Article Preview
Top1. Introduction
The importance of experimental learning has long been recognized in the learning theory literature (Denning, 2003; Du, Jayaraman, & Gaubatz, 2010). Despite this fact many graduate and undergraduate courses in information security still offer a limited number of hands-on laboratory exercises. The need for using a theory and practice-oriented approach in information security education is seen as paramount (Chiou Chen & Lin, 2007). A program that covers only the theoretical aspects of information security may not prepare students for overcoming the difficulties associated with the efficient protection of complex computer systems and information assets. Furthermore a learning environment that does not give the student an opportunity to experiment and practice with security technologies does not equip him/her with the skills and knowledge required for doing research and development in the computer security field.
So far most information security courses have supplemented content by adding a practice-oriented component which includes laboratory exercises (labs) based on defensive information security techniques (Hill, Carver, Humphries, & Pooch, 2001; Mullins et al., 2002; Vigna, 2003; Whitman, Mattord, & Green, 2014; Trabelsi, Hayawi, Al Braiki, & Mathew, 2013). However many academics and industry practitioners feel that to defend a system one needs a good knowledge of the attacks a system may face (Arce & McGraw, 2004). Students who understand how attacks are designed and launched will be better prepared for opportunities as security administrators rather than those without such skills (Logan and Clarkson, 2005). As a result, interest for including labs on offensive techniques originally developed by hackers has grown significantly. Teaching ethical hacking techniques has become a vital component of programs that aim to produce competent information security professionals (Brutus & Locasto, 2010; Damon, Dale, Land & Weiss, 2012; Dornseif, Gärtner, Holz & Mink, 2005; Ledin, 2011; Mink & Freiling, 2006; Trabelsi & Al Ketbi, 2013; Trabelsi, 2011; Yuan & Zhong, 2008; Trabelsi et al., 2013).
Adding hacking activities to the information security curriculum raises some variety of ethical and legal issues. By using log data as well as data gathered through a student survey, this paper investigates the ethical implications of offering hands-on lab exercises on attack techniques in information security education. The paper emphasizes teaching offensive techniques which are central to better understanding the hacker’s thinking and the ways in which security systems fail in these situations. Moreover, hands-on labs using attack techniques allow students to experiment with common attack techniques and consequently allow them to implement the appropriate security solutions and more efficiently protect the confidentiality, integrity, and availability of computer systems, networks, resources, and data. The paper proposes measures that schools and educators can take to develop successful and problem-free information security programs while reducing legal liabilities, preventing student misconduct, and teaching students responsible behavior.
The paper is organized as follows: Section 2 presents the case of teaching offensive techniques in hands-on lab exercises and the expected learning outcomes resulting from this approach. Sections 3 and 4 discuss the risks arising from teaching offensive techniques in an academic environment, the associated ethical concerns, and the emerging liability issues; along with practical steps to mitigate these risks. Finally, Section 5 summarizes the results and concludes the paper.