Today’s cybersecurity and software development students spend years in the classroom honing their skills for gainful employment once they graduate. They’re being equipped with deep knowledge of application vulnerabilities, real-world attack scenarios, and extensive software development expertise that includes secure coding practices. The many students the universities are educating today are being better equipped than ever before. Most would agree that the best way to train someone is while they’re doing the activity themselves. For example, if someone wanted to train for a sporting competition of sorts, they would likely spend significant amounts of their training-time doing the sporting activity. In the world of sports, it seems that this type of training produces the best athletes. However, in comparison to cybersecurity training, are there any studies that demonstrate that this type of real-world training is capable of delivering the desired results? Fortunately, there is. In a recent webinar, Michael Workman, Ph.D., Professor at Texas A&M University discussed with Kurt Risley, Global SME Codebashing at Checkmarx about his recent study that demonstrated real-world simulated training produced the highest results in the context of secure coding education for tomorrow’s cybersecurity pros and software developers. In Michael’s study, he first broke down the four types of education and training he used for his students in various settings. They are as follows:

1. Class / Reading / Labs / Quizzes-Tests
2. Class / Reading / Labs / Simulation Challenges
3. Class / Reading / Labs / Live Activities (e.g., Hackathon, Capture the Flag)
4. Class / Reading / Labs / Simulations / Live Activities (e.g., Hackathon, Capture the Flag)

For his study, the test subjects were 209 undergraduate cybersecurity students and he separated them into 4, nearly equal groups over the course of 4 semesters. For the simulations part of his class requirements, Michael used Checkmarx’s Codebashing, a hands-on, interactive, gamified secure coding training solution. Rather than spending a whole lecture learning about security vulnerabilities out-of-context in a classroom setting, Michael’s students received bite-size, on-demand sessions that were relative to the specific challenges they were facing in their coding lessons. His students were assigned Codebashing training modules that would train the students about how to remedy software defects in an interactive and gratifying approach. This way, the training modules were completely contextual, not only to the overall lines of code they were learning about, but to the actual defects as well. Michael also used the Codebashing hosted platform to register his students, track their performance through his classes, and monitor lesson completion and improvements.

Results Summary

Overall, Michael was impressed with his study’s results and his students’ learning improvements. He demonstrated that cybersecurity simulations improved applied performance over classroom and lab instruction. Also, adding activities such as capture the flag and hackathons appear to add little benefit to the applied learning outcome, yet when combined with simulations, that combination yielded the great gains in applied learning performance. Michael is an advocate of Checkmarx’s Codebashing solution and he believes that using Codebashing as an educational tool makes a great deal of sense for cybersecurity and software developer students in higher education environments, and in industry as well. The key takeaway from his study is that simulations did significantly improve the performance of his students in the context of more-secure software. To learn more about how you can incorporate Codebashing into your environment, to include higher-ed, industry, government, etc., please request more information here. For a short hands-on, self-guided demo, click here. Finally, if you would like to learn more about Michael’s study, please reach out to him via LinkedIn.