CyberAIMs: a tool for teaching adversarial and systems thinking

Abstract

CyberAIMs stands for Cyber Agents’ Interactive Modeling and Simulation. We designed this tool in order to use it as an educational tool to teach Master students in a Cyber security course. This paper aims to describe the model and explain the design choices behind CyberAIMs in terms of associating them with the emerging concepts within cyber security curriculum, namely adversarial and systems thinking. The preliminary results indicate that the current distribution of values and entities allows most of the defense agents to avoid losing all their resources to their attack counterparts. We intend to use this tool as part of a lab with students in Information Security and further extend our target users, by including others who need training in adversarial and systems thinking. We conclude by providing rough results from running simulations with the tool and giving further directions of our future research, in order to improve the usability and level of detail for this tool.

Agent-Based Simulation | Teaching   | Cyber Security | Adversarial Thinking | Systems Thinking

References

1. Lillian Ablon, Martin C Libicki, and Andrea A Golay. Markets for cybercrime tools and stolen data:
   Hackers’ bazaar. Rand Corporation, 2014.
2. Bilal AlSabbagh and Stewart Kowalski. Sociotechnical siem (st-siem): Towards bridging the gap in security incident response. International Journal of Systems and Society (IJSS), 4(2):8–21, 2017.
3. E Anne Bardoel and Tim Haslett. Success to the successful: The use of systems thinking tools in
4. teaching ob. Organization Management Journal, 1(2):112–124, 2004.
5. Noam Ben-Asher and Cleotilde Gonzalez. Cyberwar game: A paradigm for understanding new challenges
   of cyber war. In Cyber Warfare, pages 207– 220. Springer, 2015.
6. J Bologna. Momm’s (motivations, opportunities, methods, means)-a taxonomy for computer related
   employee theft. Assets Protection, 6(3):33– 36, 1981.
7. S Brahima. Global cybersecurity index 2017. International Telecommunication Union (ITU), pages
   1–77, 2017.
8. Barbara Filkins and GM Hardy. It security spending trends. A SANS Survey. SANS Institute, 2016.
   
9. Jack S Goodwin and Stephen G Franklin. The beer distribution game: using simulation to teach systems
   thinking. Journal of Management Development, 13(8):7–15, 1994.
10. Seth T Hamman, Kenneth M Hopkinson, Ruth L Markham, Andrew M Chaplik, and Gabrielle E Metzler. Teaching game theory to improve adversarial thinking in cybersecurity students. IEEE Transactions on Education, 60(3):205–211, 2017.
11. Joint Task Force on Cybersecurity Education. Cybersecurity curricula 2017 - curriculum guidelines for post-secondary degree programs in cybersecurity - csec2017 v. 0.95 draft. Technical report, November 2017.
12. M. D. Norman and M. T. K. Koehler. Cyber Defense as a Complex Adaptive System: A modelbased
    approach to strategic policy design. ArXiv e-prints, June 2017.
13. Vicente Pastor, Gabriel Díaz, and Manuel Castro. State-of-the-art simulation systems for information
    security education, training and awareness. In Education Engineering (EDUCON), 2010 IEEE, pages 1907–1916. IEEE, 2010.
14. Ponemon Institute. Flipping the economics of attacks. Technical report, January 2016.
15. Marc Rogers. A new hacker taxonomy. University of Manitoba, 2000.
16. Ronald W Rogers. A protection motivation theory of fear appeals and attitude change1. The journal
    of psychology, 91(1):93–114, 1975.
17. Brent R Rowe, Igor D Pokryshevskiy, Albert N Link, and Douglas S Reeves. Economic analysis of an inadequate
    cyber security technical infrastructure. National Institute of Standards and Technology Planning Report, pages 13–1, 2013. Fred B Schneider. Cybersecurity education in universities. IEEE Security & Privacy, 11(4):3–4,
    2013.
18. Vijay Vaishnavi and William Kuechler. Design research in information systems. 2004.
19. Uri Wilensky. Netlogo. evanston, il: Center for connected learning and computer-based modeling,
    northwestern university, 1999.