An Assessment Driven Approach to Self-Directed Learning in Secure Programming (SecTutor)

Self-Directed Learning in Secure Programming

The failure to practice defensive, secure, robust programming is one of the greatest challenges in cybersecurity today. The field of software development needs individuals who can write secure and robust code, continuously respond to evolving threats, and adapt system designs to new security needs. To do this, software developers need a deep understanding of the foundational concepts in secure programming. Given the current lack of consistent and comprehensive secure programming training in most computing programs, and the need for any training to evolve to meet constantly changing requirements, it is essential that there be more mechanisms by which secure programming training can be provided.

We propose the development of a dual-purpose testing and tutoring system that would allow students to learn about secure programming at their own pace in an extra-curricular setting and to continuously assess their knowledge of secure programming. This online system, called SecTutor, would provide an assessment-driven approach for individuals to learn about secure programming. An assessment-driven method was selected in order to personalize the learning process. A rigorous assessment determines the learner’s level of knowledge and skill, and therefore the intelligent tutoring system can calibrate the instruction directly to the learner.

To develop SecTutor, we will draw on prior work done by the research team that has: identified and mapped the foundational, knowledge-critical concepts in the domain of secure programming; identified and created a taxonomy of misconceptions and difficult topics in secure programming; developed a bank of test items in secure programming; and developed a concept inventory to rigorously test for misconceptions and foundational knowledge in secure programming. Based on this prior work we will:

  • Construct an adaptive test: The first step of the project will be to construct an adaptive test to diagnose learners’ current level of foundational understanding in secure programming. This test will also diagnose what topics the learner is finding difficult or is fundamentally misunderstanding.
  • Construct an intelligent tutorial system: The next step of the project will be to build an intelligent tutorial system that will both provide content and assist the learner to master secure programming concepts and skills.
  • Integrate learning analytics: Incorporate learning analytics into the system to not only provide feedback to the individual learner but also provide mechanisms for secure programming instructors to gather information about their learners, compare them to other demographics, compare types of secure programming questions, and adapt their curriculum to address specific challenges to learning secure programming. These learning analytics will be used as the basis for research into the following: 1) Does the system improve student understanding of secure programming? 2) Which learning strategies result in the greatest conceptual change? 3) What question forms display the most discrimination? 4) Does an assessment-driven approach result in more learning gains than a content-driven approach?
  • Test the system: The final step will be to test the adaptive test, intelligent tutorial system, learning analytics, and user interface to ensure that they work correctly, are user friendly, and provide the most useful information.

An Assessment Driven Approach to Self-Directed Learning in Secure Programming (SecTutor). Sponsoring Organization: National Science Foundation. Role: PI. Total Award: $238,127. 10/01/2019 – 09/30/2022.