison operator block as shown in Fig. 6(c). A Scratch logic block applied to this comparison then assesses whether the transaction is legal and determines whether to discard or execute it. Note that ‘Red_enveloped’ and ‘Blocker_message’, which are used in the broadcast blocks shown in Fig. 6, are temporary block code that creates flow in the visualization and does not implement logic; due to space constraints, we did not include that block code in the images.
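The message flow of Scenarios 1 to 3 and of the sprite code described above, as an added Python example that is not part of the paper or of CryptoScratch. The dictionary keys reuse the Scratch variable names ‘Message’ and ‘Hashed_Message’ from the text; the function names and the attacker's replacement message are assumptions made for illustration.

```python
import hashlib
import hmac


def sha256_hex(message: str) -> str:
    """Hash block: SHA-256 of the message text as a hex string."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def user_send(message: str, with_hash: bool = True) -> dict:
    """User sprite: set 'Message' (and 'Hashed_Message'), then broadcast."""
    packet = {"Message": message}
    if with_hash:
        packet["Hashed_Message"] = sha256_hex(message)
    return packet


def attacker_change_message(packet: dict, new_message: str) -> dict:
    """Attacker in Scenarios 1 and 2: rewrites only 'Message'."""
    forwarded = dict(packet)
    forwarded["Message"] = new_message
    return forwarded


def attacker_change_and_rehash(packet: dict, new_message: str) -> dict:
    """Attacker in Scenario 3: rewrites 'Message' and recomputes the hash."""
    forwarded = attacker_change_message(packet, new_message)
    forwarded["Hashed_Message"] = sha256_hex(new_message)
    return forwarded


def bank_receive(packet: dict) -> str:
    """Bank sprite: decide whether to 'execute' or 'discard' the transaction."""
    if "Hashed_Message" not in packet:
        # Scenario 1: no protection, so the bank has nothing to check.
        return "execute"
    recomputed = sha256_hex(packet["Message"])
    # Comparison operator block: recomputed hash vs. the hash that arrived.
    if hmac.compare_digest(recomputed, packet["Hashed_Message"]):
        return "execute"
    return "discard"


def run_scenarios() -> dict:
    """Return (bank decision, message the bank saw) for each case."""
    original = "Send 1000 to Alice"    # transaction text from the paper
    forged = "Send 1000 to Mallory"    # constructed attacker message

    results = {}

    # No attacker: the hash matches and the transaction goes through.
    packet = user_send(original)
    results["untampered"] = (bank_receive(packet), packet["Message"])

    # Scenario 1: no hash at all, the modified message is processed.
    packet = attacker_change_message(user_send(original, with_hash=False), forged)
    results["scenario_1"] = (bank_receive(packet), packet["Message"])

    # Scenario 2: attacker is unaware of the hash, so the bank detects the change.
    packet = attacker_change_message(user_send(original), forged)
    results["scenario_2"] = (bank_receive(packet), packet["Message"])

    # Scenario 3: an unkeyed hash can be recomputed by anyone, so the
    # forged message passes the bank's check.
    packet = attacker_change_and_rehash(user_send(original), forged)
    results["scenario_3"] = (bank_receive(packet), packet["Message"])

    return results


if __name__ == "__main__":
    for name, (decision, message) in run_scenarios().items():
        print(f"{name}: bank will {decision} {message!r}")
```

The Scenario 3 result is the reason the curriculum moves on to a shared secret key: the bank's check in Scenario 2 only works while the attacker does not know the hash is there.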
All the aforementioned principles were explained by relating them to real-world scenarios and making them highly visual through the conversation between the user, bank, and the attacker. We believe that these qualities of our curriculum aid in the retention of these concepts in children’s minds. A video demonstration of these scenarios is also available at https://www.dropbox.com/s/cq4031sx3ore50t/Video.mp4?dl=0. In order to assess the curriculum, we conducted a user study, and the next section is dedicated to analyzing the study’s findings.
IV Evaluation
We conducted a user study to assess our curriculum’s competency in teaching students the cybersecurity concepts of confidentiality, integrity protection, and authentication. This section presents the user study design, recruitment of participants, and results demonstrating the students’ perception of our curriculum.
IV-A Design of the Evaluation Study
The user study’s aims are threefold:
- To assess the accessibility of the curriculum
- To assess the effectiveness of the curriculum
- To assess the impact on students’ learning
IV-A1 Recruitment
Study participants were recruited via a snowball sampling method [37], which is frequently used to recruit participants in various disciplines. One of the authors created a flyer that advertised the study and sent it to acquaintances, friends, and former colleagues after securing approval from the authors’ university’s Institutional Review Board (IRB). As a result of the recruitment effort, we recruited middle-school and high-school students. While a few middle-school students were directly enrolled in the study, most students were enrolled by their parents. Because the study participants are minors, we received a parental consent form from every participant, which is required by the authors’ university’s IRB. The first author contacted the students/parents via email and confirmed their placement for the study. Then, the author shared the workshop details with the study participants.
IV-A2 Study Design
The participants took part in a 3-hour, one-day virtual workshop, which entailed lectures and hands-on training sessions on the core cybersecurity concepts described in Section III. Due to the continuing COVID-19 pandemic, most of the parents preferred to have the workshop conducted remotely [38]. As such, we held the workshop virtually. The workshop was conducted synchronously to mitigate any difficulties that may have arisen from the virtual teaching/learning environment. The workshop began with a brief introductory session to create a friendly atmosphere and promote participant engagement. Following everyone’s introductions and discussion of their interests, we asked the participants to complete our pre-survey questionnaire. The pre-survey covered socio-demographic questions, prior computer programming skills, and prior knowledge of cybersecurity concepts.
The first hour of the workshop was dedicated to cyber awareness and cybersecurity basics. Some of the most prevalent attacks, such as MitM, phishing, password, and malware attacks, were explained in detail. We also prioritized teaching cybersecurity basics such as securing passwords and avoiding spam emails to avoid cybercrimes. The rest of the workshop focused on teaching confidentiality, integrity protection, and authentication from our curriculum. The students were shown demonstrations of those scenarios, followed by discussions of what the next potential attack could be and their ideas about how those attacks could be defended against. Then, the participants were asked to complete a technical survey comprising ten questions assessing their understanding of the concepts.
IV-B Pre- and Post-Survey Evaluation
Our goal with the pre- and post-survey was to understand the curriculum’s accessibility and contribution to the students’ learning about cybersecurity. We wanted to assess whether students enjoyed using the interface to learn cybersecurity. In doing so, we wanted to give students an opportunity to become prepared for and aware of cybersecurity. A strong understanding of core knowledge is fundamental for students to learn about, and later work on, complex cybersecurity issues.
IV-B1 Participant Demographics
In total, we had 18 study participants, of whom 10 (55.5%) were female and 8 (44.5%) were male. All our study participants were between 10 and 15 years old (see Table I for the distribution). All of them were in the fifth to eleventh grades. Our participants were predominantly Asian (94.45%), with 1 Caucasian student. Almost all of them indicated that they were new to cybersecurity.
Among the 18 participants, 10 (55.6%) reported in the pre-survey that they were ‘interested’, and 6 (33.3%) that they were ‘very interested’, in learning cybersecurity. In the post-survey questionnaire, the students unanimously responded that our cybersecurity curriculum is very useful and can explain complex cybersecurity concepts easily. Every student found this method of teaching cybersecurity principles to be very useful and effective.
IV-B2 Curriculum Assessment
Our participants unanimously found the cybersecurity concepts from our curriculum easy to learn. Specifically, 12 (66.7%) participants found the concepts very easy to learn (Likert scale 5), while 5 (27.8%) participants found them quite easy to learn (Likert scale 4), as shown in Fig. 7.
Most of the students reported that they would recommend the curriculum to others. In summary, 11 (61.1%) students responded that they would highly recommend the curriculum to other students, while 5 (33.3%) students would recommend it to others. The remaining 2 students (11.1%) indicated that they are happy to recommend it to others, as shown in Fig. 8.
Overall, the students enjoyed interacting with our curriculum and left comments such as “I think I found it very useful as it provides a visual for me. I can see what is happening to the information in a very simple way which enables me to understand the concepts thoroughly and also apply them in the future.” and “I enjoyed the live examples for the cybersecurity principles on Scratch!”.
IV-C Assessing Students’ Understanding
We asked the students to fill out a technical survey questionnaire to assess their understanding of the cybersecurity concepts after learning them in our curriculum. In our workshop, we presented these concepts to the students for an hour and then asked them to answer the technical survey. This survey had ten multiple-choice questions, which were distributed over three sections. The results were promising. The average score of correct answers was 9.28 out of 10. We were also able to see that the female participants were eagerly and actively engaged in the workshop and discussions. This result is encouraging, since gender gaps in cybersecurity education and practice still exist [39]. Among the 10 female students, the mean score on the technical questions was 9.7 out of 10.
Section 1 - We had five conceptual questions in this section to evaluate the students’ comprehension of the core concepts. The multiple-choice questions such as “Which of the following ensures that shared information is in a format that is not modified in transit?” and “Which of following cyber security principle relates to encrypting the data?” assessed basic understanding. The percentage of accurate responses is shown in Table II, allowing us to determine whether these scenarios adequately convey the meaning of each fundamental concept. The average score on these five questions was 4.33 out of 5.
Section 2 - During the workshop, we also showed the participants visual scenario questions contrasting secure and insecure uses of the cybersecurity concepts. Fig. 9 demonstrates a simple visual scenario. On the right, we show a secure scenario, where the CA shares the key with the authenticated parties after verifying their identities (i.e., authentication and encryption). On the left, we show an insecure scenario, where the user cat sends the bank a message together with its key (i.e., no authentication). Note that students were already taught the concepts of authentication, encryption, and CA key sharing in our curriculum. We believe that differentiating between these scenarios enables students to think about vulnerabilities in the environment. The mean score of students on these two questions was 1.94 out of 2.
Section 3 - This set of questions was included in the survey to see whether students were restricting their knowledge to the scope of the bank and user scenario they were taught or whether they understood the real-world implications of the learned concepts. To facilitate comprehension, these questions ask about the same concepts in many different contexts. Fig. 10 shows two individuals conversing on a messaging platform, and students were asked to name the fundamental concept that secures WhatsApp or messaging-platform conversations. The students unanimously answered that WhatsApp employs confidentiality, convincing us that they could discern between the fundamental principles. The average score of students on these questions was 2.94 out of 3. From these results, we believe that students can understand the concepts and relate their usage to other real-world environments.
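The contrast between the two scenarios in Fig. 9 (Section 2) can be made concrete with a short simulation. This is an added example, not code from the paper or its Scratch projects; the function names, the toy SHA-256 keystream, and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream: a classroom stand-in, not a vetted cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, msg: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, msg)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(key: bytes, pkt: dict):
    want = hmac.new(_subkey(key, b"mac"), pkt["nonce"] + pkt["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, pkt["tag"]):
        return None  # tag mismatch: wrong key or modified packet, so reject
    return _xor_stream(_subkey(key, b"enc"), pkt["nonce"], pkt["ct"])

def insecure_exchange(msg: bytes, forged: bytes):
    """Left-hand scenario: the key travels in the same packet as the message."""
    key = secrets.token_bytes(32)
    pkt = dict(seal(key, msg), key=key)                    # user -> network
    seen = unseal(pkt["key"], pkt)                         # on-path observer reads it
    pkt = dict(seal(pkt["key"], forged), key=pkt["key"])   # and can re-seal a forgery
    return seen, unseal(pkt["key"], pkt)                   # bank trusts the in-band key

def secure_exchange(msg: bytes):
    """Right-hand scenario: a trusted party provisions the key out of band."""
    key = secrets.token_bytes(32)                  # held only by verified user and bank
    pkt = seal(key, msg)                           # no key on the wire
    guess = unseal(secrets.token_bytes(32), pkt)   # a wrong key fails the tag check
    tampered = dict(pkt, ct=bytes([pkt["ct"][0] ^ 1]) + pkt["ct"][1:])
    return guess, unseal(key, pkt), unseal(key, tampered)
```

In the insecure exchange the bank accepts whatever arrives, because the key it verifies with came from the same untrusted packet; in the secure exchange both the observer's read and the one-bit modification return `None`.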
V Potential Benefits
We believe that this real-world, visual, and narrative curriculum with a block-based programming language (i.e., Scratch) will help students understand the importance and existence of cybersecurity concepts to build secure systems. Our curriculum can intuitively address the question of why and how these concepts are used which is, in our opinion, essential for a thorough comprehension of the subject. Moreover, this may improve children’s knowledge of cyberattacks and instill a sense of caution towards safeguarding their personal information in everyday life. We anticipate that this will also help children grasp advanced cybersecurity principles at an early age (which is a subject of our future research), and help them build real-time secure infrastructure scenarios to learn cybersecurity on the Scratch platform. Students can thus master the application of cybersecurity concepts in the real world without dealing with complexities associated with programming languages or tools.
We believe that introducing our intuitive, user-friendly, and age-appropriate cybersecurity curriculum will significantly expand the uptake of cybersecurity education in K-12 institutions. The prevalence of Scratch in schools influenced our decision to develop our curriculum on the Scratch platform; consequently, integrating our curriculum into schools should be feasible for educators. We think that the free and multilingual availability of the Scratch platform to anybody with an Internet connection will benefit students from diverse and underrepresented socioeconomic backgrounds.
VI Conclusion
This paper proposes an intuitive and real-scenario-based cybersecurity curriculum using Scratch to teach the core cybersecurity concepts of confidentiality, integrity protection, and authentication. The curriculum introduces students to three visual scenarios demonstrating attacks when systems do not integrate concepts such as confidentiality, integrity protection, and authentication. Then, it introduces them to three scenarios that build on the attacks to demonstrate how the fundamental concepts can be used to defend against them. Based on an evaluation survey, 67% of the 18 middle and high-school students found the curriculum very easy, and 28% found it relatively easy to learn and comprehend the concepts in our curriculum. The initial study shows the potential of our curriculum and provides the impetus to integrate other complex cybersecurity concepts into the Scratch platform in the future.
References
- [1] (ISC)², “Cybersecurity Professionals Stand: (ISC)² Cybersecurity Workforce Study, 2022,” Tech. Rep., 2021. [Online]. Available: https://www.isc2.org//-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx
- [2] IBEC, “Cybersecurity Summit Report-IBEC,” Tech. Rep., 2022. [Online]. Available: https://www.ibec.ie/connect-and-learn/insights/insights/2022/02/09/cybersecurity-summit-report
- [3] Cyber.org, “K-12 cybersecurity learning standards,” Tech. Rep., 2021.
- [4] cyber.org, “The State of Cybersecurity Education in K-12 Schools,” Tech. Rep., 2020. [Online]. Available: https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf
- [5] “Harvard computer science program.” [Online]. Available: https://pll.harvard.edu/course/cs50s-introduction-programming-scratch?delta=0
- [6] B. Upadhyaya, M. M. McGill, and A. Decker, “A longitudinal analysis of k-12 computing education research in the united states: Implications and recommendations for change,” ser. SIGCSE ’20. New York, NY, USA: Association for Computing Machinery, 2020. [Online]. Available: https://doi.org/10.1145/3328778.3366809
- [7] X. Mountrouidou, D. Vosen, C. Kari, M. Q. Azhar, S. Bhatia, G. Gagne, J. Maguire, L. Tudor, and T. T. Yuen, “Securing the human: A review of literature on broadening diversity in cybersecurity education,” ser. ITiCSE-WGR ’19, New York, NY, USA, 2019. [Online]. Available: https://doi.org/10.1145/3344429.3372507
- [8] G. Javidi and E. Sheybani, “K-12 cybersecurity education, research, and outreach,” in 2018 IEEE Frontiers in Education Conference (FIE), 2018.
