Designing the online educational information security laboratories

Abstract: Distance education and e-learning in the field of information security are gaining popularity. In information security education, virtual labs have been suggested to facilitate hands-on learning in distance education. An internet-based information security lab is an artifact which involves a collection of systems and software used for teaching information security, and which is accessible through the Internet. This research is motivated by an ongoing information security lab development initiative at Luleå University of Technology. A literature review of online educational information security laboratories (InfoSec labs) in the academic literature was conducted. The current literature about online InfoSec labs still lacks well-specified pedagogical approaches and concrete design principles. This hinders the accumulation of technically and pedagogically rigorous knowledge for the implementation and use of online educational InfoSec labs. Moreover, the literature focused mainly on details of technical lab implementations, whereas the pedagogical elements of the curriculum and the rationale behind them were ignored. This leads to inadequate guidance about how the instructor and the learner can make use of the lab to pedagogically align the course objectives, teaching/learning activities and assessment methods. A theoretical framework comprising the Constructive Alignment theory (Biggs 1996) and the Conversational Framework (Laurillard 2002) was proposed to further guide the research process and analyze the case of an internet security course and e-learning platform. The framework suggested that the MSc program and individual courses in information security should be developed based on specific pedagogical principles in order to improve the quality of teaching and enhance the e-learning platform for flexible hands-on security education.
Therefore, to design an online InfoSec lab that improves flexible hands-on education and security skills development in the courses, Action Design Research (ADR) was chosen as the overall approach for continuing this research project. The ultimate goal is to design an ensemble IT artifact as a result of emerging design, use, and refinement in context through continuous interaction between technology and organization during the design process. This licentiate thesis is mainly focused on the 1st stage (Problem Formulation) of the ADR method, where the trigger for the first stage is the problems perceived in the teaching of information security, i.e., how to improve students’ security knowledge and how to provide the students with a flexible online educational information security lab. The review of prior research, observations, interviews with teachers and program management, and reflection on pedagogical approaches led to the formalization of five initial design principles (Contextualization, Collaboration, Flexibility, Cost-effectiveness and Scalability). These initial design principles have been derived keeping in view the requirements of an information security course in the degree program. A conceptual design for the information security course based on the Personalized System of Instruction (PSI) approach, including an online InfoSec lab design to promote students’ hands-on security knowledge level and to give them the flexibility to study at their desired speed, has been proposed. The anatomy of a design theory framework by Gregor & Jones (2007) is used for outlining a few first components of a design theory for an online-InfoSec-lab course. In its current form, this study makes a contribution to the literature by identifying and discussing hitherto scattered research reports of educational online InfoSec labs in a common frame of reference, which will serve other developers and researchers of information security pedagogy as an index of previous literature.
The theoretical framework will be used to provide further guidelines for developing a theory-ingrained artifact, which will not only help to provide the necessary justification for the elements of the curriculum and the rationale behind their selection but will also help to align the course objectives with teaching/learning activities in a specific teaching context for better hands-on education in information security. The initial design principles suggested in this study will help to start the next phase of ADR, Building, Intervention and Evaluation (BIE), which will help us achieve a refined set of more concrete emergent design principles. The proposed conceptual design of the online information security course will be implemented, including the development, implementation and use of the online InfoSec lab. Future research will be focused on IT-dominant BIE (the building, intervention and evaluation phases of the ADR method). Further research work after the licentiate phase will cover the rest of the phases of ADR.