CAREER: Describing and Quantifying 'Adversarial Thinking' For Cybersecurity

This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2). Adversarial Thinking (AT) is widely recognized as a critically important ability for cybersecurity. The importance of AT has been widely discussed in the cybersecurity community, and many educators have created activities and exercises explicitly intended to strengthen AT in students to enhance their cybersecurity understanding and abilities. However, there is no broadly accepted description of AT or its components beyond describing it as the ability to 'think like an attacker.' As a result, there is no test to meaningfully quantify AT or the effectiveness of interventions designed to improve AT. To meet this important need, this foundation-building five-year project will create a description of the core components of AT. The project will use a consensus approach drawing on the knowledge and experience of a diverse group of individuals in the cybersecurity community. The project will create and validate a non-technical test for AT and use the test to 1) identify AT in individuals and 2) evaluate the effectiveness of exercises meant to improve AT. This project will shed light on fundamental knowledge about AT in cybersecurity, help identify the next generation of cybersecurity professionals, and give cybersecurity educators tools to improve the effectiveness of security education.

Based on the widespread belief that AT is critical for security, the hypotheses of this project are that 1) critical components of AT for cybersecurity can be identified, 2) a non-technical test can be created and validated that measures these components, 3) the test can be used to perform rigorous research about AT, and 4) this research can be integrated with and inform cybersecurity education. To test these hypotheses, the PI will work with a diverse set of cybersecurity experts in a modified Delphi process to identify and describe AT's most crucial elements and publish the results. The PI will then create, screen for bias, rigorously validate, and publish the Adversarial Thinking Assessment (ATA), an instrument to measure AT ability. The test will not require technical cybersecurity knowledge and hence can be administered broadly. Using the validated ATA, the PI will conduct experiments to identify AT ability across various groups of students and professionals. The PO will also develop and evaluate new interventions to help individuals develop AT skills. The overall project will drive an iterative, five-year AT-focused curriculum development for a sequence of two security courses at the University of Minnesota Duluth. The impact of this project is a new foundation for research around the critical concept of AT in the context of cybersecurity education. This CAREER award is supported in part by NSF's IUSE:EHR Program which supports research and development projects to improve the effectiveness of STEM education for all students. This project is also supported by the Secure and Trustworthy Cyberspace (SaTC) program, which funds proposals that address cybersecurity and privacy, and in this case specifically cybersecurity education. The SaTC program aligns with the Federal Cybersecurity Research and Development Strategic Plan and the National Privacy Research Strategy to protect and preserve the growing social and economic benefits of cyber systems while ensuring security and privacy.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.